SQL Injection
Last year, I created an app template to detect whether your users went to a phishing web site where you would supply the app the sourcetype name of your proxy logs and the URL destination field where they went. You can still download this Phishing app template from Splunkbase. In the same manner, I have created an app template called SQL Injection Search that you can download from Splunkbase.
Install the app and provide either of the two form search dashboards the name of your sourcetype representing your web logs (e.g., access_combined) and the name of the field in the sourcetype that represents the URI query string (e.g., uri_query). One form search uses patterns to detect if possible…
Splunk Joins Public-Private Partnership to Improve Cybersecurity
Last week Splunk joined several other companies at U.S. NIST’s signing ceremony symbolizing our participation and partnership in the National Cybersecurity Center of Excellence (NCCoE).
There’s no doubt that there is a critical need to protect private-sector intellectual property and other valuable business data from a growing number of cyber threats. This partnership illustrates our commitment to the spirit of collaboration while providing real-world cybersecurity capabilities that address business needs.
The NCCoE has three key goals:
- Provide practical cybersecurity – Help people secure their data and digital infrastructure by equipping them with practical ways to implement cost-effective, repeatable and scalable cybersecurity solutions.
- Increase rate of adoption – Enable companies to rapidly adopt commercially available cybersecurity technologies by reducing their total
…
New Keyword App
One of the most common requests I get from new customers is that they want to centrally collect all their machine-generated time series data and search for a keyword like error or RuntimeException. Obviously Splunk can do this. Then the next set of questions concerns things like: give me the top hosts or applications producing this keyword; show me a baseline of last week vs. this week for this keyword; show me a slope line on the trend for this or any keyword(s); find outliers that go beyond the average occurrences for the keyword; and then try to predict what may happen in the future.
To answer these questions and then some, I’ve created an app template that you…
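The questions above (top hosts, last week against this week, a trend line, outliers, a forecast) are what the template's searches answer over indexed data. As an added Python example, not the app's own searches, here is the same arithmetic over a constructed fortnight of log events; the host names, the dates and the spike on one day are made up for illustration, and the threshold of two standard deviations is this example's choice:

```python
"""Added example (not the Keyword app's own searches): count a keyword per host
and per day over constructed log events, compare this week with last week,
fit a trend line, flag outlier days and extrapolate one day ahead."""
import re
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

KEYWORD = "RuntimeException"
THIS_WEEK_START = date(2013, 4, 8)   # constructed: last week is 2013-04-01..07


def make_sample_events():
    """Constructed (day, host, message) tuples, not real logs: app01 logs the
    keyword 3 times a day, app02 once, and app01 spikes to 23 on 2013-04-13."""
    events = []
    base = THIS_WEEK_START - timedelta(days=7)
    for day in range(14):
        d = base + timedelta(days=day)
        for _ in range(3 + (20 if day == 12 else 0)):
            events.append((d, "app01", "ERROR java.lang.RuntimeException: boom"))
        events.append((d, "app02", "WARN caught RuntimeException in worker"))
        events.append((d, "app02", "INFO request served"))
    return events


def count_keyword(events, keyword=KEYWORD):
    """Occurrences per (day, host), the equivalent of `... | stats count by date host`.
    Word boundaries mean a keyword of 'Exception' does not match inside 'RuntimeException'."""
    pattern = re.compile(r"\b" + re.escape(keyword) + r"\b", re.IGNORECASE)
    counts = defaultdict(int)
    for day, host, message in events:
        hits = len(pattern.findall(message))
        if hits:
            counts[(day, host)] += hits
    return dict(counts)


def top_hosts(counts):
    """Hosts ordered by total occurrences, highest first."""
    totals = defaultdict(int)
    for (_, host), n in counts.items():
        totals[host] += n
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def daily_series(counts):
    """[(day, total across hosts)] in date order; the series the trend is fitted to."""
    per_day = defaultdict(int)
    for (day, _), n in counts.items():
        per_day[day] += n
    return sorted(per_day.items())


def weekly_baseline(series, this_week_start=THIS_WEEK_START):
    """(last week's total, this week's total) for the 7 days either side of the boundary."""
    last_start = this_week_start - timedelta(days=7)
    next_start = this_week_start + timedelta(days=7)
    last = sum(n for d, n in series if last_start <= d < this_week_start)
    this = sum(n for d, n in series if this_week_start <= d < next_start)
    return last, this


def trend(series):
    """Least-squares (slope per day, intercept) of count against day index."""
    ys = [n for _, n in series]
    xs = list(range(len(ys)))
    xbar, ybar = mean(xs), mean(ys)
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    slope = sxy / sxx if sxx else 0.0
    return slope, ybar - slope * xbar


def outliers(series, k=2.0):
    """Days whose count exceeds the mean by more than k population std devs."""
    ys = [n for _, n in series]
    threshold = mean(ys) + k * pstdev(ys)
    return [d for d, n in series if n > threshold]


def predict(series, days_ahead=1):
    """Linear extrapolation of the fitted trend days_ahead past the last day."""
    slope, intercept = trend(series)
    return intercept + slope * (len(series) - 1 + days_ahead)


if __name__ == "__main__":
    counts = count_keyword(make_sample_events())
    series = daily_series(counts)
    print("top hosts:", top_hosts(counts))
    print("last week vs this week:", weekly_baseline(series))
    print("slope per day: %.3f" % trend(series)[0])
    print("outlier days:", [str(d) for d in outliers(series)])
    print("predicted next day: %.1f" % predict(series))
```

One thing the numbers show: a single spike lifts the least-squares slope (here to about 0.48 per day) even though the underlying rate is flat, so flag outliers first and consider excluding them before trusting a trend line or a forecast built on it.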
Seeing the Future of Cybersecurity in Action
Submitted on behalf of Enoch Long
On March 14th I presented an overview of Splunk to contestant finalists at the CyberPatriot V National Finals Competition at the Gaylord National Resort and Convention Center in National Harbor, Maryland, to approximately 125 – 130 students. Created by the Air Force Association (AFA), the CyberPatriot competition is a response to the critical need for cyber professionals in the workforce, enhancing high school students’ knowledge of careers in cyber security, technology, engineering, and math disciplines. Splunk was a Diamond level sponsor of the event. This meant that for the first time in the history of the competition a proprietary piece of software was allowed as part of the competition and…
That happened: episode 32
This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: Splunk can tell you if you have the Darkleech, the return of Answers from the past, ruining you for all other vendors, short but wise (like Yoda), badgers.
Splunking your apache logs?
Team regex helps you protect against the Darkleech malware:
<^Brian^> http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/
<@Splunky> ^Brian^’s URL: “Exclusive: Ongoing malware attack targeting Apache hijacks 20,000 sites | Ars Technica”
<^Brian^> fyi
<^Brian^> \/[a-f0-9]{32}\/q.php <- for those of you splunking your apache logs..regex to pick up the hijack
<jtrucks> ^Brian^: awesome, thanks.
<jtrucks> ^Brian^: so like this? rex _raw="\/[a-f0-9]{32}\/q.php"
<jtrucks> my brain will not engage today.
<^Brian^>…
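The pattern-based search described in the SQL Injection entry above and ^Brian^'s Darkleech regex are the same kind of check: a regular expression over a field extracted from web logs. As an added Python example, not the app's searches and not code from the channel, here are both run over constructed access_combined lines; the sample lines, the pattern names and the heuristic SQL injection patterns are this example's own, and the query string is URL-decoded before matching so that %27 and + cannot hide a payload from the patterns:

```python
"""Added example, not the SQL Injection Search app's searches nor the rex from
the IRC channel: parse constructed access_combined lines, extract uri_query,
URL-decode it, and flag likely SQL injection plus the Darkleech path pattern."""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines; hosts and requests are made up.
SAMPLE_LOG = [
    '10.0.0.7 - - [08/Apr/2013:10:15:01 -0700] "GET /products.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Apr/2013:10:15:03 -0700] "GET /products.php?id=42%27%20or%20%271%27%3D%271 HTTP/1.1" 200 81233 "-" "sqlmap/1.0"',
    '198.51.100.4 - - [08/Apr/2013:10:16:10 -0700] "GET /search?q=shoes+union+all+select+user%2Cpassword+from+users-- HTTP/1.1" 500 230 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Apr/2013:10:17:44 -0700] "GET /0123456789abcdef0123456789abcdef/q.php HTTP/1.1" 200 1210 "http://victim.example/" "Mozilla/5.0"',
    '10.0.0.7 - - [08/Apr/2013:10:18:00 -0700] "GET /search?q=sleep+sofa HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# Enough of the combined format to get clientip, the request URI and status.
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Heuristic patterns, applied to the decoded query string. Names are this
# example's own; tune them against your traffic before alerting on them.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"""(?i)\bor\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+""")),
    ("union_select", re.compile(r"(?i)\bunion\s+(?:all\s+)?select\b")),
    ("comment_terminator", re.compile(r"--\s*$|/\*")),
    ("stacked_query", re.compile(r"(?i);\s*(?:drop|insert|update|delete|exec|shutdown)\b")),
    ("sql_function", re.compile(r"(?i)\b(?:sleep|benchmark|load_file)\s*\(|\bwaitfor\s+delay\b|\binformation_schema\b")),
]

# ^Brian^'s pattern from the channel: a 32-hex-digit directory followed by q.php.
DARKLEECH_RE = re.compile(r"/[a-f0-9]{32}/q\.php")


def parse_access_line(line):
    """Split one access_combined line into fields, adding uri_path and a decoded uri_query."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    path, _, query = event["uri"].partition("?")
    event["uri_path"] = path
    # Decode %27 and + first: the raw query string hides the quote and spaces from the patterns.
    event["uri_query"] = unquote_plus(query)
    return event


def sqli_indicators(uri_query):
    """Names of the SQLI_PATTERNS that match the decoded query string, in list order."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(uri_query)]


def is_darkleech_path(uri_path):
    """True when the request path matches the Darkleech hijack pattern."""
    return DARKLEECH_RE.search(uri_path) is not None


def scan(lines):
    """(clientip, finding, detail) for every suspicious line; clean lines produce nothing."""
    findings = []
    for line in lines:
        event = parse_access_line(line)
        if event is None:
            continue
        hits = sqli_indicators(event["uri_query"])
        if hits:
            findings.append((event["clientip"], "sqli", ",".join(hits)))
        if is_darkleech_path(event["uri_path"]):
            findings.append((event["clientip"], "darkleech", event["uri_path"]))
    return findings


if __name__ == "__main__":
    for clientip, kind, detail in scan(SAMPLE_LOG):
        print(f"{clientip:<14} {kind:<10} {detail}")
```

The decoding step is the part most pattern lists forget: the uri_query field Splunk extracts from access_combined is still URL-encoded, so a search-time pattern has to either match the encoded forms as well or decode first (for instance with urldecode in a calculated field). The last sample line shows why sleep only counts when it is a call, sleep(, rather than a bare word: a search for sofas is not an injection.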
Splunkweb SSO – SAMLv2
SAMLv2 is becoming the de facto standard for achieving Single Sign-On (SSO) across disparate business systems. The Splunkweb SSO solution relies on the proxy layer of the front-end web container. Recently I have invested some time in how one can accomplish Splunkweb SSO by leveraging the identity contained in a SAMLv2 assertion. In this article I am going to give a rundown of how to perform Splunkweb SSO by authenticating to a SAMLv2-compliant identity provider (IdP). I assume the reader is familiar with federated identity terminology, such as IdP, Service Provider (SP), Circle of Trust (CoT), etc.
Indexing PCAP header data in Splunk
I am often asked, “can I store pcap headers in Splunk?”. My response is a somewhat useless, “that’s easy”. To which the inquirer says, “if it’s so easy, show me; right now”. OK. Fair point.
We’ll do all this from the command line but first a quick overview:
- Create a new index, pcaphead.
- Create a Splunk listener on UDP 5000.
- Run tcpdump to print the headers.
- Use netcat to send the headers to Splunk.
- Run a Splunk search.
This is what it looks like on the command line.
merza-mbp15:Downloads mmerza$ # add the index using the splunk password
merza-mbp15:Downloads mmerza$ /opt/splunk/bin/splunk add index pcaphead -auth admin:supersecret
merza-mbp15:Downloads mmerza$ #
…
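The five steps above as shell functions, added here as an example rather than the post's own command line, with one change to step 3: instead of relaying raw tcpdump text, each header line is rewritten as key=value pairs so Splunk extracts src, dst and ports on its own. Assumptions, all this example's: tcpdump is run with -nn -tttt (numeric addresses, full timestamps), only IPv4 headers are split into fields, Splunk lives under /opt/splunk, and credentials are passed as user:password in the first argument.

```sh
#!/bin/sh
# Added example, not the post's own command line: the five steps as shell
# functions. pcap_to_kv turns tcpdump header lines into key=value events so
# Splunk extracts the fields automatically. Assumed: tcpdump -nn -tttt output,
# IPv4 only, Splunk under /opt/splunk, credentials given as user:password in $1.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"     # assumed install path
SPLUNK_HOST="${SPLUNK_HOST:-127.0.0.1}"       # where the UDP listener runs
SPLUNK_UDP_PORT="${SPLUNK_UDP_PORT:-5000}"

# Steps 1 and 2: create the index and a UDP listener bound to it (run once).
setup_splunk() {
  "$SPLUNK_HOME/bin/splunk" add index pcaphead -auth "$1"
  "$SPLUNK_HOME/bin/splunk" add udp "$SPLUNK_UDP_PORT" \
      -sourcetype pcaphead -index pcaphead -auth "$1"
}

# Rewrite tcpdump header lines (stdin) as key=value events (stdout).
# "2013-04-08 10:22:31.123456 IP 10.0.0.5.51234 > 93.184.216.34.80: Flags [S], ..."
# becomes time="..." proto=IP src=10.0.0.5 sport=51234 dst=93.184.216.34 dport=80 info="..."
# Anything that is not an IPv4 header (ARP, IP6, ...) is kept whole as raw="...".
pcap_to_kv() {
  awk '
    # tcpdump prints host.port; the last dotted component is the port.
    function ip_of(s,    n, a, i, ip) {
      sub(/:$/, "", s); n = split(s, a, "[.]")
      ip = a[1]; for (i = 2; i < n; i++) ip = ip "." a[i]
      return ip
    }
    function port_of(s,    n, a) { sub(/:$/, "", s); n = split(s, a, "[.]"); return a[n] }
    $3 == "IP" && $5 == ">" {
      info = ""
      for (i = 7; i <= NF; i++) info = info (i > 7 ? " " : "") $i
      printf "time=\"%s %s\" proto=IP src=%s sport=%s dst=%s dport=%s info=\"%s\"\n",
             $1, $2, ip_of($4), port_of($4), ip_of($6), port_of($6), info
      next
    }
    { printf "time=\"%s %s\" proto=other raw=\"%s\"\n", $1, $2, $0 }
  '
}

# Steps 3 and 4: capture headers only (no payload) and relay them over UDP.
# Needs root for tcpdump; -l keeps the pipe line-buffered so events arrive live.
capture_and_send() {
  tcpdump -i "${1:-en0}" -nn -tttt -l | pcap_to_kv | nc -u "$SPLUNK_HOST" "$SPLUNK_UDP_PORT"
}

# Step 5: a search over the result, now that dst and dport are real fields.
search_splunk() {
  "$SPLUNK_HOME/bin/splunk" search 'index=pcaphead proto=IP | stats count by src dst dport' -auth "$1"
}
```

Usage: source the file, then setup_splunk admin:yourpassword once, capture_and_send en0 in one terminal and search_splunk admin:yourpassword in another. UDP gives no delivery guarantee, so a busy interface will drop events under load; that is acceptable for a quick look at headers, but not for anything you intend to alert on.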
More Breaches and More Accusations Against the Chinese
This past week several very prominent American news organizations publicly admitted having their computer systems hacked into, and explicitly blamed the Chinese government:
“Chinese hackers suspected in attack on The Post’s computers” – The Washington Post
“A Cyberattack From China” – The New York Times
“Chinese Hackers Hit U.S. Media” – The Wall Street Journal
There are several aspects of these events that seem to herald a change in this now familiar story of computer breaches reportedly being conducted by the Chinese. First is the public acknowledgement of the targeting of an apparent industry / sector – by that sector itself. (Obviously, the oil and financial services sectors have been explicitly targeted previously, but companies within those sectors did not…
Another Wireless Security Problem
For years now, information security professionals have worried about the security of wireless connectivity to our organizational networks. “Wireless” has typically been defined, informally at least, as Wi-Fi. We have tended to discount security concerns about Bluetooth because of its supposedly short range – officially stated as approximately 1 to 100 meters, depending upon the class of the device. That is in spite of the known threat of so-called Bluesniping. (See, for example, “‘Rifle’ Sniffs Out Vulnerability in Bluetooth Devices”.)
Because most Wi-Fi WAPs (wireless access points) have very limited processing and storage capabilities, authentication to WAPs is generally handled as a shared secret by the WAP itself, or through the external interface of a firewall connecting to an internal…
Structured Threat Information eXpression (STIX)
As we enter a new year, there is an acronym that you need to be familiar with: STIX. STIX is the Structured Threat Information eXpression language; it is not a program, policy, system, or application. It is XML for security.
The goal of STIX is to automate the sharing of cyber attack information. And, while the language is new, the concept is not. In fact, we’ve already been down this path at least twice before. ‘First’ (though there may have been earlier efforts) we had IODEF, the Incident Object Description Exchange Format (RFC 5070), in December 2007. Then we had RID, Real-time Inter-network Defense (RFC 6045, with its transport in RFC 6046), in November 2010.
So, while there is clearly a need to automate this…