Tuesday, July 12, 2016

Splunk and Tor exit nodes

We wanted a way to figure out if a "bad actor" was using TOR to connect to our servers/resources. So I thought: "SPLUNK TO THE RESCUE!"

I am a Windows guy, so I wrote a PowerShell script to retrieve a list of TOR exit nodes and write them to a file. Then I use SPLUNK to pick up that file, index it, and extract the interesting fields to then use in other SPLUNK dashboards/reports/whatever.

--------------------------------------------

automated task:

program/script: powershell.exe
Add arguments: -file "C:\SplunkInput\Scripts\Get-TorExitNodeList.ps1" -NoProfile
Start in: C:\SplunkInput\Scripts\

---------------------------------

POSH Script:

<#
.SYNOPSIS
    Gets the list of Tor exit nodes from the TOR project and puts them in a file.

.DESCRIPTION
    Gets the list of Tor exit nodes from the TOR project and puts them in a file for other use (like SPLUNK).
    Will by default write to "C:\SplunkInput\TorExitNode\TorExitNode<timestamp>.txt"

.EXAMPLE
    ./Get-TorExitNodeList.ps1

.NOTES
    I recommend you run this as a scheduled task, every 5 min or so, as the list changes often.
    I recommend you use a SPLUNK forwarder to take this file and index it.
    Created by Bryan Loveless
    Bryan.Loveless@gmail.com
    July 2016
#>

$outDir = "C:\SplunkInput\TorExitNode"

# make sure the output folder exists (first run, or after a rebuild)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# request the list of exit nodes first, so a failed download leaves the previous list in place
try {
    $response = Invoke-WebRequest -Uri https://check.torproject.org/exit-addresses -UseBasicParsing -ErrorAction Stop
} catch {
    Write-Error "Could not fetch the Tor exit node list: $_"
    exit 1
}

# cleanup the old log files
Remove-Item (Join-Path $outDir "TorExitNode*.txt") -ErrorAction SilentlyContinue

# get the current date/time to create a new file name (":" is not legal in a Windows file name)
$now  = (Get-Date).ToString("s").Replace(":", "-")
$file = Join-Path $outDir ("TorExitNode" + $now + ".txt")

# write the list to the file created above.
# RawContent includes the HTTP status line and response headers ahead of the body.
$response.RawContent | Out-File $file




------------------------------------------------------------------

For the SPLUNK forwarder, inputs.conf:
[monitor://C:\SplunkInput\TorExitNode]
crcSalt = <SOURCE>
#initCrcLength = 4096
disabled = 0
sourcetype = TorExitNodeList
index = tor

------------------------------------------------------------

For the SPLUNK field extraction, props.conf:

[TorExitNodeList]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
description = Tor Exit Node List
disabled = false
pulldown_type = true
HEADER_FIELD_LINE_NUMBER = 14
#LINE_BREAKER = \bLastStatus\b
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = ExitNode
EXTRACT-ip-torexitnode = ^\w+\s+(?P<ip>[^ ]+)
EXTRACT-Last_Checkin_Date,Last_Checkin_Time = ^(?:[^ \n]* ){2}(?P<Last_Checkin_Date>[^ ]+)\s+(?P<Last_Checkin_Time>\d+:\d+:\d+)
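As an added example (not the post's own code), here is a parser for the exit-addresses format that emits one flat record per exit address, plus a helper that checks a single IP against the parsed list; the sample text is constructed, and the CSV file name under C:\SplunkInput\TorExitNode is an assumption.

```powershell
# Added example, not code from the original post. The sample below is constructed;
# fingerprints and addresses are made up (RFC 5737 documentation ranges).
$sample = @"
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2016-07-12 05:27:38
LastStatus 2016-07-12 08:02:29
ExitAddress 192.0.2.10 2016-07-12 08:05:17
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2016-07-11 22:10:01
LastStatus 2016-07-12 07:58:44
ExitAddress 198.51.100.7 2016-07-12 07:59:02
ExitAddress 203.0.113.42 2016-07-12 08:01:30
"@

function ConvertFrom-TorExitList {
    # Walks the list line by line: an ExitNode line starts a new relay, and every
    # ExitAddress line under it becomes one output record (a relay can list several).
    param([Parameter(Mandatory)][string]$Text)
    $node = $null
    foreach ($line in $Text -split "`r?`n") {
        $parts = $line -split ' '
        switch ($parts[0]) {
            'ExitNode'    { $node = @{ Fingerprint = $parts[1] } }
            'Published'   { $node.Published  = "$($parts[1]) $($parts[2])" }
            'LastStatus'  { $node.LastStatus = "$($parts[1]) $($parts[2])" }
            'ExitAddress' {
                [pscustomobject]@{
                    ip          = $parts[1]
                    last_seen   = "$($parts[2]) $($parts[3])"
                    fingerprint = $node.Fingerprint
                    published   = $node.Published
                    last_status = $node.LastStatus
                }
            }
        }
    }
}

function Test-TorExitIp {
    # True if $Ip is one of the parsed exit addresses (the check the dashboards do at scale).
    param([string]$Ip, [object[]]$Records)
    return [bool]($Records | Where-Object { $_.ip -eq $Ip })
}

$records = ConvertFrom-TorExitList -Text $sample
# CSV output needs no BREAK_ONLY_BEFORE or EXTRACT regexes on the Splunk side (file name is an assumption).
$records | Export-Csv -Path "C:\SplunkInput\TorExitNode\TorExitNode.csv" -NoTypeInformation
Test-TorExitIp -Ip '203.0.113.42' -Records $records
Test-TorExitIp -Ip '192.0.2.99'   -Records $records
```

Run against the text actually fetched from check.torproject.org, the same function gives one row per exit address, so a Splunk lookup on the ip column replaces the line-merge and regex settings in props.conf.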

-------------------------------------------------------------------

References:
http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Howlogfilerotationishandled


