Lab 8 Splunk Boss of The SOC (15 Pts + 20 Pts Extra)
Lab 8 Splunk Boss of The SOC (15 Pts + 20 Pts Extra)
Lab 8 Splunk Boss of The SOC (15 Pts + 20 Pts Extra)
Purpose
To learn basics of Splunk usage, with a free online data set and server.
Creating an Account
In a browser, go to
http://live.splunk.com/splunk-security-dataset-project
General Information
Go through the tour.
At the bottom of the next page check the three boxes labelled "Lab info", "Data Summary", and "Supporting Apps", as shown below.
Source Types
Notice the "Data by Sourcetypes" section, as shown below.
At the bottom of the page, in the "Navigation"section, click "Next: Reviewing All Data Available".
At the bottom of the next page, in the "Choose a Scenario" section, click "APT Scenario".
As shown below, the Lockheed-Martin Kill Chain shows that the first step in an attack is "Reconnaissance", which in this case includes scanning the
website with a vulnerability scanner.
Vulnerability scanners send thousands of request to the Web server, so the scan should be easy to see in the event data.
At the bottom, click the "Next: Finding the IP Scanning Your Web Server" link.
On the next page, in the "Identify sourcetypes Associated with Search Values" section, click click the green "Run Search in New Tab" button, as shown
below.
After a few seconds, Splunk finds all 76,683 events including the text "imreallynotbatman.com", as shown below.
The timeline at the top shows a chart with green bars indicating the number of events in various time intervals.
The lower left shows a list of "Selected fields", and the lower right shows individual events.
Scroll down to examine an event, as shown below.
On the right side, the event data is shown as name:value pairs, with the names in red and the data in green or blue. The last line in each event shows the
"Selected fields" in a single line.
On the left side, the "Selected fields" appear, with a field name in blue and the number of different values found for that field after it, in gray. For this data,
there are 4 different "sourcetype" values and 3 "src_ip" values, outlined in green in the image below.
A box pops up showing the 4 values, and how many times each value was found, as shown below.
In the lower left, in the "Selected Fields" section, click src_ip.
The IP "40.80.148.42" appears in the majority of events, 76% of them. This is a likely suspect for the attacker.
It comes from an IDS, so this event indicates that something was detected as suspicious, not just a normal Web request.
Scroll down and examine event 2, as shown below. There's a lot of data here, from a source of "strem:http". It contains IP addresses, MAC addresses, the
HTML source of the response (in the src_content field), the HTTP headers (in the src_headers field), and more.
Examining HTTP Events
In the "New Search" page, scroll back to the top.
In the lower left, in the "Selected Fields" list, click sourcetype as shown below.
Splunk performs a new search, adding
sourcetype="stream:http"
The IP "40.80.148.42" is the source for 94% of the HTTP events, as shown below.
This result shows that IP "40.80.148.42" sent a large amount of HTTP traffic, but it doesn't prove that the traffic was malicious.
Splunk performs the original search again, finding 76,683 events, as shown below.
In the lower left, in the "Selected Fields" list, click sourcetype.
In the "sourcetype" box, click suricata, which is outlined in green in the image above.
In the "signature" box shows the IDS signatures that were detected, outlined in green in the image below.
Now we can see that this is definitely attack traffic, including "Cross Site Scripting", "SQL Injection", and more.
In the lower left, in the "Selected Fields" list, click src_ip.
Click the IP address we wish to examine, that is, 40.80.148.42, outlined in green in the image below.
Splunk performs a new search, including only Suricata events from "40.80.148.42". It finds 17,484 events, as shown below.
In the "signature" box shows the IDS signatures that were detected, outlined in green in the image below.
Now we can see that this IP address is definitely sending attack traffic, including "Cross Site Scripting", "SQL Injection", and more.
Identifying the Web Vulnerability Scanner
To identify the scanner, we'll use the stream:http data again.
In the "New Search" page, at the top, remove sourcetype=suricata from the query.
In the "sourcetype" box, click stream:http, which is outlined in green in the image below.
Splunk performs a new search, finding 20,932 events, as shown below.
In the lower left, scroll down to find src_headers, as shown below, and click it.
The headers include the brand name of the vulnerability scanner, as outlined in green in the image below.
Notice the directory name, which is covered by a green box in the image below. Enter it into the form below.
7.1: Recording Your Success (15 pts)
Use the form below to record your score in Canvas.
Name or Email:
Directory:
CCSF Student
Non-CCSF Student
What IP address is likely attempting a brute force password attack against imnotreallybatman.com?
Name or Email:
IP:
CCSF Student
Non-CCSF Student
Search VirusTotal.com and find the date that file first was seen in the wild, which is covered by a green box in the image below.
Name or Email:
Date:
CCSF Student
Non-CCSF Student
Sources
Use fields to search
Posted 9-10-18