The (Python) Splunk application behind Project Bitfl1p
Project Bitfl1p: bf-splunk

The Splunk application behind Project Bitfl1p

Installation

- Define the SPLUNK_HOME directory:

  ```
  export SPLUNK_HOME=/opt/splunk
  ```

- Clone the bf-splunk application into the Splunk apps directory:

  ```
  git clone git@github.com:innoying/bf-splunk.git $SPLUNK_HOME/etc/apps/bf-splunk
  ```

- (Re)start Splunk so that the app is recognized:

  ```
  $SPLUNK_HOME/bin/splunk restart
  ```

- Optionally, install the Splunk_TA_Bro application for Bro logs. You may have to patch the BroAutoType stanza in transforms.conf so that the Bro log files are matched:

  ```
  REGEX = ([a-zA-Z0-9]+)\.[0-9:]+-.[0-9:]+\.log
  ```

- In the Splunk web interface, from the App menu, select the "Project Bitfl1p" application.

Queries

Determine which type of flip most commonly results in a connection (HTTP and SSL, excluding traffic to the project's own bitfl1p.com hosts and SMTP on port 25):

```
index = "bro" AND sourcetype="bro_http" AND extracted_host != "*.bitfl1p.com" | top dest_ip
index = "bro" AND sourcetype="bro_ssl" AND server_name != "*.bitfl1p.com" AND dest_port != 25 | top dest_ip
```
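The queries above rank destinations, but deciding which flip a captured hostname represents is done outside Splunk. As an added example (not code from bf-splunk), the following Python classifies a hostname seen in the Bro logs as a single-bit flip of a target domain and tallies the flip types, the same ranking `| top` performs; the sample hosts and the target list are constructed.

```python
# Added example (not part of bf-splunk): classify a bitsquat hostname seen in
# Bro http/ssl logs against the domain it was flipped from, then tally which
# flips show up most often, mirroring the "| top" in the queries above.
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

def single_bit_flip(observed: str, original: str) -> Optional[Dict[str, object]]:
    """Return {position, original, observed, bit} when `observed` differs from
    `original` in exactly one bit of exactly one character, else None.
    Hostnames are lowercased first: a flip of bit 5 in a letter only changes
    case, which DNS treats as the same name, so it is not a distinct squat."""
    observed, original = observed.lower(), original.lower()
    if len(observed) != len(original):
        return None
    diffs = [(i, o, c) for i, (o, c) in enumerate(zip(original, observed)) if o != c]
    if len(diffs) != 1:
        return None
    pos, orig_ch, obs_ch = diffs[0]
    xor = ord(orig_ch) ^ ord(obs_ch)
    if xor & (xor - 1):          # more than one bit set: not a single-bit flip
        return None
    return {"position": pos, "original": orig_ch, "observed": obs_ch,
            "bit": xor.bit_length() - 1}

def top_flip_types(hosts: Iterable[str], targets: Iterable[str]) -> List[Tuple[Tuple[str, str, int], int]]:
    """Count (original char, observed char, bit index) for every host that is
    a single-bit flip of one of `targets`; unrelated hosts are ignored."""
    targets = list(targets)
    counts: Counter = Counter()
    for host in hosts:
        for target in targets:
            flip = single_bit_flip(host, target)
            if flip:
                counts[(flip["original"], flip["observed"], flip["bit"])] += 1
                break
    return counts.most_common()

# Constructed sample of extracted_host values, not real log data.
SAMPLE_HOSTS = ["applg.com", "applg.com", "appld.com", "apple.com", "www.example.com"]
TARGETS = ["apple.com"]

if __name__ == "__main__":
    for flip_type, n in top_flip_types(SAMPLE_HOSTS, TARGETS):
        print(flip_type, n)   # (('e', 'g', 1), 2) then (('e', 'd', 0), 1)
```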

server-bag requests (Apple devices fetching configuration from the squatted applg.com domain):

```
index = "bf_www" AND (httpHost = "*applg.com" OR httpHost = "*apple.com") AND userAgent = "server-bag *" | top src
```

Transaction localIP (correlate web requests to localIP.api with the bf_api localip records within one minute):

```
(index="bf_www" httpHost="www.bitfl1p.com" url="POST /localIP.api *") OR (index = "bf_api" AND sourcetype = "bf_api_localip") | transaction maxspan=1m _time | search ASName != "NONE" | top limit=100 ASName, localIP
```