Passive DNS analysis is all the rage right now, the detection opportunities presented have been well discussed for some time. If your organization is like most now is the time you are being asked how you can implement these detection strategies. Leveraging your existing Splunk investment you can get started very quickly with less change to your organization than one might think. Here is what we will use older versions will work fine however the screen shots will be a bit off:
- Splunk Enterprise 6.3.1
- Splunk App for Stream 6.4
We will assume Splunk Enterprise 6.3.1has already been installed.
Decide where to install your Stream App. Typically this will be the Enterprise Security search head.
However if your ES search head is also a search head cluster you will need to use an AD-HOC search head, dedicated search head or a deployment server. Current versions of Stream fully support installation on a Search Head Cluster.
Note: If using the deployment server (DS) you must configure the server to search the indexer or index cluster containing your stream data.
- Install Splunk App for Stream using the standard procedures located here.
- Copy the deployment TA to your deployment server if you installed on a search head. /opt/splunk/etc/deployment-apps/Splunk_TA_stream
- On your deployment server create a new folder to contain configuration for your stream dns server group.
- mkdir -p Splunk_TA_stream_infra_dns/local
- Copy the inputs.conf from the default TA to the new TA for group management
- cp Splunk_TA_stream/local/inputs.conf Splunk_TA_stream_infra_dns/local/
- Update the inputs.conf to include your forwarder group id
- vi Splunk_TA_stream_infra_dns/local/inputs.conf
- Alter “stream_forwarder_id =” to “stream_forwarder_id =infra_dns”
- Create a new server class “infra_stream_dns” include both the following apps and deploy to all DNS servers (Windows DNS or BIND)
- Reload your deployment server
Excellent at this point the Splunk Stream app will be deployed to all of your DNS servers and sit idle. The next few steps will prepare the environment to start collections
- Create a new index I typically will create stream_dns and setup retention for 30 days.
Configure your deployment group
- Login to the search head with the Splunk App for Stream
- Navigate to Splunk App for Stream
- If this is your first time you may find you need to complete the welcome wizard .
- Click on Configure the “Distributed Forwarder Management”
- Click Create New Group as follows then click Next
- Name Infra_DNS
- Description Applied to All DNS servers
- Include Ephemeral Streams? No
- Enter “infra_dns” as this will ensure all clients deployed above will pickup this configuration from the Stream App
- Search for “Splunk_DNS” and select each match then Click Finish
- Click on Configuration then “Configure Streams”
- Click on New Stream
- Setup basic info as follows then click Next
- We will no use Aggregation so leave this as “No” and click Next
- The default fields will meet our needs so go ahead and click Next
- Optional Step: Create filters in most cases requests from the DNS server to the outside are not interesting as they are generated based on client requests that cannot be answer from the cache. Creating filters will reduce the total volume of data by approximately 50%
At this point stream will deploy and begin collection however index selection is not permitted in this workflow so we need to go back and set it up now.
- Find Infra_DNS and click edit
- Select the index appropriate for your environment
- Click save
Ready to check your work? Run this search replace index=* with your index
index=* sourcetype=stream:dns | stats count by query | sort – count