Analyzing & Visualizing Brute force attacks using Splunk Enterprise

In this article we deploy Splunk Enterprise 6.5.2 on Ubuntu 16.04 LTS and see how Splunk can be used to analyze logs to detect hacking attempts.

1. Download the latest Splunk Enterprise release from the Splunk portal, untar it and change to the Splunk directory:
$tar xvzf splunk-6.5.2-67571ef4b87d-Linux-x86_64.tgz
$cd splunk

2. Set the environment variable 'SPLUNK_HOME'

3. Start the Splunk server

4. Accept the license agreement

5. Splunk server started successfully

6. The Splunk web console is accessible at 127.0.0.1:8000

7. Use the default user and password details to log in (admin:changeme). During login you will be prompted to change the default password

8. Enable HTTPS for the Splunk web console (console -> Settings -> General -> Enable SSL -> Yes) and restart the server

9. After restarting the server, the console is served over 'https://'

10. Upload log files of the sample application to study the hacking attempts.

11. Log files are uploaded successfully.

12. Indexed sample data can be now searched in 'Search & Reporting' app in web console.

13. The Patterns tab shows that 5.41% of the login events fall into an abnormal 'failed' category, which represents hacking activity

14. Click the 'View Events' link to select only the login failed events

15. Let's extract two custom fields ('username' and 'clientip') from the events. Select the 'All Fields' link to view all the available fields.

16. Select the 'Extract New Fields' link and follow the extraction wizard to create the custom fields 'username' and 'clientip'

17. For visualization, let's run a search that aggregates the login failure events and generates a login failure count

18. Select the 'Single Value Visualization' format from the Visualization tab

19. Save it as a Report

20. Add to Dashboard

21. Save as Dashboard Panel

22. Dashboard created

23. Repeat steps 17 to 22 for the search string 'sourcetype=secure failed "invalid user" | stats count'. It provides the count of login failures for non-existent (invalid) accounts

24. Repeat steps 17 to 22 for the search string 'sourcetype=secure failed NOT "invalid user" | stats count'. It provides the count of login failures for existing (valid) accounts

25. The Dashboard now shows the total number of failed login attempts, split into attempts against invalid accounts and against valid accounts.
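To show what the three dashboard searches and the two field extractions actually compute, here is an added example (not part of the original article) that applies the same logic in Python to a few constructed lines in the OpenSSH 'secure' log format the article indexes; the log lines, host name and IP addresses are made up, and the per-IP threshold is an assumption added to illustrate how the extracted 'clientip' field turns raw counts into a brute-force indicator.

```python
import re
from collections import Counter

# Constructed sample lines in the OpenSSH "secure" log format (sourcetype=secure).
SAMPLE_LOG = """\
Mar  5 10:12:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  5 10:12:03 web01 sshd[1201]: Failed password for invalid user oracle from 203.0.113.5 port 51124 ssh2
Mar  5 10:12:04 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar  5 10:12:06 web01 sshd[1205]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Mar  5 10:12:09 web01 sshd[1209]: Accepted password for alice from 198.51.100.9 port 40020 ssh2
Mar  5 10:12:11 web01 sshd[1211]: Failed password for invalid user test from 203.0.113.5 port 51140 ssh2
"""

# Equivalent of the article's two field extractions ('username' and 'clientip'),
# plus the "invalid user" marker that separates the two dashboard panels.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<username>\S+) from (?P<clientip>\S+) port"
)

def parse_failed_logins(log_text):
    """Return one dict per 'Failed password' event; other lines are skipped, like the 'failed' search filter."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({
                "username": m.group("username"),
                "clientip": m.group("clientip"),
                "invalid_user": m.group("invalid") is not None,
            })
    return events

def dashboard_counts(events):
    """Mirror the three single-value panels: total failures, invalid accounts, valid accounts."""
    invalid = sum(1 for e in events if e["invalid_user"])
    return {"total": len(events), "invalid_user": invalid, "valid_user": len(events) - invalid}

def failures_by_clientip(events, threshold):
    """Count failures per source IP and keep those at or above the threshold (a brute-force indicator)."""
    counts = Counter(e["clientip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG)
    print(dashboard_counts(evts))          # {'total': 5, 'invalid_user': 3, 'valid_user': 2}
    print(failures_by_clientip(evts, 3))   # {'203.0.113.5': 4}
```

In Splunk the per-IP view is the same idea as the article's searches with a grouping clause, e.g. 'sourcetype=secure failed | stats count by clientip', which is only possible once the 'clientip' field has been extracted as in steps 15 and 16.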

So far, we have seen how to set up Splunk Enterprise and how to analyze application logs to interpret and visualize brute force attempts.

Thank you.
