SNMP and splunk

CSUG September 2015 splunk> + SNMP

Page 1: SNMP and splunk

Page 2: SNMP and splunk

About Me

Ashley Hartge (https://au.linkedin.com/in/ashleyhartge)

Not a professional speaker / presenter

19+ years full-time in the IT Industry
7+ years in Managed Network Security space
Senior Network Security Engineer, Verizon – Global Commercial MSS Provider
splunk> user since 2009 (personal & prof.)
Active Verizon splunk> evangelist (APAC & US)

Page 3: SNMP and splunk

The Journey …

Verizon - Global Commercial MSS Provider
In-house SIEM product for many years
Legacy selection of pre-canned reports
Increasing need for dynamic ad-hoc reports, internal & customer driven
Difficult & rigid ETL process (release cycles): any change needs development / release work
Manually craft DB query -> CSV -> pivot table …
Needed reporting at the speed of thought

Page 4: SNMP and splunk

The Journey …

Using splunk for home / lab networks … why not see what can be done for our reports …

Old SOC workstation
Download & install splunk eval
Ingest a day’s incidents
Build reports
Blow management’s mind with visibility
Splunk grabs a foothold … the rest is history

Page 5: SNMP and splunk

Agenda

Secondary use-case after deploying splunk: IT Ops | CMDB | Process Auditing | Tracking

Basic SNMP polling using splunk>
Distributed deployment with remote collection
Large scale scripted collection

Page 6: SNMP and splunk

Basic SNMP Polling with splunk>

Simplest deployment: a single splunk> instance directly polling the end device

Page 7: SNMP and splunk

Install SNMP Modular Input

https://splunkbase.splunk.com/app/1537/

Page 8: SNMP and splunk

Configure Input

Page 9: SNMP and splunk

Distributed Deployment

Expand our single instance, with forwarders remotely collecting SNMP data

Page 10: SNMP and splunk

Install Forwarders

Setup Receiving port on Indexer

Install Forwarder

Page 11: SNMP and splunk

Install Forwarders

Configure Forwarding to your indexer

Unzip & Install SNMP Modular input on Universal Forwarder

Page 12: SNMP and splunk

Configure snmp_ta/local/inputs.conf

Configure /local/inputs.conf on the Forwarder with the community string & OIDs for polling.
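What that inputs.conf stanza looks like, and how to generate it from an asset list instead of hand-editing it on each forwarder. This is an added example, not the talk's configuration or the snmp_ta app's own code. The stanza keys (destination, port, snmp_version, communitystring, v3_securityName, v3_authKey, v3_privKey, v3_authProtocol, v3_privProtocol, object_names, snmpinterval) are as I recall them from the SNMP Modular Input README and must be checked against the README of the version you install; the asset list, the host names and the sensor OIDs under enterprise 99999 are constructed placeholders.

```python
"""Build SNMP Modular Input stanzas for a forwarder's inputs.conf.

Added example (not from the talk or the snmp_ta app). Stanza key names are
as recalled from the SNMP Modular Input README: verify against the
installed version before deploying.
"""
import os

# Constructed asset list: the same columns the talk's fabricsource.csv
# export carries (ip, snmp_community, platform), plus a friendly host name
# and, where the device supports it, SNMPv3 authPriv credentials.
ASSETS = [
    {"host": "sensor-dc1", "ip": "10.10.1.20", "platform": "sensor",
     "snmp_community": "r0-s3ns0r"},
    {"host": "fw-edge-1", "ip": "10.10.2.1", "platform": "fortigate",
     "snmpv3": {"user": "splunkpoll", "auth_key": "authkey-placeholder",
                "priv_key": "privkey-placeholder"}},
]

# OIDs to poll per platform. The sensor OIDs are hypothetical placeholders
# under an invented enterprise arc; the fortigate entries are MIB-2
# sysName.0 and sysUpTime.0.
PLATFORM_OIDS = {
    "sensor": ["1.3.6.1.4.1.99999.1.1.0", "1.3.6.1.4.1.99999.1.2.0"],
    "fortigate": ["1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.1.3.0"],
}

# Vendor default community strings: refuse to poll with them rather than
# silently ship a weak credential to every forwarder.
WEAK_COMMUNITIES = {"public", "private"}


def snmp_stanza(asset, interval=60):
    """Return one [snmp://<host>] stanza (string) for the asset.

    Prefers SNMPv3 authPriv when the asset carries v3 credentials. v2c is
    the fallback: the community string crosses the wire in clear text, so
    it must be read-only and polled only over a management network.
    """
    lines = [
        "[snmp://%s]" % asset["host"],
        "destination = %s" % asset["ip"],
        "port = 161",
        "object_names = %s" % ",".join(PLATFORM_OIDS[asset["platform"]]),
        "snmpinterval = %d" % interval,
        "sourcetype = snmp",
        # sets the Splunk host field, so events carry a recognisable name
        # instead of the poller's own hostname (an alternative to tags)
        "host = %s" % asset["host"],
    ]
    if "snmpv3" in asset:
        v3 = asset["snmpv3"]
        lines += [
            "snmp_version = 3",
            "v3_securityName = %s" % v3["user"],
            "v3_authKey = %s" % v3["auth_key"],
            "v3_privKey = %s" % v3["priv_key"],
            "v3_authProtocol = usmHMACSHAAuthProtocol",
            "v3_privProtocol = usmAesCfb128Protocol",
        ]
    else:
        community = asset["snmp_community"]
        if community.lower() in WEAK_COMMUNITIES:
            raise ValueError("refusing default community for %s" % asset["host"])
        lines += ["snmp_version = 2C", "communitystring = %s" % community]
    return "\n".join(lines) + "\n"


def write_inputs_conf(path, assets, interval=60):
    """Write all stanzas to path with mode 0600 and return the text.

    The file holds credentials in clear text, so it is created readable
    only by the account the forwarder runs as.
    """
    text = "\n".join(snmp_stanza(a, interval) for a in assets)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    print(write_inputs_conf("inputs.conf", ASSETS))
```

Run it on the asset export, push the resulting file into snmp_ta/local/ with the deployment server, and restart the forwarder. Whatever generates the file, the forwarder still holds the community string or v3 keys on disk, so treat the forwarder host itself as part of the SNMP trust boundary.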

Page 13: SNMP and splunk

Displaying Results

Restart forwarder & verify events being received

Create tags to give recognisable names to the hosts (this could also be done within the input or a lookup)

Page 14: SNMP and splunk

Displaying Results

Run a simple search on the sourcetype to see if we are getting data (SNMP was configured to poll the device every minute).

Notice the host tags we configured

Page 15: SNMP and splunk

Displaying Results

Quick & Dirty regex to show TEMP & HUMIDITY from our sensors

Page 16: SNMP and splunk

But I don’t like/know regex

Use the splunk field extractor

Page 17: SNMP and splunk

Extracting values

Page 18: SNMP and splunk

Extracting values

The values are provided by the sensors but need to be divided by 10 & rounded

Solution = calculated field
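The regex extraction from the TEMP & HUMIDITY slide and the divide-by-10-and-round calculated field from this one, carried through in one place so the edge cases are visible. This is an added example, not the talk's rex or calculated field. The three events are constructed: they imitate the `<name>.<index> = "<value>"` lines the SNMP Modular Input writes, but SENSOR-MIB and its TEMP/HUMIDITY objects are invented placeholders, and the threshold values are arbitrary.

```python
"""Extract sensor readings from SNMP polling events and apply the
divide-by-10-and-round calculation the talk does with a calculated field.

Added example, not the talk's regex or calculated field. EVENTS is
constructed; SENSOR-MIB is an invented placeholder MIB name.
"""
import re

EVENTS = [  # (host, _raw) pairs, as the indexer would hold them
    ("sensor-dc1", 'SENSOR-MIB::TEMP.1 = "231" SENSOR-MIB::HUMIDITY.1 = "578"'),
    ("sensor-cold", 'SENSOR-MIB::TEMP.1 = "-42" SENSOR-MIB::HUMIDITY.1 = "910"'),
    # humidity probe unplugged: the agent answers with an SNMP error string
    ("sensor-dc2", 'SENSOR-MIB::TEMP.1 = "265" SENSOR-MIB::HUMIDITY.1 = '
                   '"No Such Instance currently exists at this OID"'),
]

# Same idea as the talk's quick & dirty rex: anchor on the object name
# rather than on position, and only accept an integer as the value.
TEMP_RE = re.compile(r'TEMP\.\d+ = "(-?\d+)"')
HUMIDITY_RE = re.compile(r'HUMIDITY\.\d+ = "(\d+)"')


def scaled(match):
    """Sensors report tenths of a unit: return value/10 rounded to one
    decimal, or None when the regex did not match (error string or
    missing object) so a dead probe never reads as 0.0."""
    if match is None:
        return None
    return round(int(match.group(1)) / 10.0, 1)


def extract_readings(host, raw):
    """Field extraction plus calculated field for one event."""
    return {
        "host": host,
        "temp": scaled(TEMP_RE.search(raw)),
        "humidity": scaled(HUMIDITY_RE.search(raw)),
    }


def over_threshold(events, temp_max=27.0, humidity_max=60.0):
    """Hosts whose reading breaches a limit, with unreadable hosts listed
    separately so a failed probe is not mistaken for a healthy one."""
    breach, unreadable = [], []
    for host, raw in events:
        r = extract_readings(host, raw)
        if r["temp"] is None or r["humidity"] is None:
            unreadable.append(host)
            continue
        if r["temp"] > temp_max or r["humidity"] > humidity_max:
            breach.append(host)
    return {"breach": breach, "unreadable": unreadable}


if __name__ == "__main__":
    for host, raw in EVENTS:
        print(extract_readings(host, raw))
    print(over_threshold(EVENTS))
```

The SPL equivalents are `| rex "TEMP\.\d+ = \"(?<temp_raw>-?\d+)\""` for the extraction and a calculated field `temp = round(temp_raw/10, 1)`; when temp_raw is null the calculated field is null too, which is the behaviour to keep, so an alert search should test for the null case explicitly rather than only for values over the limit.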

Page 19: SNMP and splunk

Extracting “value”

Page 20: SNMP and splunk

Extracting “value”

Page 21: SNMP and splunk

Large scale scripted collection

Python script to poll thousands of devices, output to CSV, scp to the splunk server, index the CSV into splunk

Page 22: SNMP and splunk

SNMP with Python fabric

Compile a list of SNMP OIDs that provide the values we want from each platform, then use a Python script to connect to the management stations, SNMP poll the devices & return the results into a CSV file, which is scp'd to the Indexer

PLATFORM_OIDS = {
    # 'go': True marks a platform as enabled for polling; OIDs may be numeric or MIB-name form, net-snmp accepts both
    'fortigate': {'hostname': '1.3.6.1.2.1.1.5.0', 'uptime': '1.3.6.1.2.1.1.3.0', 'model': 'SNMPv2-SMI::mib-2.47.1.1.1.1.10.1', 'version': 'SNMPv2-SMI::enterprises.12356.101.4.1.1.0', 'serial': '1.3.6.1.4.1.12356.100.1.1.1.0', 'avsig': '1.3.6.1.4.1.12356.101.4.2.1.0', 'idssig': '1.3.6.1.4.1.12356.101.4.2.2.0', 'go': True},
    'paloalto': {'model': '1.3.6.1.4.1.25461.2.1.2.2.1.0', 'version': '1.3.6.1.4.1.25461.2.1.2.1.1.0', 'uptime': '1.3.6.1.2.1.1.3.0', 'serial': '.1.3.6.1.4.1.25461.2.1.2.1.3.0', 'avsig': '1.3.6.1.4.1.25461.2.1.2.1.8.0', 'idssig': '1.3.6.1.4.1.25461.2.1.2.1.9.0', 'go': True},
    # check the 'license' OID: the other scalar objects in this branch end in .0, not .00
    'cisco-asa-ssm': {'hostname': 'SNMPv2-MIB::sysName.0', 'uptime': 'HOST-RESOURCES-MIB::hrSystemUptime.0', 'model': 'SNMPv2-SMI::mib-2.47.1.1.1.1.13.1', 'version': 'SNMPv2-SMI::enterprises.9.9.383.1.4.20.0', 'serial': 'SNMPv2-SMI::mib-2.47.1.1.1.1.11.1', 'license': 'SNMPv2-SMI::enterprises.9.9.383.1.4.22.00', 'idssig': 'SNMPv2-SMI::enterprises.9.9.383.1.4.21.0', 'go': True},
}

Page 23: SNMP and splunk

SNMP with Python fabric

Splunk easily ingests CSV data. Because our output file does NOT contain CSV header names on the first row, we pre-create a sourcetype, naming our columns.

props.conf

transforms.conf
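The polling step from the previous slide and the header-less CSV sourcetype from this one, as one added example. It is not the talk's fabric script: the shell runner is injected (on the management station you would pass fabric's `run`) so the block runs offline against constructed snmpget output; the snmpget flags are real net-snmp options (`-Oqv` prints one bare value per line in the order the OIDs were requested). The OID table is a subset of the talk's, the column names, sourcetype name, sample asset and FAKE_OUTPUT are mine.

```python
"""Poll one device with snmpget the way the talk's fabric script does,
emit a header-less CSV row, and generate the props.conf/transforms.conf
stanzas that name its columns.

Added example, not the talk's script. run(cmd) is injected so the block
runs offline; FAKE_OUTPUT and the sample asset are constructed.
"""
import csv
import io
import shlex
import time

PLATFORM_OIDS = {  # subset of the talk's per-platform table
    "fortigate": {"hostname": "1.3.6.1.2.1.1.5.0", "uptime": "1.3.6.1.2.1.1.3.0",
                  "serial": "1.3.6.1.4.1.12356.100.1.1.1.0",
                  "avsig": "1.3.6.1.4.1.12356.101.4.2.1.0",
                  "idssig": "1.3.6.1.4.1.12356.101.4.2.2.0", "go": True},
    "paloalto": {"uptime": "1.3.6.1.2.1.1.3.0",
                 "serial": "1.3.6.1.4.1.25461.2.1.2.1.3.0",
                 "avsig": "1.3.6.1.4.1.25461.2.1.2.1.8.0",
                 "idssig": "1.3.6.1.4.1.25461.2.1.2.1.9.0", "go": False},
}

# One column order, used by the CSV writer and by transforms.conf FIELDS,
# so the two cannot drift apart.
COLUMNS = ["polled_at", "ip", "platform", "hostname", "uptime", "serial", "avsig", "idssig"]
VALUE_KEYS = COLUMNS[3:]


def snmpget_cmd(ip, community, oids, version="2c"):
    """Build the snmpget command line. ip and community come from the asset
    list; shlex.quote keeps a hostile value from becoming shell syntax on
    the management station where the command runs."""
    args = ["snmpget", "-v", version, "-c", community, "-Oqv",
            "-t", "2", "-r", "1", ip] + list(oids)
    return " ".join(shlex.quote(a) for a in args)


def poll_device(run, ip, community, platform, now=None):
    """Return a row dict for the device, or None if the platform is disabled.

    run(cmd) -> str executes a shell command and returns its stdout
    (fabric's run on a management station, or a fake for testing).
    A missing object ("No Such ...") and a timed-out poll (empty output)
    both leave the affected columns blank rather than shifting columns.
    """
    table = PLATFORM_OIDS.get(platform)
    if not table or not table.get("go"):
        return None
    keys = [k for k in VALUE_KEYS if k in table]
    out = run(snmpget_cmd(ip, community, [table[k] for k in keys]))
    row = dict.fromkeys(COLUMNS, "")
    for key, value in zip(keys, out.splitlines()):
        value = value.strip().strip('"')   # -Oq drops quotes; strip anyway
        row[key] = "" if value.startswith("No Such") else value
    row.update(polled_at=int(now if now is not None else time.time()),
               ip=ip, platform=platform)
    return row


def csv_line(row):
    """Header-less CSV line in COLUMNS order (what gets scp'd to the indexer)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow([row[c] for c in COLUMNS])
    return buf.getvalue()


def splunk_conf(sourcetype="snmp_inventory"):
    """props.conf and transforms.conf text naming the header-less columns."""
    props = "\n".join([
        "[%s]" % sourcetype,
        "SHOULD_LINEMERGE = false",
        "TIME_PREFIX = ^",
        "TIME_FORMAT = %s",              # polled_at is epoch seconds
        "MAX_TIMESTAMP_LOOKAHEAD = 10",
        "REPORT-%s = %s_fields" % (sourcetype, sourcetype),
    ])
    transforms = "\n".join([
        "[%s_fields]" % sourcetype,
        'DELIMS = ","',
        "FIELDS = " + ",".join('"%s"' % c for c in COLUMNS),
    ])
    return props, transforms


# Constructed snmpget -Oqv output for the fortigate OIDs, one value per line
FAKE_OUTPUT = "fw-edge-1\n12:03:44:10.00\nFGT60D0000000000\n32.00123\n6.00789\n"

if __name__ == "__main__":
    row = poll_device(lambda cmd: FAKE_OUTPUT, "10.10.2.1", "r0-fw", "fortigate")
    print(csv_line(row))
    print("\n\n".join(splunk_conf()))
```

Two things worth keeping when you scale this to thousands of devices: the community string ends up in the shell command line on the management station, visible in process listings and shell history, so prefer `-c` from a restricted config or SNMPv3 where the platform allows it; and keep the column list in one place, because a CSV column added on the poller without a matching FIELDS change silently misnames every field at search time.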

Page 24: SNMP and splunk

SNMP with Python fabric

Create an input to monitor the csv

Page 25: SNMP and splunk

Enrichment / Lookups

Vendor signature release details (scrape)

Page 26: SNMP and splunk

Cisco IPS Signature & Versions

Page 27: SNMP and splunk

Fortigate IPS & Versions

Page 28: SNMP and splunk

Palo Alto IPS & Versions
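What the three vendor slides amount to once the scraped release details are in a lookup: compare each polled signature version with the latest vendor release and flag the devices that are behind. This is an added example, not the talk's lookup or dashboards. LATEST and DEVICES are constructed: the version strings copy each vendor's shape but the numbers are invented, and the host names are placeholders.

```python
"""Flag devices whose AV/IPS signature version lags the latest vendor
release, the comparison the Enrichment / Lookups slides drive from a
scraped vendor lookup.

Added example, not the talk's lookup. LATEST and DEVICES are constructed.
"""
import re

LATEST = {  # per platform: what the scraped vendor lookup would hold
    "fortigate": {"avsig": "32.00123", "idssig": "6.00789"},
    "paloalto": {"idssig": "5221-5730"},
    "cisco-asa-ssm": {"idssig": "S876"},
}

DEVICES = [  # rows as polled from the devices
    {"hostname": "fw-edge-1", "platform": "fortigate", "avsig": "32.00098", "idssig": "6.00789"},
    {"hostname": "fw-dc-1", "platform": "paloalto", "idssig": "5219-5728"},
    {"hostname": "asa-ips-1", "platform": "cisco-asa-ssm", "idssig": "S876"},
    {"hostname": "fw-lab-9", "platform": "fortigate", "avsig": "", "idssig": "6.00789"},
]


def version_key(version):
    """Tuple of ints (and letter prefixes) for ordering version strings.

    Plain string comparison goes wrong once a component gains a digit:
    "S876" > "S1234" and "6.999" > "6.1000" as strings. Splitting into
    numeric components compares each part as a number. Only compare
    versions of the same platform: mixed shapes raise TypeError here
    rather than silently ordering them.
    """
    return tuple(int(p) if p.isdigit() else p
                 for p in re.findall(r"\d+|[A-Za-z]+", version))


def stale_report(devices, latest):
    """One finding per (device, signature field): behind, current or no_data."""
    findings = []
    for dev in devices:
        for field, newest in latest[dev["platform"]].items():
            current = dev.get(field, "")
            if not current:
                status = "no_data"      # poll failed: do not assume healthy
            elif version_key(current) < version_key(newest):
                status = "behind"
            else:
                status = "current"
            findings.append({"hostname": dev["hostname"], "field": field,
                             "current": current, "latest": newest,
                             "status": status})
    return findings


def behind(devices=DEVICES, latest=LATEST):
    """Hostnames with at least one signature set behind the vendor release."""
    return sorted({f["hostname"] for f in stale_report(devices, latest)
                   if f["status"] == "behind"})


if __name__ == "__main__":
    for f in stale_report(DEVICES, LATEST):
        print("%(hostname)s %(field)s %(current)s -> %(latest)s %(status)s" % f)
    print("behind:", behind())
```

In SPL the same join is `| lookup vendor_latest platform OUTPUT latest_idssig`, but `idssig < latest_idssig` on two string fields has the ordering problem shown above; split the components with `split()` and convert with `tonumber()` before comparing, and treat a null idssig as its own "no data" state rather than letting it drop out of the results.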

Page 29: SNMP and splunk

Next Steps

Dynamic Python input files:
| inputlookup asset | table ip, snmp_community, platform | outputlookup fabricsource.csv

Dynamically deploy to forwarders
Deployment server to push input file to forwarder
Scripted inputs on forwarders to replace cron job(s) & csv-fu

Page 30: SNMP and splunk

Single Pane of Glass