Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About BastianW
BastianW
Path Finder
Member since:
05-13-2011
06-05-2020
Community Statistics
| Posts | 21 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 5 |
| Member Since | 05-13-2011 |
Activity Feed
- Karma How to generate a server.pem key size of 2048? for rkilen. 06-05-2020 12:48 AM
- Karma Re: How to generate a server.pem key size of 2048? for jwiedow. 06-05-2020 12:48 AM
- Karma Splunk shows vulnerable to CVE-2012-4929 in my Nessus vulnerability scan, what is going on? for ahattrell_splun. 06-05-2020 12:46 AM
- Karma splunkd port 8089 CRIME vulnerability (CVE-2012-4929) for ww9rivers. 06-05-2020 12:46 AM
- Karma Re: The remote Windows host has at least one service installed that uses an unquoted service path. for jbsplunk. 06-05-2020 12:46 AM
- Got Karma for The remote Windows host has at least one service installed that uses an unquoted service path.. 06-05-2020 12:46 AM
- Got Karma for The remote Windows host has at least one service installed that uses an unquoted service path.. 06-05-2020 12:46 AM
- Got Karma for The remote Windows host has at least one service installed that uses an unquoted service path.. 06-05-2020 12:46 AM
- Got Karma for The remote Windows host has at least one service installed that uses an unquoted service path.. 06-05-2020 12:46 AM
- Got Karma for SplunkForwarder & TLS CRIME Vulnerabiliy. 06-05-2020 12:46 AM
- Posted Re: How to generate a server.pem key size of 2048? on Security. 04-18-2017 02:38 AM
- Posted Re: replace self signed certificates on Splunk forwarder on Getting Data In. 12-21-2014 04:21 PM
- Posted replace self signed certificates on Splunk forwarder on Getting Data In. 05-05-2014 04:57 AM
- Tagged replace self signed certificates on Splunk forwarder on Getting Data In. 05-05-2014 04:57 AM
- Tagged replace self signed certificates on Splunk forwarder on Getting Data In. 05-05-2014 04:57 AM
- Tagged replace self signed certificates on Splunk forwarder on Getting Data In. 05-05-2014 04:57 AM
- Tagged replace self signed certificates on Splunk forwarder on Getting Data In. 05-05-2014 04:57 AM
- Posted Re: SplunkForwarder & TLS CRIME Vulnerabiliy on Deployment Architecture. 06-11-2013 11:58 AM
- Posted Re: Allow only a specified SSL cipher in the splunk forwarder? on Getting Data In. 06-11-2013 10:10 AM
- Posted Re: Is there a way to disable SSL v2 for the forwarder mgmt port? on Security. 06-11-2013 06:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 4 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-18-2017
02:38 AM
Thanks. I followed the steps above, then stopped the Splunk forwarder service and renamed server.pem to server.pem.OLD in the folder C:\Program Files\SplunkUniversalForwarder\etc\auth and started again the service which created a new server.pem. The new one is now 4KB in size and no longer 3 KB.
... View more
12-21-2014
04:21 PM
Since such a long time still no answer. So is the Splunk provided way really the one to change the certificate by hand on all affected systems? I really would prefer if this could be done via the Splunk deployment server on a automated way. This would a really big time saver as the default certificate could be replaced on all connected systems without administrator help.
... View more
05-05-2014
04:57 AM
What is the process to create SSL NON self signed certificates on the splunk forwarders?
Currently when a splunk forwarder is installed on a Windows OS it will create a self signed certificate. However we do wish that a certificate from our own Microsoft CA is used.
The best way (if possible) would be if the splunk forwarder or the splunk deployment server could connect to our Microsoft CA and request these certificates. Or must we replace all these certificates constantly on all our windows hosts (we do have more then a handfull!!).
... View more
06-11-2013
11:58 AM
Some months passed now and the issue is still open (also with version 5.0.3) did somebody found a configuration that solve the issue?
... View more
06-11-2013
10:10 AM
Hello krugger,
I tried that, but its not working. We already use 5.0.3 as the forwarder but the issue mentioned in my first posting here stay the same (we already restarted the service after changing the settings).
Which file should we change? The default inputs.conf do not have a supportSSLV3Only value in place and the server.conf required to set the values in the
[sslConfig] section rather then [SSL].
... View more
06-11-2013
06:26 AM
Just an update here ... we changed that on the forwarder side and haven´t seen any issue so far.
... View more
06-11-2013
05:42 AM
Hello, our Nessus scanner show a issue with the 56 bit SSL ciphers which are allowed by the splunk forwarder:
Synopsis: The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor: Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Output
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES(56) Mac=SHA1
TLSv1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Plugin Publication Date: 2009/11/23
Plugin Last Modification Date: 2012/04/02
It looks like we can change the inputs.conf:
[SSL]
# default cipher suites that splunk allows. Change this if you wish to increase the security
# of SSL connections, or to lower it if you having trouble connecting to splunk.
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
with some values from OpenSSL as mentioned here: http://www.openssl.org/docs/apps/ciphers.html but I´m unsure about the vaules Splunk would allow here.
... View more
01-23-2013
01:36 AM
Great thanks for the information.
... View more
12-14-2012
01:07 AM
Thanks for the link, but from my side it refers more to the Splunk Server rather then the splunk forwarder client.
... View more
12-13-2012
11:41 PM
1 Karma
Hello,
since October 2012 our Nessus environment list a "TLS Crime Vulnerability" on all our Windows Server who have the (currently 5.0.1) Splunk Forwarder installed. Can that be solved via config (e.g. disable disable compression and / or the SPDY service)? If yes how?
Synopsis: The remote service has a configuration that may make it vulnerable to the CRIME attack.
Description
The remote service has one of two configurations that are known to be required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.
Note that Nessus did not attempt to launch the CRIME attack against the remote service.
Solution
Disable compression and / or the SPDY service.
See Also
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
http://www.nessus.org/u?a1e45597
Risk Factor: Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#E:F/RL:OF/RC:C)
Plugin Output
The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :
- SSL / TLS compression is enabled.
CVE
CVE-2012-4929
CVE-2012-4930
BID
55704
55707
Cross-References
OSVDB:85926
OSVDB:85927
Vulnerability Publication Date: 2012/09/15
Plugin Publication Date: 2012/10/16
Plugin Last Modification Date: 2012/10/22
Public Exploit Available: True
... View more
12-13-2012
11:27 PM
Just updated to Splunk Forwarder 5.0.1 and I still have the same issue.
... View more
12-13-2012
11:23 PM
4 Karma
Hello,
I would like to report a vulnerability found with the latest Nessus Forwarder (5.0.1) installed on all our Windows Servers. We can solve that via registry change, but it would be nice if that will be fixed in a newer Nessus forwarder version.
To fix that by hand search for 'C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' in the registry. Once you found the service for it (it has a description key on top of this key). You need to add " in front and after it. Example "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
There is no reboot or restart required!
Synopsis: The remote Windows host has at least one service installed that uses an unquoted service path.
Description: The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.
Solution: Ensure that any services that contain a space in the path enclose the path in quotes.
See Also
:
http://isc.sans.edu/diary.html?storyid=14464
http://cwe.mitre.org/data/definitions/428.html
http://www.commonexploits.com/?p=658
Risk Factor: High
CVSS Base Score
7.2 (CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
6.5 (CVSS2#E:F/RL:W/RC:C)
Plugin Output
Nessus found the following service with an untrusted path:
SplunkForwarder : C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
... View more
09-11-2012
10:18 AM
Hello,
I´m currently try to Install "Splunk App for Microsoft Exchange". But where must I copy the "TA-Exchange-2010-xxxx" folders on my local exchange server?
The "What data the Splunk App for Microsoft Exchange collects" said:
If you are not using a deployment
server, you can locate the TA in
%SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\appserver\addons<TA-Name>
on the universal forwarder.
On the other side the "How to deploy the Splunk App for Microsoft Exchange" refers to:
the TA(s) must be manually copied to
%SPLUNK_HOME%\etc\apps on the Exchange
server(s)
So the question is now
1.)
need I extract the complete "Splunk App for Microsoft Exchange" ZIP file in the %SPLUNK_HOME%\etc\apps folder on my exchange server
or
2.)
need I extract only the "TA-Exchange-2010-xxxx" folders from the ZIP file to %SPLUNK_HOME%\etc\apps on my exchange server
or
3.)
Must I do something completely different?
Note:
We didn´t use a Splunk Deployment Server at the moment. So the changes must be done manually.
... View more
07-25-2012
09:01 AM
I would like to install splunk unattended and during the installation I would like to push out such settings.
... View more
07-25-2012
09:00 AM
not possible to do that "by hand"?
... View more
07-25-2012
04:46 AM
I have installed splunkforwarder-4.3.3-128297-x64-release.msi and this didn´t fix the issue (I also use "supportSSLV3Only = true" in my config).
In the Splunk Product Security Policy I couldn´t also not found anything which is related to the issue above. The issue you refer to seamed to be a "old" SSL issue which didn´t apply here.
... View more
07-25-2012
04:39 AM
Hello,
how can I set the "supportSSLV3Only = true" (= false is the default) via CLI in the server.conf? This must be done one a lot of servers and it is very time consuming to do that on every one by hand.
... View more
07-24-2012
08:34 PM
Our Nessus scan is currently mention the following issues for a service running on port 8089 (which is the splunk forwarder). The complete issue is:
*Synopsis:
The remote service allows repeated renegotiation of TLS / SSL connections.
Description
:
The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
Solution
:
Contact the vendor for specific patch information.*
How can we solve that?
... View more
07-24-2012
08:23 PM
thanks for sharing, we had the same issue here (The splunk forwarder installed on our server was listening to 8089). Did you saw some "side effects" once you changed that?
... View more
08-04-2011
09:22 AM
When in August could we expect the Exchange 2010 support? It would be a great feature for us if we could use Splunk for that.
... View more
05-13-2011
10:42 PM
I´m running Splunk 4.x here and would like to import out flat file MS Exchange eMail tracking files into splunk. BUT it seamed there is no plugin available. Only a old one for splunk 3.x and exchange 2003 can be found.
Has anybody managed to import the eMail tracking files into splunk?
... View more
- Tags:
- exchange
