
Home Monitor 4.3.0: Why do I see no IN Bound or OUT Bound events from DD-WRT?

fareastenders
Explorer

Love the idea of Home Monitor and really want to get it to work.

I'm running Home Monitor 4.3.0 on Splunk 6.3.2. DD-WRT v3.0-r27734 on a DIR 686L.

Set up Home Monitor initially with the dd-wrt sourcetype, which produced the problem below. Then re-ran /homemonitor/apps/local/homemonitor/setup with the sourcetype set to syslog, which produced the same problem.

There are many Events but no IN Bound or OUT Bound events. (screenshot; imgur image ID 1YTTUs8 if the link doesn't work)

Have sample output from DD-WRT, extract below:

2016-01-10 14:59:57 Kernel.Warning  192.168.28.1    Jan 10 06:59:57 kernel: ACCEPT IN=vlan2 OUT=br0 MAC=78:54:2e:4e:13:c9:00:17:10:85:ab:92:08:00:45:00:00:8f SRC=218.15.145.194 DST=192.168.28.57 LEN=143 TOS=0x00 PREC=0x00 TTL=43 ID=4934 PROTO=UDP SPT=14392 DPT=19598 LEN=123 MARK=0xa000 
2016-01-10 14:59:57 Kernel.Warning  192.168.28.1    Jan 10 06:59:57 kernel: ACCEPT IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:ba:67:d7:f2:08:00 SRC=192.168.28.11 DST=192.168.28.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23255 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x35400 
2016-01-10 14:59:57 Kernel.Warning  192.168.28.1    Jan 10 06:59:57 kernel: ACCEPT IN=vlan2 OUT=br0 MAC=78:54:2e:4e:13:c9:00:17:10:85:ab:92:08:00:45:00:00:84 SRC=123.26.105.194 DST=192.168.28.57 LEN=132 TOS=0x00 PREC=0x00 TTL=113 ID=15843 PROTO=UDP SPT=10538 DPT=19598 LEN=112 MARK=0xa000 
2016-01-10 14:59:57 Kernel.Warning  192.168.28.1    Jan 10 06:59:58 kernel: ACCEPT IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:ba:67:d7:f2:08:00 SRC=192.168.28.11 DST=192.168.28.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23351 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x35400 

Any ideas? Have I mis-configured something?

amiracle
Splunk Employee

Here's the dd-wrt source type which you can add to your local props.conf for now until I add it to the next release.

[dd-wrt]
pulldown_type = 1
# Named capture group <action> restored (lost in the page extraction): skips to "kernel: " and takes the iptables verdict word (ACCEPT/DROP)
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as protocol
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
# match() takes a regex, not a glob: "eth*" would match any value containing "et", so anchor on the interface prefix
EVAL-direction = if(match(OUT,"^eth"), "out", "in")
LOOKUP-action_lookup = action_lookup action OUTPUT action2
LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host

Here is the blog post on how I made the sourcetype : http://amiracle19.blogspot.com/2016/02/adding-dd-wrt-sourcetype.html

0 Karma

whothisbeme
New Member

Awesome! I am now seeing accepted/blocked and inbound/outbound!

The below config posted in your blog post works:

[dd-wrt]
pulldown_type = 1
# Named capture group <action> restored (lost in the page extraction)
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as protocol
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
# match() takes a regex: anchor on the interface prefix rather than using a glob
EVAL-direction = if(match(OUT,"^eth"), "out", "in")
LOOKUP-action_lookup = action_lookup action OUTPUT action2
LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host

Also I did notice my public IP was not reported correctly on the Home Network Overview dashboard.

Thanks again!

0 Karma

amiracle
Splunk Employee

What IP address did show up for your dashboard? Was it a local IP (192.168.1.0/16)?

0 Karma

whothisbeme
New Member

Actually, no, it is not a local IP.

I am seeing a 186.108.xxx.xxx IP

Thanks!

0 Karma

amiracle
Splunk Employee

The problem is that you have br0 as your interface, but the app is configured to look for eth* instead. Here's how you fix it:

Go to $SPLUNK_HOME/etc/apps/homemonitor/local/props.conf (If the file does not exist, simply create it.)

Next, copy and paste the following:

[openwrt]
# match() takes a regex: "^br" matches br0 (the LAN bridge); a bare "br*" would match any value containing "b"
EVAL-direction = if(match(OUT,"^br"), "out", "in")

What this is doing, is looking at the OUT extraction and seeing what interface it's going to, then based on that reporting it as OUT for true, or IN for false.

You can either reload or just restart Splunk (to reload, simply run *| extract reload=T) in a search.

That should now get you the direction for your traffic.

0 Karma

DanielFordWA
Contributor

I have the same issue. The proposed solution results in only IN bound connections. I am happy to help with any testing to get dd-wrt fully supported.

0 Karma

amiracle
Splunk Employee

If you want outbound connections, you should look at the two fields, IN and OUT, in your data. I would look at the SRC and see if it's a local IP; if it is, then whatever your "IN" field is, add that to the props.conf:

[dd-wrt]
# Closing parenthesis of match() restored; "^br" anchors on the interface prefix
EVAL-direction = if(match(IN,"^br"), "in", "out")

This reads: if the IN field = br0 (using the example data above) then the direction will be set to 'in', otherwise it will be set to 'out'. Just look at your data and validate the SRC and DEST IPs to make sure that they logically follow the newly created direction field.

Let me know if I can add any further assistance.

-Kam

0 Karma
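The direction rules traded back and forth in the posts above all reduce to "which interface name appears in IN or OUT", and Kam's advice is to validate whatever rule you pick against the SRC and DST addresses. The following is an added example, written for this page and not code from the Home Monitor app or from anyone in the thread: it re-implements the props.conf field extraction in Python, runs each candidate EVAL-direction rule over a handful of DD-WRT events, and flags every event whose computed direction disagrees with the private/public split of its SRC and DST. It assumes, as the quoted events suggest, that vlan2 is the router's WAN port and br0 its LAN bridge; the first two events are copied from the question, the outbound DNS request and the dropped telnet probe are constructed, and the KEY=value extraction is an approximation of Splunk's automatic extraction.

```python
"""Added example (not code from the Home Monitor app or the thread): replays the
props.conf extraction and the candidate EVAL-direction rules over sample DD-WRT
events and cross-checks each computed direction against SRC/DST addresses."""
import ipaddress
import re

# EXTRACT-action from the dd-wrt stanza, with the named group <action> restored:
# skip to "kernel: " and take the iptables verdict word (ACCEPT, DROP, ...).
ACTION_RE = re.compile(r"(?i) .*?: (?P<action>\w+)(?= )")
# Approximation of Splunk's automatic KEY=value extraction. LEN= appears twice
# in these events (IP and UDP length); the dict keeps the last one.
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S*)")

# Constructed sample log: lines 1-2 are from the question, 3-4 are made up.
# Assumption: vlan2 = WAN port, br0 = LAN bridge on this DD-WRT box.
SAMPLE_LOG = """\
Jan 10 06:59:57 kernel: ACCEPT IN=vlan2 OUT=br0 MAC=78:54:2e:4e:13:c9:00:17:10:85:ab:92:08:00:45:00:00:8f SRC=218.15.145.194 DST=192.168.28.57 LEN=143 TOS=0x00 PREC=0x00 TTL=43 ID=4934 PROTO=UDP SPT=14392 DPT=19598 LEN=123 MARK=0xa000
Jan 10 06:59:57 kernel: ACCEPT IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:ba:67:d7:f2:08:00 SRC=192.168.28.11 DST=192.168.28.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=23255 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x35400
Jan 10 06:59:58 kernel: ACCEPT IN=br0 OUT=vlan2 MAC=00:17:10:85:ab:92:78:54:2e:4e:13:c9:08:00 SRC=192.168.28.57 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=51 PROTO=UDP SPT=40000 DPT=53 LEN=40 MARK=0xa000
Jan 10 06:59:59 kernel: DROP IN=vlan2 OUT=br0 MAC=78:54:2e:4e:13:c9:00:17:10:85:ab:92:08:00 SRC=123.26.105.194 DST=192.168.28.57 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=7 PROTO=TCP SPT=4444 DPT=23 MARK=0xa000
"""

# The EVAL-direction variants discussed in the thread, as anchored regexes.
DIRECTION_RULES = {
    "OUT eth": lambda f: "out" if re.match(r"^eth", f.get("OUT", "")) else "in",  # app default
    "OUT br":  lambda f: "out" if re.match(r"^br", f.get("OUT", "")) else "in",   # first br0 fix
    "IN br":   lambda f: "in" if re.match(r"^br", f.get("IN", "")) else "out",    # second br0 fix
    "IN vlan": lambda f: "in" if re.match(r"^vlan", f.get("IN", "")) else "out",  # WAN-port rule
}


def parse_event(line):
    """Return the fields the props.conf stanza would produce for one event."""
    m = ACTION_RE.search(line)
    fields = dict(KV_RE.findall(line))
    fields["action"] = m.group("action") if m else None
    # FIELDALIAS-* lines from the stanza
    for raw, alias in (("SRC", "src_ip"), ("DST", "dest_ip"), ("SPT", "src_port"),
                       ("DPT", "dest_port"), ("PROTO", "protocol")):
        if raw in fields:
            fields[alias] = fields[raw]
    return fields


def direction_is_plausible(fields, direction):
    """Kam's cross-check: inbound should run public -> private, outbound the
    reverse. Returns None when both ends are on the same side (LAN broadcast,
    traffic addressed to the router's own WAN address), since neither label
    can be checked that way."""
    src_private = ipaddress.ip_address(fields["SRC"]).is_private
    dst_private = ipaddress.ip_address(fields["DST"]).is_private
    if src_private == dst_private:
        return None
    return (direction == "in") == (dst_private and not src_private)


def evaluate_rule(rule_name, log_text=SAMPLE_LOG):
    """Classify every event with one rule.
    Returns ([(action, direction), ...], number of implausible directions)."""
    rule = DIRECTION_RULES[rule_name]
    results, mismatches = [], 0
    for line in log_text.splitlines():
        fields = parse_event(line)
        direction = rule(fields)
        results.append((fields["action"], direction))
        if direction_is_plausible(fields, direction) is False:
            mismatches += 1
    return results, mismatches


if __name__ == "__main__":
    for name in DIRECTION_RULES:
        results, bad = evaluate_rule(name)
        print(f"{name:8s} {[d for _, d in results]}  implausible={bad}")
```

On this topology only the rule keyed on the WAN interface (`IN` starting with `vlan`) leaves no implausible directions; rules keyed on `br0` label the forwarded WAN-to-LAN events as outbound because the LAN bridge is their OUT interface. The same check is cheap to run in Splunk once the fields exist: compare `direction` against whether `src_ip` falls in your RFC 1918 ranges and look for rows where the two disagree.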

whothisbeme
New Member

I too am having issues getting the outbound connections and accept/reject to show. I am using dd-wrt software on my router. Here is a sample output from the syslogd:

Jan 22 07:12:23 DD-WRT kern.warn kernel: ACCEPT IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:0f:00 SRC=192.168.0.32 DST=192.168.0.255 LEN=291 TOS=0x00 PREC=0x00 TTL=128 ID=7669 PROTO=UDP SPT=54915 DPT=54915 LEN=271

I am not sure if *| extract reload=T reloads the props.conf from local.

Also, can I define two rules for inbound/outbound?

Example:

# Anchored regexes and the missing closing parenthesis restored. Note that a key
# repeated within one props.conf stanza is not combined: the last EVAL-direction wins.
EVAL-direction = if(match(IN,"^vlan"), "in", "out")
EVAL-direction = if(match(OUT,"^vlan"), "out", "in")

I am quite confused as to whether my changes to the props.conf in the local folder are even having an effect...

Any help would be appreciated. Thank you

0 Karma

whothisbeme
New Member

After messing with it further, it seems the props.conf file is not affecting the settings. Upon changing the EVAL-direction line in the props.conf in the default folder, I am now seeing inbound and outbound connections. I noticed there is only an openwrt and no dd-wrt option. Will a dd-wrt option be added in the future?

Thanks again.

0 Karma

amiracle
Splunk Employee

I can add dd-wrt to the source types; I'll just need a couple of raw events to make sure that it's properly parsed. Also, did I answer your question, or are you still not able to see the data coming into the Home Monitor app?

Thanks,
Kam

0 Karma

whothisbeme
New Member

I gave up on using home monitor since I couldn't get the events parsed correctly. If you could add a dd-wrt source type that would be excellent. Just let me know what I need to provide.

Also I could get the events to show up in the Home monitor app but they weren't being parsed correctly.

Thanks

0 Karma

amiracle
Splunk Employee

To test that the new props worked, you can run a simple search:

index=homemonitor sourcetype=openwrt | stats count(dest_ip) by direction 

This should show outbound traffic to remote IPs. You can replace dest_ip with src_ip to see the traffic going inbound.

Let me know if you have any further questions.

0 Karma

fareastenders
Explorer

OK, so what does seem to have worked (based on reading and understanding your props.conf file; I have never dived into Splunk before) is setting the brand to "openwrt" rather than "dd-wrt" on the set-up page:
(screenshot of the setup page)

I now have some IN Bound events but I'm still uncertain as to whether this has solved the problem. What's the acid test?

0 Karma

fareastenders
Explorer

Thank you for your help.

I've added and populated the file you said (it was in Program Files/Splunk/etc/apps/homemonitor/local as I'm on Win x64), then re-set-up Home Monitor to use dd-wrt as the sourcetype, then restarted the Windows service as well as doing a search for *| extract reload=T, but there are still no IN or OUT results.

I then edited Program Files/Splunk/etc/apps/homemonitor/default/props.conf to replace eth* with br* and re-performed the above. Still no IN or OUT results.

Sorry.

What else could I provide to make troubleshooting easier?

0 Karma