Splunk at the Wall for DEF CON 23

Every year since 1992, security geeks and nefarious hacker types have descended upon Las Vegas for DEF CON, a hacking conference that started with hackers and crackers phreaking AT&T payphones. Twenty-three years later, this pilgrimage has changed, it’s much bigger now and sadly plain old telephone systems (POTS) have taken somewhat of a back seat. Despite the fact that the rumors of cancellation flew around again this year (as it does every year) DEF CON 23 did indeed take place and Splunk was there. In this blog post and the next, I’ll describe what we (Splunk and the Security Practice) did at DEF CON, how we did it, and what is coming next!

Let me begin by describing a bit about what the Wall of Sheep is. The Wall of Sheep has been a fixture of DEF CON for years and the group’s goal is an altruistic one; to educate the attendees on the dangers of using unencrypted and insecure networks and network protocols. They do this by capturing network data traversing the DEF CON unencrypted wireless network (also referred to as the “hostile network”), which is setup to provide Internet access during the conference. To be fair an encrypted wireless network does exist, so the conference attendees do have a somewhat safer option (albeit no guarantee of safety). Anyway, from the captured data, the Wall of Sheep crew pulls user names, passwords, and protocols such as HTTP, FTP and POP3 from unencrypted protocols. It then displays this information (the passwords are partially obscured) on a wall, in what has become known as The Packet Village.


Enter Splunk

This year was Splunk’s third year sponsoring the Wall of Sheep and a great time was had by all (except maybe for those who were careless with their electronic devices). I personally enjoyed and appreciated the educational aspect of Wall of Sheep and am proud to be part of an organization that supports it. One of the side benefits of sponsoring the WoS is that we have access to a span port on the “hostile network”. We use this span port to see what’s going across the network and of course use the nuggets of personally identifiable information (PII) we find to show in more detail, exactly what the users of the network are sending over the wire (and air).

groupedFigure 1 – Example of a dashboard we used during Wall of Sheep



Tools Utilized

Of course, our primary software tool for collecting, searching, and analyzing the data was Splunk Enterprise. All other software is either offered free by Splunk or is open-source.

Splunk Stream

Beyond Splunk Enterprise, the most valuable component of our capture and analyze session was a free Splunk product called Stream. Stream captures and parses network data directly from the wire, as well as from existing pcap files, captured previously with other tools, such as tcpdump. Stream is exceptionally easy to configure and use, outputting the data that it captures into Splunk in json format. The fields that it extracts align with the Splunk Common Information Model format (CIM), so it integrates well with other Splunk apps that utilize the CIM data models, such as Splunk Enterprise Security. In the case of Wall of Sheep we merely pointed Stream to an ethernet port that was connected to a span port.


Bro is an open-source network security monitor that also listens on the wire for data. It performs analysis on a number of interesting protocols and by default, outputs data to ASCII text files that we can easily pull into Splunk and normalize with search-time field extractions, with the supported Splunk Technology add-on (TA) for Bro.


The last of the major apps that we used for monitoring the network is the venerable Snort IDS. Snort gave us some quick analysis and pattern matching, which we brought into Splunk and parsed, using the Splunk Add-On for Cisco FireSIGHT. However, it should be noted we did do some custom modifications of the TA to work with our dashboards.

Other supporting Add-Ons

URL Toolbox

The URL toolbox is one of my favorite add-ons and is invaluable when working with URLs. It allows a Splunk user to parse HTTP requests and DNS queries and perform meaningful analytics on that data.


So that’s a brief overview of our role at the Wall of Sheep during DEF CON 23. The next installment on this topic will go over the app our team created, what you’re able to do with it, and where you can find it. I think this app will be an eye opener for people who don’t know what is going across networks and we hope to use it at many events to come. Talk to you soon.

Steve Brant
Posted by Steve Brant

Join the Discussion