Hi,
I'm trying to search for a way to identify firewall flows on a whole Information System.
As I want to use Splunk Power, I'm trying to know if this scenario is possible and how (with which apps):
Scenario:
- Deploy Splunk agents on firewall log collectors or servers, and routers (accept [and reject?])
- Gather & index data with Splunk
- Draw, from the network IP level (logical IP view), the flows coming from one subnet to another..
Is it possible? Crazy?
Thanks in advance for your suggestions.
NB: The benefit will be to index bandwidth flow and calculate throughput too.. later.. But at the moment I need to know WHAT is going through my Information System 🙂
I'm trying to find clues on HOW to do that 🙂
I read an interesting paper on another method with afterflow,
the approach is similar but less powerful:
http://www.giac.org/paper/gcia/1651/visualizing-firewall-log-data-detect-security/109883
I plan to watch a webcast tonight on that subject:
http://searchsecurity.techtarget.com/video/Splunk-tutorial-demonstrates-how-to-use-Splunk-for-securi...
I found several visualization solutions with a post:
tnv - The Network Visualizer or Time-based Network Visualizer
http://tnv.sourceforge.net/
INAV - Interactive Network Active-traffic Visualization
http://inav.scaparra.com/about/abstract/
Will look deeper in them.
Don't hesitate to give your answer on this research 🙂
My position is to:
1) Index flat files into Splunk (firewall logs, router logs.. etc.)
2) Then maybe integrate some other data into Splunk and visualize data FROM it.. the question is HOW.
flat files ---> Splunk --> graph with what app?
inav/
.. etc.
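As an added example (not part of this post or of any Splunk app), here is the aggregation step the scenario above needs, done offline in Python on constructed iptables-style log lines: it reduces per-packet accept/reject events to a subnet-to-subnet flow table with counts and bytes, which is exactly the edge list a graphing tool consumes. The log format, the field names and the /24 grouping are assumptions; in Splunk the same step would be a `rex` field extraction followed by `stats count sum(bytes) by src_subnet dest_subnet action`.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an iptables/syslog-like format (not real firewall output).
SAMPLE_LOGS = """\
Mar 10 10:01:02 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.15 DST=10.2.0.40 PROTO=TCP DPT=443 LEN=1500
Mar 10 10:01:03 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.16 DST=10.2.0.40 PROTO=TCP DPT=443 LEN=600
Mar 10 10:01:04 fw1 kernel: REJECT IN=eth0 OUT=eth1 SRC=10.1.2.15 DST=10.3.0.7 PROTO=TCP DPT=22 LEN=60
Mar 10 10:01:05 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.2.0.40 DST=10.1.2.15 PROTO=TCP DPT=51234 LEN=4000
Mar 10 10:01:06 fw1 kernel: malformed line that carries no SRC/DST fields
"""

# Assumed field layout: verdict first, then SRC=, DST= and LEN= somewhere on the line.
LINE_RE = re.compile(
    r"(?P<action>ACCEPT|REJECT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?LEN=(?P<len>\d+)"
)


def to_subnet(ip, prefix=24):
    """Map a host address to its containing subnet (the 'logical IP view')."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def flow_matrix(lines, prefix=24):
    """Aggregate firewall events into {(src_subnet, dst_subnet, action): {count, bytes}}.

    Lines that do not match the expected format, or carry an unparsable
    address, are skipped rather than aborting the whole run.
    """
    flows = defaultdict(lambda: {"count": 0, "bytes": 0})
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            key = (to_subnet(m["src"], prefix), to_subnet(m["dst"], prefix), m["action"])
        except ValueError:
            continue
        flows[key]["count"] += 1
        flows[key]["bytes"] += int(m["len"])  # LEN is per packet, so this is a bandwidth proxy
    return dict(flows)


def edge_list(flows):
    """Flatten the matrix into (src, dst, action, count, bytes) rows, heaviest first."""
    rows = [(s, d, a, v["count"], v["bytes"]) for (s, d, a), v in flows.items()]
    return sorted(rows, key=lambda r: (-r[4], r[0], r[1], r[2]))


if __name__ == "__main__":
    for row in edge_list(flow_matrix(SAMPLE_LOGS)):
        print("%s -> %s  %-6s count=%d bytes=%d" % row)
```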