Parsing ISO8583 BASE24 message

harmanbhogal
New Member

Hello,
I started reading about Splunk just today, and my day-1 question to the pros is: is it possible to parse an ISO8583 stream (from an ATM switch using BASE24), look up the historical transactions for the same card (I presume historical transactions are stored in Splunk), and maybe calculate the total withdrawal amount?

Parsing ISO8583 requires looking up the bitmap and identifying the available data elements to be stored and searched for processing/analysis at a later stage.

Thanks in advance.

haley_swarnapat
Path Finder

Damien is right. I've done a similar implementation, but the switching is on AS/400 instead of BASE24; however, the solution would be the same. These are the steps I took:
1. Tap the network, using a TAP or SPAN of your choice, since Switching won't allow us to install any agent on their server.
2. Do the PCAP, parsing, and masking IN MEMORY, since it is audited as CDE under PCI-DSS compliance.
3. Send the parsed and masked data to a Splunk Forwarder. Done!

Step number 2 is important: some fields in BASE24 contain Sensitive Authentication Data such as the Encrypted PIN and Full Track 2 Data, and it will break compliance if we store the PCAP in the indexer.

However, with proper treatment, I can even exclude the Indexer and Search Head from the CDE in PCI-DSS compliance. Only the Forwarder and TAP are audited as CDE.

Damien_Dallimor
Ultra Champion

GK is correct. Just to add, in a past life I wrote payments software, including ISO8583 binary protocol encoders/decoders, so this question caught my attention.

My approach would be to write a Splunk Modular Input (in Python) to listen on a UDP or TCP port (depending on how you are "streaming" the data in). The Modular Input would receive this binary stream, decode it into a textual format and output it to Splunk. You may even apply some preprocessing of the ISO8583 packet so as to output only specific data, or perhaps mask sensitive payments data.

The good news is that other people have already done most of the hard work and created libraries to perform the protocol decoding for you.

Check out this for example: http://code.google.com/p/iso8583py/
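To make the bitmap lookup from the question and the decode-then-mask step in Damien's and haley's answers concrete, here is an added example written for this page. It is not code from the thread, from iso8583py, or from Splunk. It assumes an ASCII-encoded ISO 8583 message with 16-hex-character bitmaps and a small constructed field table; real BASE24 traffic carries a proprietary header and its own field layouts, so the FIELDS table is a placeholder to adapt. It is written for Python 3 (the thread's modular input would have run on Splunk's embedded Python 2 at the time). The sample messages, card number and PIN block are constructed test values.

```python
# Added example: ISO 8583 bitmap parsing plus masking before the text
# reaches a Splunk forwarder. Assumptions (not from the thread): ASCII
# message, 16-hex-char bitmaps, and a constructed subset of field layouts.

# Data element -> (kind, max length). "fixed": exact length; "LL"/"LLL":
# 2- or 3-digit length prefix. Constructed subset; BASE24 layouts differ.
FIELDS = {
    2:  ("LL", 19),     # Primary account number (PAN)
    3:  ("fixed", 6),   # Processing code (01xxxx = withdrawal)
    4:  ("fixed", 12),  # Transaction amount, minor units
    7:  ("fixed", 10),  # Transmission date and time (MMDDhhmmss)
    11: ("fixed", 6),   # System trace audit number
    35: ("LL", 37),     # Track 2 data: sensitive authentication data
    41: ("fixed", 8),   # Terminal ID
    52: ("fixed", 16),  # PIN block: sensitive authentication data
    70: ("fixed", 3),   # Network management information code
}
DROP = {35, 52}   # never forwarded or stored (PCI DSS requirement 3.2)
MASK = {2}        # PAN: keep first six and last four digits only


def parse_bitmap(hex_bitmap):
    """Return the data elements flagged in a 16-hex-char bitmap (bit 1 = MSB)."""
    bits = bin(int(hex_bitmap, 16))[2:].zfill(64)
    return [i + 1 for i, b in enumerate(bits) if b == "1"]


def parse_message(raw):
    """Split an ASCII ISO 8583 message into (MTI, {DE: value})."""
    mti, pos = raw[0:4], 4
    present = parse_bitmap(raw[pos:pos + 16])
    pos += 16
    if 1 in present:                      # bit 1 announces a secondary bitmap
        present += [de + 64 for de in parse_bitmap(raw[pos:pos + 16])]
        pos += 16
    fields = {}
    for de in present:
        if de == 1:
            continue
        if de not in FIELDS:
            raise ValueError("no layout defined for DE %d" % de)
        kind, limit = FIELDS[de]
        if kind == "fixed":
            length = limit
        else:                             # LL or LLL variable-length element
            width = 2 if kind == "LL" else 3
            length = int(raw[pos:pos + width])
            pos += width
            if length > limit:
                raise ValueError("DE %d length %d exceeds %d" % (de, length, limit))
        value = raw[pos:pos + length]
        if len(value) != length:
            raise ValueError("message truncated inside DE %d" % de)
        fields[de] = value
        pos += length
    if pos != len(raw):
        raise ValueError("%d trailing bytes after last element" % (len(raw) - pos))
    return mti, fields


def mask_pan(pan):
    """Keep BIN (first six) and last four digits, star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize(fields):
    """Drop sensitive authentication data and mask the PAN."""
    return {de: (mask_pan(v) if de in MASK else v)
            for de, v in fields.items() if de not in DROP}


def to_event(raw):
    """Decode, sanitize and render one message as a key=value line for Splunk."""
    mti, fields = parse_message(raw)
    clean = sanitize(fields)
    return " ".join(["mti=%s" % mti]
                    + ["de%d=%s" % (de, clean[de]) for de in sorted(clean)])


# Constructed sample messages (test card number, dummy PIN block).
# Withdrawal request: DE 2,3,4,7,11,35,41,52 -> primary bitmap 7220000020801000
WITHDRAWAL = ("0200" + "7220000020801000"
              + "16" + "4111111111111111"                  # DE2  (LL)
              + "010000" + "000000020000"                  # DE3, DE4 (200.00)
              + "0706123456" + "123456"                    # DE7, DE11
              + "33" + "4111111111111111=2512101123450000" # DE35 (LL)
              + "ATM00001" + "0123456789ABCDEF")           # DE41, DE52
# Echo test (the MTI 0800 case from the thread): DE 7,11,70 -> bit 1 set,
# secondary bitmap 0400000000000000 carries DE70.
ECHO = ("0800" + "8220000000000000" + "0400000000000000"
        + "0706123456" + "000001" + "301")

if __name__ == "__main__":
    print(to_event(WITHDRAWAL))
    print(to_event(ECHO))
```

The point of `sanitize` is the one haley makes: track 2 and the PIN block are removed before anything is written to a forwarder, so the indexer never holds sensitive authentication data, and the PAN is truncated so the event can still be joined against the card's history by `de2`. The withdrawal total the question asks for is then a plain Splunk search over `de3` and `de4` on the indexed events rather than something the parser has to do.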

harmanbhogal
New Member

The problem got solved by installing Python 2.7. Earlier I was using Python 3.3. Thanks.

pinakicybermak
New Member

Hi harman,
Is this requirement solved? Can you give me a handle on what you did?

gkanapathy
Splunk Employee

You need to use Python 2.x, not Python 3.x. Splunk ships with an embedded Python 2.x.

harmanbhogal
New Member

Thanks Damien and GK. I have installed Python 3.3.2. I am able to execute the Python tutorials; however, while executing echoClient.py (MTI 0800 echo test), I am getting "invalid syntax" at the code line below, for the "," comma right after "error".

except socket.error, msg:

The invalid syntax is in the other downloaded examples as well.
I had an issue related to indentation, which was resolved, but this is troubling me and I am not able to move forward. Maybe it is very simple, but I am totally naive in this regard and need your assistance here.

echoClient.py is in the URL shared by Damien.

gkanapathy
Splunk Employee

No. Splunk indexes and parses text data. You would need to preprocess the data into something textual (more-or-less human-readable) for Splunk to handle it.
