Stamus Networks App for Splunk® is an application designed for Suricata sensors users, including SELKS users, and Stamus Security Platform users.
You can use the regular Splunk App installation procedure to install Stamus Networks App for Splunk®. You may have to install the Timeline App and URL Toolbox to display some of the visualizations.
After installing the application, you can directly use it if you are a Suricata sensors user and don't have a Stamus Security Platform (SSP).
When setting up the Splunk log collection (via Splunk forwarder or Spluk itself), you have to set the
source type to suricata. A typical entry in inputs.conf will look like:
[monitor:/var/log/suricata/eve.json]
disabled = false
index = mycustomindex
sourcetype = suricata
Note: Stamus Security Platform users have to choose Suricata as source type.
If you are using a custom index to store events, you will need to define which index to use by creating
a local/macros.conf file in the directory of the application. For an index named mycustomindex, it
should look like:
[stamus_index]
definition = index=mycustomindex
iseval=0
Stamus Security Platform users need to setup the connectivity with their Stamus Central Server (SCS).
To do so, you need to create a file local/ssp.conf under the application directory (/opt/splunk/etc/apps/stamus_for_splunk usually)
and setup the following:
[config]
api_key = SCS_TOKEN
base_url = https://SCS_ADDRESS
check_tls = no
The SCS_TOKEN can be generated from Stamus Central Server by going to Account Settings via the user icon on the top right
and selecting Edit token. Only read access is necessary so a user with low privilege can be used.
If you have a multi tenant instance of Stamus Security Platform, you need to select a tenant by adding the tenant stanza
in the configuration (using the numeric tenant ID).
Dashboards and reports containing Suricata in their name are designed for Suricata sensors and do not require a Stamus Security Platform.
The others dashboards require connectivity or data coming from a SSP installation.
Stamus Security Platform features a module named Host Insights that builds identity cards of IP addresses seen in the network without storing all raw events. This provides a concise view of the major attributes that can be linked to an IP address.
An host identification entry includes:
- List of hostnames associated with the IP
- List of usernames that connected to this IP
- List of network services
- List of HTTP user agents
- List of TLS agents (using JA3 technology)
- List of SSH agents
- List of application protocol used as agents
- List of Roles (Domain Controllers, DHCP Servers, Printers, ...)
All this information is associated with a first-seen and last-seen timestamp, so it is possible to know precisely when a username or a HTTP user agent was first seen on a given IP address.
The App adds a snhostsearch command that queries Stamus Security Platform REST API to fetch Host Insights entries
matching a filter. The following are examples of filters that may be applied to the Host Insights module:
To retrieve ALL Host Insights entries, simply enter:
| snhostsearch
To select using a filter:
| snhostsearch filter="hostname.host=zopenret.top services.port=443"
To retrieve the top hostname (by count of IP) running a service on port 443 and not in network internet:
| snhostsearch filter="services.port=443 net_info.agg!=internet"| spath "hostname{}.host" | top "hostname{}.host"
To get software version of all HTTP server in a network (here internet):
| snhostsearch filter="services.values.app_proto=http net_info.agg=internet"| spath "services{}.values{}.http.server" | top "services{}.values{}.http.server"
To get all requests to nginx server where client IP is running a service on port 9997:
| source="nginx.log" sourcetype="access_combined" | snhostfilter filter="services.port=9997" keys="clientip" | top clientip
This command is used to search in the services found on the network by Host Insights. For example, to list all the services that are TLS and that are not running on port 443, one can do:
search = | snservicesearch filter="services.values.app_proto=tls services.port!=443"
This command is used to display all host insights events for a filter. For example to get information about discovery time of all metadata on one IP:
| snlinearsearch filter="ip=10.0.0.1" | table timestamp ip event_type type value
The snhostfilter commands allow you to select only events where src_ip or dest_ip is in the host ID set defined by the filter.
The following search returns all alerts for hosts running a service on port 443.
event_type="alert" | snhostfilter filter="services.port=443"
The snhostlookup lookup resolves ip to hostname (and reverse) using the hostname information collected by SSP.
The following search returns all alert events and resolve destination ip to hostname.
event_type="alert"| lookup snhostlookup ip as dest_ip| stats count by hostname
List all Stamus offenders and resolve IP to name using host ID data:
event_type="stamus"| lookup snhostlookup ip as stamus.source| top stamus.source, hostname
Display all Stamus Threats events and output a table where asset IP has been resolved to name:
event_type="stamus" | lookup snhostlookup ip as stamus.asset | stats min(timestamp) as start_seen, max(timestamp) as last_seen by stamus.threat_id, stamus.asset, stamus.asset_net_info, hostname
The snservicesearch command searches in the Host Insights database and returns the list of services for the hosts
that match the provided filters.
List all services for host that run HTTP services that are not bound to port 80:
| snservicesearch filter="services.values.app_proto=http services.port!=80" | spath | search service.app_proto="http" service.port!=80
Alert events are not containing the content of the signature that did trigger them and this can be a problem during analysis. This Splunk App includes a lookup in Stamus Security Platform (or Scirius CE) that adds the content of the signature to the event. Here is a query example:
event_type = "alert"
| lookup sn_signature_lookup sid as alert.signature_id
| spath input=sig_info
| table src_ip, dest_ip, signature.content, signature.imported_date
Note: the metadata keyword is substituted in the content with sig_params to workaround a problem in Splunk.
- Only allow https connection to SCS
- Drill down in TLS dashboard
- Fix alert event type
- Multi tenant support (Stamus users)
- Remove snhreatfilter command (Stamus users)
- Add snservicesearch command (Stamus users)
- New TLS dashboards including TLS cipher suite analysis
- Add snlinearsearch (Stamus users)
- Stamus IP timeline using Host Insigths and DoC (Stamus users)
- Alert tag filtering on Stamus IDS dashboard (Stamus users)
- Stamus Policy Violations dashboard (Stamus users)
- Fix export of application variables
- Better filtering on data for Splunk with multiple data sources
- New SSP and Scirius CE lookup to see signature content in Splunk
- Fix form declaration
- Fix export of macros that was missing
- Update following renaming of Stamus Networks product
- Add file information dashboard
- Add anomaly dashboards
- Add drilldown to dashboards
- Minor fixes
- Splunk 7.x compatibility
- Better navigation
- Update colors
- Fix admin dashboard for multiple probes
- CIM 4.x compatibility
- keys option added to snhostfilter for easy cross source filtering
- rename all commands with a sn prefix for better completion
- performance optimizations of dashboards
- Improve IDS dashboards
- Fix timestamp picker in Suricata admin Dashboard
Fix errors and warnings found by Splunk AppInspect
Initial release.
Features:
- dashboards for Suricata and Stamus Security Platform from Stamus Networks
- snhostsearch: search host identification entries in Stamus Security Platform
- snhostfilter: filter query on host matching a request done in host identification entries
- snthreatfilter: resolves Stamus threat id to Stamus threat name
- snhostlookup: do ip to hostname resolution and reverse using host identification data