Rogue System Detection with Splunk

November 7, 2014

This Splunk search allows you to be alerted when a new IP is seen by Bro. The requirements for this alert to work are the bro_known_hosts log and a CSV with all allowed IP addresses. Set up the CSV as an automatic lookup table. The automatic lookup table is set up based on the host (securityonion) and contains this mapping (assuming your lookup table is named lan_lookup): lan_lookup ip AS id_orig_h OUTPUTNEW name AS hostname. The below image shows the setup of the CSV file. A Splunk app called Lookup Editor is very helpful in adding new hostnames.

With the automatic lookup set up, a new field called hostname will appear in search results for data coming from the host securityonion. The hostname field will be populated with whatever is put in the name column of the CSV. Once this is set up, use the following search to find new IPs that are not in the CSV.

sourcetype=bro_known_hosts src_ip="192.168.*" | fillnull value=0 | search hostname=0 | stats count by src_ip

This search will only have results when an IP shows up in the bro_known_hosts log that starts with 192.168. and does not have a name in the CSV file you created. This methodology works fine for very small LANs, but will not easily scale up. For larger environments, a DNS query could be used to ensure the IP is a known host.
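As an added worked example (not code from the original post), the same detection logic in Python, run over a constructed allow-list CSV and constructed bro_known_hosts records. It assumes Bro's tab-separated log layout with a host column, which Splunk's field extraction exposes as src_ip for the search above.

```python
import csv
import io
from collections import Counter
from fnmatch import fnmatchcase
# Constructed stand-in for the allowed-host CSV (ip,name columns as on the page).
LAN_LOOKUP_CSV = """ip,name
192.168.1.10,fileserver
192.168.1.20,printer
192.168.1.50,laptop-alice
"""
# Constructed bro_known_hosts records in Bro's tab-separated layout (ts, host);
# Splunk's extraction exposes the host column as src_ip for the page's search.
KNOWN_HOSTS_LOG = """#fields\tts\thost
1415318400.123\t192.168.1.10
1415318412.456\t192.168.1.77
1415318430.789\t192.168.1.20
1415318455.001\t10.0.0.5
1415318470.002\t192.168.1.77
"""

def load_lookup(csv_text):
    """Stand-in for the automatic lookup: ip -> name from the CSV."""
    return {row["ip"]: row["name"] for row in csv.DictReader(io.StringIO(csv_text))}

def parse_known_hosts(log_text):
    """Yield the host value of each record, using the #fields header for column names."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))["host"]

def find_rogue_ips(log_text, lookup, src_pattern="192.168.*"):
    """Mirror the SPL pipeline: filter src_ip, fillnull hostname with 0,
    keep hostname=0 rows, then stats count by src_ip."""
    counts = Counter()
    for ip in parse_known_hosts(log_text):
        if not fnmatchcase(ip, src_pattern):   # src_ip="192.168.*"
            continue
        hostname = lookup.get(ip, 0)           # fillnull value=0
        if hostname == 0:                      # search hostname=0
            counts[ip] += 1                    # stats count by src_ip
    return dict(counts)

if __name__ == "__main__":
    for ip, n in find_rogue_ips(KNOWN_HOSTS_LOG, load_lookup(LAN_LOOKUP_CSV)).items():
        print(f"unknown host {ip} seen {n} time(s)")
```

Only 192.168.1.77 is reported here: it matches the address filter but has no name in the CSV, while 10.0.0.5 is dropped by the filter before the lookup is consulted.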
