Block SSLv2 in SPLUNK

By default, SPLUNK allows SSL v2 for backwards compatibility. For security purposes, it is good practice to disable SSLv2. Other security requirements or standards may also require it be disabled. Among these are PCI and DISA STIG Compliance.

Assuming you have already enabled SSL on SPLUNK, you would edit the $SPLUNK_HOME/etc/system/local/web.conf and add the following line in the SSL settings portion.

supportSSLV3Only = True

This may cause problems with older browsers, but if they are that old they shouldn’t be allowed to connect anyway.

How to fix 'PropertyPagesException' what(): Cannot get user to act as: No user info provider registered

Yesterday we were given a task of changing the SSL levels for the web interface in SPLUNK. After doing so, we restarted SPLUNK. After attempting to log back in, we were greeted with the following crash report.

2012-02-15 18:05:14.916 +0000 splunkd started (build 115073) terminate called after throwing an instance of 'PropertyPagesException' what(): Cannot get user to act as: No user info provider registered (user: XXXXXXX, app: user-prefs, root:/opt/splunk/etc)

DNS Lookup on Fields in Splunk

You have your search, but it comes up with a bunch of IPs in the results. What are the host names? How do I translate this into usable data?
Lookups:
<Search> | lookup dnslookup clientip as <IP Field> OUTPUT clienthost as <Resolved Hostname>

So this could be:
<Search> | lookup dnslookup clientip as src_ip OUTPUT clienthost as My_Source_Host

Logging Spikes Alert for Splunk

We recently broke our license limits in Splunk. After going back to find out why, we found that we were being attacked and the firewalls were going crazy spitting out logs. We also found that we were able to find misconfigured devices based on log spikes. We typically log at let’s say 500kbps with a maximum of 700 kbps throughout the day. Taking this I can create a search to find the current rate of indexing. I then take that search and create an alert that will let me know if we spike over 800 kbps so I can go back and find out why we are logging so much.

How to find Brute Force \ Dictionary attacks on the network using Splunk

A simple search can easily alert you to the possibility of a brute force or dictionary attack on the network’s resources. Start by modeling your search. The idea here is to collect fields and terms by which to identify Authentication Failures.

Export to CSV in Splunk

Typically users can easily click on the export button and export data to .csv. For larger data sets, specifically anything with more than 10,000 lines, Splunk hides the export button and will not allow users to export the search results. This is a built-in safety feature that protects Splunk's performance and is designed to prevent a crash.

SPLUNK Top Hits by Country Report

Getting a lot of foreign computers knocking on your door causing network latency? This search will show the top countries of origin. This can be useful in determining firewall rules, to know your enemy, and just for fun information. To setup SPLUNK to run this search you will need to install the geoip package. amMap or Google Maps are great plugins if you want a more graphical representation.

Guardian Media Services

Guarding your IT Experience...

Splunk