Security

Splunk and Port Mirroring

bin00010111
New Member

I have 2 options to get my data indexed.

I am using a Mikrotik router. I can do packet sniffer/streaming options to wireshark. (I don't care for this idea)

OR

If i do port mirroring to splunk, what port does it come in on? Is there any way to capture this with splunk? Without being so specific? If I say tcp port 80, then only that gets caught, but I want all of it to get caught by splunk.

Tags (2)
0 Karma
1 Solution

Ayn
Legend

It sounds to le like you're mixing up concepts a bit. Splunk is not a network packet monitor. Neither is Squid. You might want to look at urlsnarf from the dsniff tools, or or justsniffer and then if you want you can configure Splunk to read the output.

EDIT: Note that you obviously won't be able to read whatever HTTPS traffic your users are generating. If you want to do that, you'll need to setup a proxy they go through and essentially perform a man-in-the-middle attack with on-the-fly generated certificates.

View solution in original post

bin00010111
New Member

OH NO!! No https stuff. Just trying to get insight as to what people are doing with their time so we can take action accordingly on the network.

I appreciate your help!!

0 Karma

Ayn
Legend

It sounds to le like you're mixing up concepts a bit. Splunk is not a network packet monitor. Neither is Squid. You might want to look at urlsnarf from the dsniff tools, or or justsniffer and then if you want you can configure Splunk to read the output.

EDIT: Note that you obviously won't be able to read whatever HTTPS traffic your users are generating. If you want to do that, you'll need to setup a proxy they go through and essentially perform a man-in-the-middle attack with on-the-fly generated certificates.

bin00010111
New Member

Okay, I have been trying to easily index and report on the websites vistied by users on my network.

I have tried untangle, which is AWESOME, BUT, doesnt play well with my network since I have mulitple subnets. Or my voip phones (because of the subnet issue)

I have thought about squid, but it's a caching/proxy. Do not want to redirect everything. Or have a server inline (Untangle)

I would just really like to port mirror evertything to an ip and the machine at that ip grab the data and report on it.

Tried wireshark, but it doesnt report that way I want. Untangle has the best reporting, just sucks it wont work well with my net and wants to be inline, i.e; Router-->Untangle-->Switch

Any ideas? Thanks for the help.

0 Karma

Drainy
Champion

I'm assuming you're looking to directly index packet data? You're probably best dedicating an interface as the the input and connect it to the mirrored / span port and then run something like tcpdump on the interface to collect the data and run it as a scripted input into Splunk.
Thats how I have done this in the past when doing some security research.

If that is what you are after then you need to also consider your license usage as this will destroy it, you may want to do some more filtering at a scripted/programmatic level before reading anything into Splunk

bin00010111
New Member

I agree, I do not want specific ports. I want to capture ALL that data. But because a port mirror just send data as-it-is to the ip, splunk cant sperate it from any other data I havee coming from another source. Maybe that should be in next release. Option to recieve a port mirror somehow.

Like having a 2nd nic in splunk server and all data on that nic if from the port mirror.

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

Splunk can monitor specific ports, but not an entire interface. It isn't meant to watch an entire interface like an IDS or a Firewall would do. What is the use case you're trying to address?

jbsplunk
Splunk Employee
Splunk Employee

Start here:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Splunk can monitor specific ports for traffic, though that isn't always the ideal approach.

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...