SPLUNK LIFE

Indexing PCAP header data in Splunk

I am often asked, “can I store pcap headers in Splunk?”. My response is a somewhat useless, “that’s easy”. To which the inquirer says, “if it’s so easy, show me; right now”. Ok. Fair point :)

We’ll do all this from the command line but first a quick overview:

– Create a new index, pcaphead.
– Create a Splunk UDP listener on port 5000.
– Run tcpdump to print the headers.
– Use netcat to send the headers to Splunk.
– Run a Splunk search.

This is what it looks like on the command line.

merza-mbp15:Downloads mmerza$ # add the index using the splunk password
/opt/splunk/bin/splunk add index pcaphead -auth admin:supersecret
# add the listener specifying a new sourcetype and the index
/opt/splunk/bin/splunk add udp 5000 -sourcetype pcapheader -index pcaphead -auth admin:supersecret
# run tcpdump and pipe its text output to netcat, which sends it over UDP to the Splunk listener
tcpdump -tttt -nn -r 0C921935F0880B5C2161B3905F8A3069.pcap \
| nc -u 192.168.4.200 5000
^C

The output from the above commands is:

Index "pcaphead" added.
Listening for UDP input on port 5000.
reading from file 0C921935F0880B5C2161B3905F8A3069.pcap, link-type EN10MB (Ethernet)
^C

We run a Splunk search that extracts the destination IP and port from each event and counts events by destination IP and destination port:

merza-mbp15:Downloads mmerza$ /opt/splunk/bin/splunk search
'index="pcaphead" 
| rex field=_raw "> (?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.(?<dst_port>\d+)"
| stats count by dst_ip dst_port'

The output of above:

Preview of: index="pcaphead" 
| rex field=_raw "> (?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.(?<dst_port>\d+)"
| stats count by dst_ip dst_port
dst_ip dst_port count
-------------- -------- -----
1.172.19.122 80 122
1.173.161.207 80 74
1.175.227.137 80 7
1.177.15.190 80 10
2.133.108.18 80 15
2.134.220.217 80 15
2.134.23.57 80 60
...snip...

The pcap is for Trojan ‘Nap’, aka Kelihos/Hlux. Props to the Contagio blog for posting the pcap and other intel:
http://contagiodump.blogspot.com/2013/02/trojan-nap-aka-kelihoshlux-status.html

Some things I ignored:
I put the password on the command shell. Not a best practice. But it makes explaining things easier.
I didn’t write a proper props.conf file to parse the fields in the tcpdump text output.
Running a search like, index=pcaphead, without some other strings is a bad idea but this is an illustration.
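The rex above only matches lines that carry an IPv4 “src.port > dst.port” header, and it counts every packet in both directions. The following added example (my own code, not part of the original post) does the same extraction and count offline on constructed tcpdump -tttt -nn lines, so you can check what the search will return before shipping data to Splunk; it also shows the effect of counting only TCP SYNs.

```python
import re
from collections import Counter

# tcpdump -tttt -nn prints "YYYY-MM-DD HH:MM:SS.usec IP src.port > dst.port: ..." for IPv4
# TCP/UDP; ARP and other link-layer lines have no "> a.b.c.d.port" part and are skipped.
# Splunk's rex uses PCRE "(?<name>...)"; Python's re needs "(?P<name>...)".
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    rf"(?P<src_ip>{IPV4})\.(?P<src_port>\d+) > "
    rf"(?P<dst_ip>{IPV4})\.(?P<dst_port>\d+):"
    r"(?: Flags \[(?P<flags>[^\]]+)\])?"
)

# Constructed sample lines in tcpdump -tttt -nn format (not taken from the Nap pcap).
SAMPLE = """\
2013-02-20 10:15:01.123456 IP 192.168.1.5.49152 > 1.172.19.122.80: Flags [S], seq 1, win 65535, length 0
2013-02-20 10:15:01.234567 IP 1.172.19.122.80 > 192.168.1.5.49152: Flags [S.], seq 9, ack 2, win 8192, length 0
2013-02-20 10:15:02.000001 IP 192.168.1.5.49152 > 1.172.19.122.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79
2013-02-20 10:15:03.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.5, length 28
2013-02-20 10:15:04.000001 IP 192.168.1.5.49153 > 1.173.161.207.80: Flags [S], seq 3, win 65535, length 0
2013-02-20 10:15:05.000001 IP 192.168.1.5.53241 > 8.8.8.8.53: 4711+ A? example.com. (29)
"""

def parse_line(line):
    """Header fields of one tcpdump line, or None if it has no IPv4 src.port > dst.port header."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d

def count_by_dst(text, syn_only=False):
    """Equivalent of '| stats count by dst_ip dst_port'. With syn_only=True only TCP SYNs
    (flags exactly 'S') are counted, so replies and data packets do not inflate the totals."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_line(line)
        if d is None:
            continue
        if syn_only and d["flags"] != "S":
            continue
        counts[(d["dst_ip"], d["dst_port"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for (ip, port), n in sorted(count_by_dst(SAMPLE).items()):
        print(f"{ip:<16}{port:<8}{n}")
```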

If you find this sort of post useful, or related to something, please leave a comment. If you don’t find it useful, leave a comment any way 😉

Posted by Monzy Merza

Monzy Merza serves as the head of security research at Splunk. With over 15 years of cybersecurity leadership in government and commercial organizations, Monzy is responsible for helping advise and implement strategic security programs for Splunk’s cybersecurity customers, working hand-in-hand with executives across the Fortune 500 to develop modern security architectures. Monzy is also responsible for leading the Splunk Cyber Research team, which arms Splunk customers with actionable threat intelligence to combat advanced threats. A noted international speaker, Monzy frequently presents at government and industry events on topics such as nation state threat defense and machine learning. His current security research is focused on integrated approaches to human-driven and automated responses to targeted cyberattacks
