Example of how to detect Tor traffic?

sloshburch
Ultra Champion

Does anyone have examples of how to use Splunk to detect Tor traffic?

0 Karma
1 Solution

sloshburch
Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about use case examples in Splunk® Platform Use Cases on Splunk Docs.

The Tor anonymity network is the perfect place to hide command-and-control, exfiltration, or ransomware payment through bitcoin. This example finds ransomware activity based on firewall logs.

This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials on Splunkbase.

Basic TOR Traffic Detection

Load data

How to implement: This use case requires you to index data from a source that does protocol analysis to determine the type of network traffic being used, regardless of the port associated with the traffic. This data is often available from next-generation firewalls or other traffic analysis tools, such as Splunk Stream or Bro.

Data check: This use case requires network traffic with the app field populated.

Get insights

This example use case looks for ransomware activity based on firewall logs.

Use the following search:

index=* app=tor src_ip=* 
((tag=network tag=communicate) OR (sourcetype=pan*traffic OR sourcetype=opsec OR sourcetype=cisco:asa OR sourcetype=stream*))
| table _time src_ip src_port dest_ip dest_port bytes app

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: When this search returns values, verify your organization's policies for accessing and utilizing the Tor network. Contact the user and system owner about the action to determine if they authorized the action. If the access is authorized, document that this is authorized and by whom. If not, it's possible that another person initiated the action and more investigation is warranted.

Help

If the search produces no results, it means that no activity with the Tor anonymity network occurred. To see the data returned for non-TOR events, toggle the search from app=tor to app!=tor.

To ingest network traffic logs, consider using Splunk Stream. To ensure the app field is populated, use a next-generation firewall or similar tool to identify the application layer protocol.

If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.

For more support, post a question to the Splunk Answers community.

0 Karma
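To make the filter semantics of the search above concrete, here is an added Python re-implementation run over constructed sample firewall events. It is not code from the original post or from Splunk Security Essentials; the event dictionaries, field values and the hypothetical sourcetype custom:fw are invented for illustration. It mirrors the three conditions of the SPL (app=tor, src_ip=* requiring the field to exist, and the tag-pair OR sourcetype-glob branch) and the app!=tor toggle mentioned under Help, including the SPL detail that != only matches events where the field is present.

```python
"""
Added example (not from the original Splunk Answers post): a small Python
re-implementation of the semantics of the Tor-detection SPL search, run over
constructed sample firewall events so the filter logic can be inspected offline.
"""
from fnmatch import fnmatchcase

# Constructed sample events in field/value form, loosely modelled on what a
# next-generation firewall or Splunk Stream would produce. Not real traffic.
SAMPLE_EVENTS = [
    {"_time": "2021-09-01T10:00:00Z", "sourcetype": "pan:traffic", "app": "tor",
     "src_ip": "10.0.0.5", "src_port": "51234", "dest_ip": "203.0.113.10",
     "dest_port": "9001", "bytes": "8423", "tag": []},
    {"_time": "2021-09-01T10:00:05Z", "sourcetype": "pan:traffic", "app": "ssl",
     "src_ip": "10.0.0.6", "src_port": "51235", "dest_ip": "198.51.100.7",
     "dest_port": "443", "bytes": "1200", "tag": []},
    # Tor event from a hypothetical source that carries CIM tags instead of a
    # recognised sourcetype; matched by the (tag=network tag=communicate) branch.
    {"_time": "2021-09-01T10:01:00Z", "sourcetype": "custom:fw", "app": "tor",
     "src_ip": "10.0.0.7", "src_port": "40000", "dest_ip": "203.0.113.11",
     "dest_port": "443", "bytes": "5120", "tag": ["network", "communicate"]},
    # Tor event with no src_ip field: src_ip=* requires the field to exist,
    # so this one is excluded.
    {"_time": "2021-09-01T10:02:00Z", "sourcetype": "stream:tcp", "app": "tor",
     "dest_ip": "203.0.113.12", "dest_port": "9030", "bytes": "900", "tag": []},
    # Tor event from an unrecognised sourcetype with no tags: excluded.
    {"_time": "2021-09-01T10:03:00Z", "sourcetype": "custom:fw", "app": "tor",
     "src_ip": "10.0.0.8", "src_port": "40001", "dest_ip": "203.0.113.13",
     "dest_port": "9001", "bytes": "700", "tag": []},
]

# sourcetype patterns from the search; '*' is a glob wildcard as in SPL
SOURCETYPE_PATTERNS = ("pan*traffic", "opsec", "cisco:asa", "stream*")
TABLE_FIELDS = ("_time", "src_ip", "src_port", "dest_ip", "dest_port", "bytes", "app")


def matches_source(event):
    """(tag=network tag=communicate) OR (sourcetype=pan*traffic OR opsec OR cisco:asa OR stream*)"""
    tags = set(event.get("tag", []))
    if {"network", "communicate"} <= tags:
        return True
    sourcetype = event.get("sourcetype", "")
    return any(fnmatchcase(sourcetype, pattern) for pattern in SOURCETYPE_PATTERNS)


def detect_tor(events, negate=False):
    """Return the rows `| table _time src_ip ... app` would produce.

    negate=True mirrors toggling app=tor to app!=tor. Like SPL's !=, it still
    requires the app field to be present, so events with no app value are dropped.
    """
    rows = []
    for event in events:
        app = event.get("app")
        if negate:
            app_ok = app is not None and app != "tor"
        else:
            app_ok = app == "tor"
        if not app_ok:
            continue
        if "src_ip" not in event:  # src_ip=* only matches when the field exists
            continue
        if not matches_source(event):
            continue
        rows.append({field: event.get(field) for field in TABLE_FIELDS})
    return rows


if __name__ == "__main__":
    for row in detect_tor(SAMPLE_EVENTS):
        print(row)
```

Running the block prints the two Tor rows (10.0.0.5 from pan:traffic and 10.0.0.7 via the tag pair); the event without src_ip and the untagged custom:fw event are excluded for the same reasons they would be in Splunk, which is why the Help section's advice to install the add-ons (so tags and the app field get populated) matters.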

sloshburch
Ultra Champion

Update: I added a related video.

0 Karma