Dashboards & Visualizations

Index, gather, and graph Firewall flows

bartabass
Engager

Hi,

I'm trying tos earch a way to identify firewall flows on a whole Information System.
As I want to use Splunk Power..I'm trying to know if this scenario is possible and how (with which apps) :
Scenario:
- Deploy Splunk agents on firewall log collectors or servers, and routers (accept[andreject ?])
- Gather & Index Data with splunk
- Draw from Network IP level (logical IP view) the flaws coming from a subnet to another..

Is it possible ? Crazy ?

Thanks in advance for your suggestions.

NB: Benefit will be to index bandwdth flow and calculate throughput too.. later.. But at the moment i need to know WHAT is going though my Information System 🙂

bartabass
Engager

I'm trying to find clues to HOW to do that 🙂

I read an interesting paper on another methond with afterflow,
approache is similar but less powerfull :
http://www.giac.org/paper/gcia/1651/visualizing-firewall-log-data-detect-security/109883

I plan to watch a webcast tonight on that subject :
http://searchsecurity.techtarget.com/video/Splunk-tutorial-demonstrates-how-to-use-Splunk-for-securi...

I found several visualization solutions with a post:

tnv - The Network Visualizer or Time-based Network Visualizer
http://tnv.sourceforge.net/

INAV - Interactive Network Active-traffic Visualization
http://inav.scaparra.com/about/abstract/

Will look deeper in them.

Don't hesitate to give your answer on this resarch 🙂
My position is to :
1) Index flat files into splunk (firewall logs, routers logs..etc)
2) Then maybe integrate some other dat into splunk and visualize data FROM it.. the question is HOW.

flat files ---> splunk --> graph with what app ?
inav/

..etc

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...