Tuesday, July 12, 2016

Splunk and Tor exit nodes

We wanted a way to figure out if a "bad actor" was using TOR to connect to our servers/resources. So I thought: "SPLUNK TO THE RESCUE!"

I am a Windows guy, so I wrote a Powershell script to retrieve a list of TOR exit nodes and write them to a file.  Then I use SPLUNK to pick up that file, index it, and extract the interesting fields to then use in other SPLUNK dashboards/reports/whatever.


automated task:

program/script: powershell.exe
Add arguments: -file "C:\SplunkInput\Scripts\Get-TorExitNodeList.ps1" -NoProfile
Start in: C:\SplunkInput\Scripts\


POSH Script:



            Gets the list of tor exit nodes from the TOR project, put them in a file


            Gets the list of tor exit nodes from the TOR project, put them in a file for other use (like SPLUNK). 

            Will by default write to "C:\SplunkInput\TorExitNode\TorExitNode.txt"





            I recommend you run this as a scheduled task, every 5 min or so, as the list changes often.

            I recommend you use a SPLUNK forwarder to take this file and index it.

            Created by Bryan Loveless


            July 2016


#cleanup the old log files
remove-item C:\SplunkInput\TorExitNode\TorExitNode*.txt

#get the current date/time to create a new file
$now = (Get-Date).ToString("s").Replace(":","-")
$file = "C:\SplunkInput\TorExitNode\TorExitNode" + $now + ".txt"

#request the list of exit nodes, appending them to the file created above.
((invoke-webrequest -uri https://check.torproject.org/exit-addresses -UseBasicParsing).rawcontent) | out-file $file -Append


For the SPLUNK forwarder, input.conf:
crcSalt = <SOURCE>
#initCrcLength = 4096
disabled = 0
sourcetype = TorExitNodeList
index = tor


For the SPLUNK field extraction, props.conf:

category = Custom
description = Tor Exit Node List
disabled = false
pulldown_type = true
#LINE_BREAKER = \bLastStatus\b
EXTRACT-ip-torexitnode = ^\w+\s+(?P<ip>[^ ]+)
EXTRACT-Last_Checkin_Date,Last_Checkin_Time = ^(?:[^ \n]* ){2}(?P<Last_Checkin_Date>[^ ]+)\s+(?P<Last_Checkin_Time>\d+:\d+:\d+)