Sunday, May 3, 2015

PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs


Continuing with the Splunk dashboards, let's add a panel for parsed ARPWatch logs.

Sample ARPWatch Log Message
Apr 14 16:05:49 192.168.0.1 Apr 14 20:05:08 kernel: arp: 192.X.X.11 moved from 24:77:03:32:55:30 to 88:53:2e:50:9d:3f on dc0

This message shows that the MAC address for IP 192.X.X.11 has changed. This is significant because it can help to detect ARP spoofing.


Our Search Filter:
host="pfsense_firewall" arp: | rex field=_raw "arp:\s(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\smoved\sfrom\s(?<before_mac>[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})\sto\s(?<after_mac>[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})\son\s(?<interface>.*)" | stats count by ip_address, before_mac, after_mac, interface

Our Results


Being able to track changing MAC addresses may help you identify misconfigured and/or malicious hosts in your network.
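To check the extraction outside Splunk, here is an added Python example (not from the original post) that applies the same regex as the rex command to constructed sample lines in the format shown above, reproduces the `stats count by` grouping, and flags IPs whose MAC keeps flipping, the pattern that matters for ARP spoofing. The sample lines, the hostnames and the `threshold` value are assumptions.

```python
import re
from collections import Counter

# Same pattern as the Splunk rex command, written with Python named groups.
ARP_MOVED = re.compile(
    r"arp:\s(?P<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\smoved\sfrom\s"
    r"(?P<before_mac>(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})\sto\s"
    r"(?P<after_mac>(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})\son\s(?P<interface>.*)"
)

# Constructed sample syslog lines in the shape the post shows; not real captures.
# The last line is a different kernel arp message and must be ignored by the parser.
SAMPLE_LOGS = """\
Apr 14 16:05:49 192.168.0.1 Apr 14 20:05:08 kernel: arp: 192.168.1.11 moved from 24:77:03:32:55:30 to 88:53:2e:50:9d:3f on dc0
Apr 14 16:06:02 192.168.0.1 Apr 14 20:05:21 kernel: arp: 192.168.1.11 moved from 88:53:2e:50:9d:3f to 24:77:03:32:55:30 on dc0
Apr 14 16:06:15 192.168.0.1 Apr 14 20:05:34 kernel: arp: 192.168.1.11 moved from 24:77:03:32:55:30 to 88:53:2e:50:9d:3f on dc0
Apr 14 16:07:00 192.168.0.1 Apr 14 20:06:19 kernel: arp: 192.168.1.20 moved from 00:1a:2b:3c:4d:5e to 00:1a:2b:3c:4d:5f on dc1
Apr 14 16:07:30 192.168.0.1 Apr 14 20:06:49 kernel: arp: 192.168.1.20 is on dc1 but got reply from 00:1a:2b:3c:4d:5e on dc0
"""


def parse_arp_moves(log_text):
    """Yield (ip_address, before_mac, after_mac, interface) for each 'moved from' line."""
    for line in log_text.splitlines():
        m = ARP_MOVED.search(line)
        if m:  # lines that do not match the rex pattern are dropped, as in Splunk
            yield (m.group("ip_address"), m.group("before_mac").lower(),
                   m.group("after_mac").lower(), m.group("interface"))


def stats_count_by(log_text):
    """Equivalent of '| stats count by ip_address, before_mac, after_mac, interface'."""
    return Counter(parse_arp_moves(log_text))


def flapping_ips(log_text, threshold=2):
    """IPs whose MAC changed at least `threshold` times (assumed cut-off).

    One change is often a legitimate re-addressing; repeated flips between two
    MACs for the same IP are the signature worth alerting on for ARP spoofing.
    """
    per_ip = Counter(ip for ip, *_ in parse_arp_moves(log_text))
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

Running `flapping_ips(SAMPLE_LOGS)` on the constructed sample returns only 192.168.1.11, the host that flipped three times.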


See you in the next post, where we parse DHCP logs.

In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs
