I am a Windows guy, so I wrote a PowerShell script to retrieve a list of Tor exit nodes and write them to a file. Then I use SPLUNK to pick up that file, index it, and extract the interesting fields to then use in other SPLUNK dashboards/reports/whatever.
--------------------------------------------
Scheduled task (Task Scheduler action):
Program/script: powershell.exe
Add arguments: -file "C:\SplunkInput\Scripts\Get-TorExitNodeList.ps1" -NoProfile
Start in: C:\SplunkInput\Scripts\
---------------------------------
POSH Script:
<#
.SYNOPSIS
Gets the list of Tor exit nodes from the Tor Project and writes them to a file.
.DESCRIPTION
Gets the list of Tor exit nodes from the Tor Project and writes them to a file for other use (like SPLUNK).
Will by default write to "C:\SplunkInput\TorExitNode\TorExitNode<timestamp>.txt"
.EXAMPLE
./Get-TorExitNodeList.ps1
.NOTES
I recommend you run this as a scheduled task, every 5 min or so, as the list changes often.
I recommend you use a SPLUNK forwarder to take this file and index it.
Created by Bryan Loveless
Bryan.Loveless@gmail.com
July 2016
#>
$outDir = "C:\SplunkInput\TorExitNode"
# Make sure the output folder exists (no-op if it already does)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
# Clean up the old list files; don't error on the first run when there is nothing to remove
Remove-Item (Join-Path $outDir "TorExitNode*.txt") -ErrorAction SilentlyContinue
# Get the current date/time to name the new file (ISO "s" format, with ":" swapped for "-" since it is not allowed in file names)
$now = (Get-Date).ToString("s").Replace(":", "-")
$file = Join-Path $outDir ("TorExitNode" + $now + ".txt")
# Request the list of exit nodes and write it to the file named above.
# Note that RawContent includes the HTTP status line and response headers ahead of the body.
$response = Invoke-WebRequest -Uri https://check.torproject.org/exit-addresses -UseBasicParsing
$response.RawContent | Out-File $file -Append
------------------------------------------------------------------
For the SPLUNK forwarder, inputs.conf:
[monitor://C:\SplunkInput\TorExitNode]
# Each run produces a new file whose first bytes (the HTTP header lines) can match an
# earlier one; salting the CRC with the source path makes Splunk treat each file as new.
crcSalt = <SOURCE>
#initCrcLength = 4096
disabled = 0
sourcetype = TorExitNodeList
index = tor
------------------------------------------------------------
For the SPLUNK field extraction, props.conf:
[TorExitNodeList]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Tor Exit Node List
disabled = false
pulldown_type = true
HEADER_FIELD_LINE_NUMBER = 14
#LINE_BREAKER = \bLastStatus\b
# One event per relay: merge lines and start a new event at each ExitNode line
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ExitNode
# The IP is on the ExitAddress line; the ExitNode line carries the relay fingerprint,
# so anchor on ExitAddress rather than on the first line of the event
EXTRACT-ip-torexitnode = ^ExitAddress\s+(?P<ip>[^ ]+)
EXTRACT-Last_Checkin_Date,Last_Checkin_Time = ^(?:[^ \n]* ){2}(?P<Last_Checkin_Date>[^ ]+)\s+(?P<Last_Checkin_Time>\d+:\d+:\d+)
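As an added example (not part of the original post, and not Splunk code), the Python below emulates what the props.conf settings above do to the file the script produces: it drops the header lines that RawContent puts ahead of the body, merges lines into one event per relay starting at each ExitNode line, and runs a first-match EXTRACT over each event with ^ anchoring at line starts. The sample file, the fingerprints and the IPs are constructed (the IPs come from documentation ranges). Python's re accepts the same (?P<name>...) group syntax as Splunk's PCRE, so the props.conf patterns are used as written; .NET regex, and therefore PowerShell, does not accept that syntax, which is why the check is in Python. It runs two ip patterns, one anchored on the first line of the event (`^\w+\s+(?P<ip>[^ ]+)`) and one anchored on the ExitAddress line, to show which one actually returns the address.

```python
import re
from typing import Dict, List

# Constructed sample of the file the script writes: Invoke-WebRequest's RawContent
# puts the HTTP status line and headers ahead of the exit-addresses body.
# The fingerprints are made up; the IPs are from the RFC 5737 documentation ranges.
SAMPLE_FILE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Date: Fri, 15 Jul 2016 12:00:00 GMT\r\n"
    "\r\n"
    "ExitNode 0011BD2485AD45D984EC4159C88FC066E5E3300E\n"
    "Published 2016-07-15 10:12:34\n"
    "LastStatus 2016-07-15 11:00:00\n"
    "ExitAddress 192.0.2.10 2016-07-15 11:30:00\n"
    "ExitNode 0098C475875ABC4AA864738B1D1BB4F6D8E6BF95\n"
    "Published 2016-07-15 09:00:00\n"
    "LastStatus 2016-07-15 11:00:00\n"
    "ExitAddress 198.51.100.7 2016-07-15 11:20:00\n"
    "ExitAddress 198.51.100.8 2016-07-15 11:21:00\n"
)

# Two candidate patterns for the ip field. Splunk's EXTRACT and Python's re both
# accept the (?P<name>...) group syntax, so these are usable in props.conf as-is.
IP_FIRST_LINE = r"^\w+\s+(?P<ip>[^ ]+)"            # anchors on whatever line comes first
IP_EXIT_ADDRESS = r"^ExitAddress\s+(?P<ip>[^ ]+)"  # anchors on the line that carries the IP
CHECKIN = (r"^(?:[^ \n]* ){2}(?P<Last_Checkin_Date>[^ ]+)"
           r"\s+(?P<Last_Checkin_Time>\d+:\d+:\d+)")


def strip_http_headers(raw: str) -> str:
    """Drop the status line and headers RawContent prepends; the body starts after the first blank line."""
    raw = raw.replace("\r\n", "\n")
    _head, sep, body = raw.partition("\n\n")
    return body if sep else raw


def split_events(body: str) -> List[str]:
    """Emulate SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE=ExitNode: one event per relay."""
    events: List[List[str]] = []
    for line in body.splitlines():
        if not line.strip():
            continue
        if line.startswith("ExitNode") or not events:
            events.append([])
        events[-1].append(line)
    return ["\n".join(ev) for ev in events]


def extract_fields(event: str, patterns: List[str]) -> Dict[str, str]:
    """Emulate search-time EXTRACT: first match per pattern, with ^ matching at line starts."""
    fields: Dict[str, str] = {}
    for pattern in patterns:
        m = re.search(pattern, event, re.MULTILINE)
        if m:
            fields.update(m.groupdict())
    return fields


def all_exit_addresses(event: str) -> List[str]:
    """Every ExitAddress in the event; a plain EXTRACT only returns the first one."""
    return re.findall(IP_EXIT_ADDRESS, event, re.MULTILINE)


def parse_exit_list(raw: str, ip_pattern: str = IP_EXIT_ADDRESS) -> List[Dict[str, str]]:
    """The fields Splunk would show for each relay event in the file."""
    body = strip_http_headers(raw)
    return [extract_fields(ev, [ip_pattern, CHECKIN]) for ev in split_events(body)]


if __name__ == "__main__":
    for row in parse_exit_list(SAMPLE_FILE):
        print(row)
    # The first-line pattern returns the fingerprint (and the text up to the next space), not the IP
    print(parse_exit_list(SAMPLE_FILE, IP_FIRST_LINE)[0]["ip"])
```

Two things the emulation makes visible. Splunk itself does not strip the HTTP header lines, so with BREAK_ONLY_BEFORE they end up in whatever precedes the first ExitNode line (an event of their own at the top of each file). And EXTRACT returns only the first ExitAddress of a relay that lists several, which is what `all_exit_addresses` shows; getting all of them into one multivalued field in Splunk needs a transforms.conf REPORT with MV_ADD = true rather than a plain EXTRACT.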
-------------------------------------------------------------------
References:
http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Howlogfilerotationishandled