Getting Data In

host (PC) linux on my Network

numeroinconnu12
Path Finder

Good morning, everyone,

As the title says, I would like to know which Linux hosts have access to my network, not the servers but the hosts.

Thank you.

0 Karma

ololdach
Builder

Hi,

let's assume you'd like to know all machines that run Linux within your network. First, you have to find any active clients, and you could use two approaches: active scans or passive listening in on the traffic. For active scanning, nmap is a good starting point. https://en.wikipedia.org/wiki/Nmap

It will deliver some findings and can be configured to give you a probability for the OS that a client runs, based on open ports and probes that the tool uses to discover the OS version. Whatever nmap delivers, you could index into Splunk and do further analysis.

For passive scanning, you could always use the Stream app https://splunkbase.splunk.com/app/1809/, have it listen to your network, and do some forensics on the data. For example, you could look for ARP packets, which disclose the MAC to IP translations. If you wait long enough, a rogue Linux system will likely contact an NTP time source outside of your own NTP setup. Luckily, Linux clients don't use any microsoft.com domains for time resolution, but rather something like ntp.ubuntu.com. Unless you distribute NTP through DHCP... but hey, there are other ways... like testing port 22, as Linux usually has SSH running, or 5900 for VNC.

hih
Oliver

0 Karma

jpolvino
Builder

Are you asking if Splunk can detect when someone walks into your workplace with a PC running linux, and connects to your network?

0 Karma

gcusello
SplunkTrust

Hi @numeroinconnu123,
your request is rather generic; could you share some additional information?
Are you talking about servers that have the Universal Forwarder installed?
Are you talking about network traffic or access to a certain system?
Are these servers already sending their logs to Splunk or not?

Ciao.
Giuseppe

0 Karma

numeroinconnu12
Path Finder

Hi @gcusello ,
The servers send their logs to Splunk.
I would like to know if there are Linux PCs that connect to the network. With what Splunk search can I find that out?
Thanks

0 Karma

gcusello
SplunkTrust

Hi @numeroinconnu123,
if you're already receiving logs from those servers, you have to run a simple search

index=_internal
| stats count BY host

in this way you have all the servers that are sending logs to Splunk.
To have the Linux servers you have two ways:
if in the hostname there's something to recognize them by (e.g. the hostname is something like srvx-0001), you can add a filter to your search

index=_internal host=srvx*
| stats count BY host

if you cannot recognize them from the naming convention, you should have a list of all your servers in a lookup and use it to filter your search. E.g. if you have a lookup called perimeter.csv with two fields, host and type, you could run something like this:

index=_internal [ | inputlookup perimeter.csv where type=unix | fields host ]
| stats count BY host

Ciao.
Giuseppe

0 Karma

numeroinconnu12
Path Finder

Hello @gcusello

thank you for your answer.

The problem is not the linux servers.

I would like to know if there are Linux OS machines connecting to my network, not the Linux servers.

0 Karma

gcusello
SplunkTrust

Hi @numeroinconnu123,
the questions are the same:

  • Are you talking about systems that have the Universal Forwarder installed?
  • Are these servers already sending their logs to Splunk or not?

Anyway, if you have a list of your known systems, you could exclude the known ones and list the remaining:

index=_internal NOT [ | inputlookup perimeter.csv | fields host ]
| stats count BY host

Ciao.
Giuseppe

0 Karma
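Pulling the two threads of this discussion together (the passive NTP heuristic from ololdach's reply and the "exclude the known hosts via perimeter.csv" idea from gcusello's), here is an added Python example that is not from any poster. It runs the same logic outside Splunk over constructed DNS resolver log lines and a constructed perimeter.csv; the log format and the list of distribution NTP names are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed DNS resolver log lines (not from the thread).
# Assumed format: "<timestamp> client=<ip> query=<name>"
DNS_LOG = """\
2024-05-01T08:00:01Z client=10.0.0.15 query=ntp.ubuntu.com
2024-05-01T08:00:02Z client=10.0.0.15 query=archive.ubuntu.com
2024-05-01T08:00:05Z client=10.0.0.21 query=time.windows.com
2024-05-01T08:00:09Z client=10.0.0.33 query=2.debian.pool.ntp.org
2024-05-01T08:00:12Z client=10.0.0.40 query=0.fedora.pool.ntp.org
2024-05-01T08:00:15Z client=10.0.0.21 query=login.microsoftonline.com
"""

# Constructed stand-in for the perimeter.csv lookup (fields: host, type).
PERIMETER_CSV = """\
host,type
10.0.0.40,unix
10.0.0.21,windows
"""

# Default time sources of common Linux distributions (assumed list);
# Windows clients use time.windows.com instead.
LINUX_NTP_RE = re.compile(
    r"^(ntp\.ubuntu\.com|\d\.(debian|fedora|centos|rhel)\.pool\.ntp\.org)$"
)
LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+)")

def load_known_hosts(csv_text):
    """Return {host: type} from a perimeter.csv-style lookup."""
    return {r["host"]: r["type"] for r in csv.DictReader(io.StringIO(csv_text))}

def linux_ntp_clients(log_text):
    """Map each client IP to the set of Linux-style NTP names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and LINUX_NTP_RE.match(m["query"]):
            hits[m["client"]].add(m["query"])
    return dict(hits)

def unknown_linux_hosts(log_text, csv_text):
    """Linux-looking clients missing from the lookup: the Python
    equivalent of NOT [ | inputlookup perimeter.csv | fields host ]."""
    known = load_known_hosts(csv_text)
    return {ip: sorted(n) for ip, n in linux_ntp_clients(log_text).items()
            if ip not in known}

if __name__ == "__main__":
    print(unknown_linux_hosts(DNS_LOG, PERIMETER_CSV))
```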