Tuesday, July 12, 2016

Splunk and Tor exit nodes

We wanted a way to figure out if a "bad actor" was using TOR to connect to our servers/resources. So I thought: "SPLUNK TO THE RESCUE!"

I am a Windows guy, so I wrote a Powershell script to retrieve a list of TOR exit nodes and write them to a file.  Then I use SPLUNK to pick up that file, index it, and extract the interesting fields to then use in other SPLUNK dashboards/reports/whatever.

--------------------------------------------

automated task:

program/script: powershell.exe
Add arguments: -file "C:\SplunkInput\Scripts\Get-TorExitNodeList.ps1" -NoProfile
Start in: C:\SplunkInput\Scripts\

---------------------------------

POSH Script:

<#

.SYNOPSIS



            Gets the list of tor exit nodes from the TOR project, put them in a file







            .DESCRIPTION



            Gets the list of tor exit nodes from the TOR project, put them in a file for other use (like SPLUNK). 

            Will by default write to "C:\SplunkInput\TorExitNode\TorExitNode.txt"



         



            .EXAMPLE



           ./Get-TorExitNodeList.ps1







            .NOTES



            I recommend you run this as a scheduled task, every 5 min or so, as the list changes often.

            I recommend you use a SPLUNK forwarder to take this file and index it.

            Created by Bryan Loveless

            Bryan.Loveless@gmail.com

            July 2016



#>





#cleanup the old log files
remove-item C:\SplunkInput\TorExitNode\TorExitNode*.txt

#get the current date/time to create a new file
$now = (Get-Date).ToString("s").Replace(":","-")
$file = "C:\SplunkInput\TorExitNode\TorExitNode" + $now + ".txt"

#request the list of exit nodes, appending them to the file created above.
((invoke-webrequest -uri https://check.torproject.org/exit-addresses -UseBasicParsing).rawcontent) | out-file $file -Append

------------------------------------------------------------------

For the SPLUNK forwarder, input.conf:
[monitor://C:\SplunkInput\TorExitNode]
crcSalt = <SOURCE>
#initCrcLength = 4096
disabled = 0
sourcetype = TorExitNodeList
index = tor

------------------------------------------------------------

For the SPLUNK field extraction, props.conf:

[TorExitNodeList]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Tor Exit Node List
disabled = false
pulldown_type = true
HEADER_FIELD_LINE_NUMBER=14
#LINE_BREAKER = \bLastStatus\b
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ExitNode
EXTRACT-ip-torexitnode = ^\w+\s+(?P<ip>[^ ]+)
EXTRACT-Last_Checkin_Date,Last_Checkin_Time = ^(?:[^ \n]* ){2}(?P<Last_Checkin_Date>[^ ]+)\s+(?P<Last_Checkin_Time>\d+:\d+:\d+)

-------------------------------------------------------------------

References:
http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Howlogfilerotationishandled



Posted by Unknown 37 comments

Wednesday, May 18, 2016

Visual Studio POSH snippet, DocuComment

I am trying to get into more Visual Studio (as that is what "real" programmers use).... and to my delight, I found out that PowerShell is more supported than ever before in VS 2015.  Perhaps I can finally put away my childish things (ISE) and move onto something much more unnecessarily complicated.   So when I read about "code snippets" I was excited... but....

 No matter how much I searched, I could not find one for a simple "documentation block."  You know, the one with the ".Synopsis", and ".Example" that we are supposed to use in our scripts, but never do?  Perhaps I can make the world a better place by figuring it out and allowing others to use it.  Now you have no excuse to not document your code better, you are just three clicks away from having the "DocuComment" block created for you!

You will need to put the code below in to a file with an extension of ".snippet" and import it into VS.
(Details of this can be found at: https://msdn.microsoft.com/en-us/library/9ybhaktf(v=vs.100).aspx )

DocuComment.snippet :

<?xml version="1.0" encoding="utf-8" ?>
<CodeSnippets  xmlns="http://schemas.microsoft.com/VisualStudio/2005/CodeSnippet">
  <CodeSnippet Format="1.0.0">
    <Header>
      <Title>DocuComment Block</Title>
      <Shortcut>docucomment</Shortcut>
      <Description>Code snippet for a comment block.</Description>
      <Author>Bryan Loveless bryan.loveless@gmail.com</Author>
      <SnippetTypes>
        <SnippetType>Expansion</SnippetType>
        <SnippetType>SurroundsWithStatement</SnippetType>
      </SnippetTypes>
    </Header>
    <Snippet>
      <Declarations>
        <Literal>
          <ID>param1</ID>
          <ToolTip>DocuComment</ToolTip>
          <Default>
            .SYNOPSIS

            synopsis of script, overall idea



            .DESCRIPTION

            description of overall script, more detail than synopsis



            .PARAMETER parameternamehere

            parameter description, if required, possible values



            .PARAMETER path

            parameter path



            .EXAMPLE

            example of script use, return behavior.



            .EXAMPLE

            another exmample if there are more.  This can be repeated for as many examples as you want



            .NOTES

            other misc notes, perhaps permissions needed, dates of script.
          </Default>
        </Literal>
      </Declarations>
      <References />
      <Code Language="PowerShell">
        <![CDATA[<#
$param1$
$selected$ $end$
#>]]>
      </Code>
    </Snippet>
  </CodeSnippet>
</CodeSnippets>
Posted by Unknown 0 comments
Labels: , , , , , ,
Subscribe to: Posts (Atom)