Good morning, everyone,
As the title says, I would like to know which Linux hosts have access to my network, not the servers but the hosts.
Thank you.
Hi,
let's assume you'd like to know all machines that run Linux within your network. First, you have to find any active clients, and you could use two approaches: active scanning or passive listening to the traffic. For active scanning, nmap is a good starting point. https://en.wikipedia.org/wiki/Nmap
It will deliver some findings and can be configured to give you a probability for the OS that a client runs, based on open ports and the probes that the tool uses to discover the OS version. Whatever nmap delivers, you could index into Splunk and do further analysis.
For passive scanning, you could always use the Stream app https://splunkbase.splunk.com/app/1809/, have it listen to your network, and do some forensics on the data. For example, you could look for ARP packets, which disclose the MAC-to-IP translations. If you wait long enough, a rogue Linux system will likely contact an NTP time source outside of your own NTP setup. Luckily, Linux clients don't use any microsoft.com domains for time resolution, but rather something like ntp.ubuntu.com. Unless you distribute NTP through DHCP... but hey, there are other ways, like testing port 22, as Linux usually has SSH running, or 5900 for VNC.
HTH
Oliver
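The passive approach above (ARP for the MAC-to-IP table, outbound NTP lookups as the OS hint, known hosts excluded) can be prototyped outside Splunk before turning it into a search. The script below is an added example, not code from the thread or from the Stream app. It assumes two constructed log formats (a key=value DNS query log and tcpdump-style ARP replies) and a known-hosts CSV with `host,type` columns like the lookup idea discussed further down; the distribution NTP names are the vendor defaults (Ubuntu's `ntp.ubuntu.com`, the `*.debian/fedora/rhel.pool.ntp.org` zones), and a match is a hint, not proof, since a client that gets its NTP server from DHCP or a local time source never makes these lookups.

```python
"""Flag unknown hosts that look like Linux clients from passive DNS and ARP data.

Added example, not part of the original thread. The log formats, the sample
lines and the known-hosts CSV below are constructed for the demo.
"""
import csv
import io
import re

# Default NTP names shipped by common Linux distributions (Ubuntu's
# systemd-timesyncd uses ntp.ubuntu.com; Debian, Fedora and RHEL point at
# vendor zones under pool.ntp.org). Windows defaults to time.windows.com and
# macOS to time.apple.com, so those are deliberately not in this list.
LINUX_NTP_PATTERNS = (
    re.compile(r"(^|\.)ntp\.ubuntu\.com$"),
    re.compile(r"(^|\.)(debian|fedora|rhel|centos|opensuse)\.pool\.ntp\.org$"),
)

# Assumed log formats (adjust the regexes to whatever your DNS/ARP source emits).
DNS_RE = re.compile(r"src=(?P<src>[\d.]+)\s+query=(?P<qname>\S+)")
ARP_RE = re.compile(r"arp reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})")


def linux_ntp_hint(qname):
    """True when a DNS name matches a Linux-distribution NTP default."""
    qname = qname.rstrip(".").lower()
    return any(p.search(qname) for p in LINUX_NTP_PATTERNS)


def parse_dns(text):
    """Yield (client_ip, query_name) pairs from the DNS query log."""
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname")


def parse_arp(text):
    """Map IP -> MAC from ARP replies seen on the wire."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac")
    return table


def load_known_hosts(csv_text):
    """Hosts already inventoried (same shape as a host,type lookup)."""
    return {row["host"] for row in csv.DictReader(io.StringIO(csv_text))}


def find_linux_candidates(dns_text, arp_text, known_csv):
    """Return {ip: {"mac": ..., "evidence": [qnames]}} for hosts that are not
    in the known-hosts list and resolved a Linux-default NTP name."""
    known = load_known_hosts(known_csv)
    arp = parse_arp(arp_text)
    found = {}
    for src, qname in parse_dns(dns_text):
        if src in known or not linux_ntp_hint(qname):
            continue
        entry = found.setdefault(src, {"mac": arp.get(src, "unknown"), "evidence": []})
        if qname not in entry["evidence"]:
            entry["evidence"].append(qname)
    return found


# Constructed sample data: one Ubuntu client, one Debian client, one Windows
# client, one Mac, and a Fedora box that is already in the known-hosts list.
DNS_LOG = """\
2024-05-01T08:00:01Z src=10.0.0.15 query=ntp.ubuntu.com type=A
2024-05-01T08:00:02Z src=10.0.0.20 query=time.windows.com type=A
2024-05-01T08:00:05Z src=10.0.0.31 query=2.debian.pool.ntp.org type=A
2024-05-01T08:00:07Z src=10.0.0.40 query=time.apple.com type=A
2024-05-01T08:00:09Z src=10.0.0.15 query=archive.ubuntu.com type=A
2024-05-01T08:00:11Z src=10.0.0.50 query=0.fedora.pool.ntp.org type=A
"""

ARP_LOG = """\
2024-05-01T07:59:58Z arp reply 10.0.0.15 is-at 52:54:00:aa:bb:01
2024-05-01T07:59:58Z arp reply 10.0.0.20 is-at 52:54:00:aa:bb:02
2024-05-01T07:59:59Z arp reply 10.0.0.31 is-at 52:54:00:aa:bb:03
2024-05-01T07:59:59Z arp reply 10.0.0.50 is-at 52:54:00:aa:bb:05
"""

KNOWN_HOSTS_CSV = """\
host,type
10.0.0.50,unix
10.0.0.20,windows
"""

if __name__ == "__main__":
    for ip, info in find_linux_candidates(DNS_LOG, ARP_LOG, KNOWN_HOSTS_CSV).items():
        print(f"{ip} ({info['mac']}): {', '.join(info['evidence'])}")
```

On the sample data this reports 10.0.0.15 and 10.0.0.31 with their MACs; the Fedora host is suppressed because it is already inventoried, and `archive.ubuntu.com` is ignored because only NTP names count as evidence here. The same logic maps onto a Splunk search over Stream DNS events: filter `query` against the same patterns, join the ARP table on the client IP, and exclude the lookup with `NOT [ | inputlookup ... ]`.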
Are you asking if Splunk can detect when someone walks into your workplace with a PC running Linux and connects to your network?
Hi @numeroinconnu123,
your request is rather generic, could you share some additional information?
Are you talking about servers that have the Universal Forwarder installed?
Are you talking about network traffic or access to a certain system?
Are these servers already sending their logs to Splunk or not?
Ciao.
Giuseppe
Hi @gcusello ,
The servers send their logs to Splunk.
I would like to know if there are Linux PCs that connect to the network. With what Splunk search can I find out?
Thanks
Hi @numeroinconnu123,
if you are already receiving logs from those servers, you have to run a simple search:
index=_internal
| stats count BY host
In this way you have all the servers that are sending logs to Splunk.
To have only the Linux servers, you have two ways:
If there's something in the hostname that lets you recognize them (e.g. the hostname is something like srvx-0001), you can add a filter to your search:
index=_internal host=srvx*
| stats count BY host
If you cannot recognize them from the naming convention, you should have a list of all your servers in a lookup and use it to filter your search. E.g. if you have a lookup called perimeter.csv with two fields, host and type, you could run something like this:
index=_internal [ | inputlookup perimeter.csv where type=unix | fields host ]
| stats count BY host
Ciao.
Giuseppe
Hello @gcusello
thank you for your answer.
The problem is not the Linux servers.
I would like to know if there are Linux OSes connecting to my network, not the Linux servers.
Hi @numeroinconnu123,
the questions are the same.
Anyway, if you have a list of your known systems, you could exclude the known ones and list the remaining:
index=_internal NOT [ | inputlookup perimeter.csv | fields host ]
| stats count BY host
Ciao.
Giuseppe