Security

IT Block signing reports tampered data

efo
Engager

Hi,
I have just enabled Data Block Signing on two of my indexes, but when I now try to verify them with "view" source the data shows up as "Detected possible tampering with this source.".

When enabling the data block signing I renamed the old indexes, added the renamed indexes to indexes.conf, and added blockSignSize = 100 to the (now empty) indexes.

Like this:

bin/splunk stop
mv 90d 90d-old
*edit indexes.conf adding blockSignSize=100 to 90d*
bin/splunk start

Thank you in advance

Espen

0 Karma

miapet
Engager

Thank you for the info dwaddle and herterich. When searching on SPL-38082 I can now see that this has been an issue since version 4.2.

/Mia

0 Karma

dwaddle
SplunkTrust

First of all, IT Data Block signing does not work with distributed search. If you have Splunk configured with a search head, or you are running a Splunk cluster, then you are using distributed search. http://docs.splunk.com/Documentation/Splunk/latest/Security/ITDataSigning

Also, the 6.0.1 release notes highlight a bug in BlockSignature that you may be running into as well:

BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)

If your problems with data block signing are not due to distributed search, and are not caused by the aforementioned bug, I would recommend a support case to help more fully diagnose the problem.

herterich
Explorer

I opened a case to solve the problem, because we are still using version 5. According to support and product management, IT data signing as it is today will be deprecated.

miapet
Engager

Hi,

Did any of you solve this? We are having the exact same problem when trying IT data block signing in our test environment.

This is what we did:

Stopped Splunk.

Moved all old events in main-index to a new index.

Activated blockSignSize=100 to [main] in indexes.conf.

Started Splunk.

Everything works as it should, except that Show Source says "Detected possible tampering with this source" on all events we check. We are running Splunk 5.0.6.

Have also tried re-indexing the main index by running splunk clean eventdata -index main on the indexer and splunk clean all on the forwarder, but that did not help.

Mia

0 Karma
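Both Espen's and Mia's posts describe the same manual procedure: stop Splunk, move the old index data aside, add blockSignSize to the index stanza in indexes.conf, start Splunk. The following is an added example (not code from the thread or from Splunk) that scripts the indexes.conf edit step idempotently, so the key is set exactly once per stanza and can be read back for verification before restarting. It assumes the plain "[stanza]" / "key = value" layout of Splunk .conf files; the sample indexes.conf it writes is constructed for the demo, and the homePath/coldPath/thawedPath values are placeholders, not real paths.

```sh
#!/bin/sh
# Added example: set and read back blockSignSize for one index stanza in an
# indexes.conf file. Not part of the original thread or of Splunk itself.
set -eu

# Print the blockSignSize value for INDEX in CONF, or "unset" if the key is
# absent from that stanza (or the stanza does not exist).
get_block_sign_size() {
    conf="$1"; index="$2"
    awk -v want="[$index]" '
        /^\[/ { in_stanza = ($0 == want) }          # track which stanza we are in
        in_stanza && /^[ \t]*blockSignSize[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")  # keep only the value
            print; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$conf"
}

# Set blockSignSize = SIZE for INDEX in CONF. Replaces an existing value in
# place, otherwise appends the key at the end of the stanza. Fails if the
# stanza is missing, so a typo in the index name cannot silently do nothing.
set_block_sign_size() {
    conf="$1"; index="$2"; size="$3"
    grep -q "^\[$index\]" "$conf" || { echo "no stanza [$index] in $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    awk -v want="[$index]" -v size="$size" '
        function flush() { if (in_stanza && !done) { print "blockSignSize = " size; done = 1 } }
        /^\[/ { flush(); in_stanza = ($0 == want) } # leaving a stanza: append if still unset
        in_stanza && /^[ \t]*blockSignSize[ \t]*=/ { print "blockSignSize = " size; done = 1; next }
        { print }
        END { flush() }                             # stanza was last in the file
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Demo on a constructed indexes.conf mirroring the thread's 90d / 90d-old layout.
demo() {
    dir=$(mktemp -d)
    conf="$dir/indexes.conf"
    cat > "$conf" <<'EOF'
[90d]
homePath = $SPLUNK_DB/90d/db
coldPath = $SPLUNK_DB/90d/colddb
thawedPath = $SPLUNK_DB/90d/thaweddb

[90d-old]
homePath = $SPLUNK_DB/90d-old/db
coldPath = $SPLUNK_DB/90d-old/colddb
thawedPath = $SPLUNK_DB/90d-old/thaweddb
EOF
    set_block_sign_size "$conf" 90d 100
    echo "90d:     $(get_block_sign_size "$conf" 90d)"       # 100
    echo "90d-old: $(get_block_sign_size "$conf" 90d-old)"   # unset
    rm -rf "$dir"
}

demo
```

Run the functions against a copy of indexes.conf before stopping Splunk, then diff the copy against the live file to confirm only the intended stanza changed; the read-back is also a cheap check that the renamed index (90d-old here) did not pick up the key by accident, which is the kind of mistake the "Detected possible tampering" message would otherwise leave you guessing about.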

herterich
Explorer

Hi Espen,

Did you find a solution for your problem? I still have the same issue but could not find any ideas about what the problem could be.

Regards
Christian

0 Karma