topic Re: Splunk and Port Mirroring in Security

Splunk and Port Mirroring

bin00010111 — Wed, 29 Feb 2012 16:02:31 GMT

I have 2 options to get my data indexed.

I am using a Mikrotik router. I can do packet sniffer/streaming options to wireshark. (I don't care for this idea)

If i do port mirroring to splunk, what port does it come in on? Is there any way to capture this with splunk? Without being so specific? If I say tcp port 80, then only that gets caught, but I want all of it to get caught by splunk.

Re: Splunk and Port Mirroring

jbsplunk — Wed, 29 Feb 2012 16:12:51 GMT

Start here:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Splunk can monitor specific ports for traffic, though that isn't always the ideal approach.

Re: Splunk and Port Mirroring

bin00010111 — Wed, 29 Feb 2012 16:16:53 GMT

I agree, I do not want specific ports. I want to capture ALL that data. But because a port mirror just send data as-it-is to the ip, splunk cant sperate it from any other data I havee coming from another source. Maybe that should be in next release. Option to recieve a port mirror somehow.

Like having a 2nd nic in splunk server and all data on that nic if from the port mirror.

Re: Splunk and Port Mirroring

jbsplunk — Wed, 29 Feb 2012 16:24:01 GMT

Splunk can monitor specific ports, but not an entire interface. It isn't meant to watch an entire interface like an IDS or a Firewall would do. What is the use case you're trying to address?

Re: Splunk and Port Mirroring

Drainy — Wed, 29 Feb 2012 16:37:02 GMT

I'm assuming you're looking to directly index packet data? You're probably best dedicating an interface as the the input and connect it to the mirrored / span port and then run something like tcpdump on the interface to collect the data and run it as a scripted input into Splunk.
Thats how I have done this in the past when doing some security research.

If that is what you are after then you need to also consider your license usage as this will destroy it, you may want to do some more filtering at a scripted/programmatic level before reading anything into Splunk

Re: Splunk and Port Mirroring

bin00010111 — Thu, 01 Mar 2012 19:49:05 GMT

Okay, I have been trying to easily index and report on the websites vistied by users on my network.

I have tried untangle, which is AWESOME, BUT, doesnt play well with my network since I have mulitple subnets. Or my voip phones (because of the subnet issue)

I have thought about squid, but it's a caching/proxy. Do not want to redirect everything. Or have a server inline (Untangle)

I would just really like to port mirror evertything to an ip and the machine at that ip grab the data and report on it.

Tried wireshark, but it doesnt report that way I want. Untangle has the best reporting, just sucks it wont work well with my net and wants to be inline, i.e; Router-->Untangle-->Switch

Any ideas? Thanks for the help.

Re: Splunk and Port Mirroring

Ayn — Thu, 01 Mar 2012 23:00:34 GMT

It sounds to le like you're mixing up concepts a bit. Splunk is not a network packet monitor. Neither is Squid. You might want to look at urlsnarf from the dsniff tools, or or justsniffer and then if you want you can configure Splunk to read the output.

EDIT: Note that you obviously won't be able to read whatever HTTPS traffic your users are generating. If you want to do that, you'll need to setup a proxy they go through and essentially perform a man-in-the-middle attack with on-the-fly generated certificates.

Re: Splunk and Port Mirroring

bin00010111 — Fri, 02 Mar 2012 15:46:24 GMT

OH NO!! No https stuff. Just trying to get insight as to what people are doing with their time so we can take action accordingly on the network.

I appreciate your help!!