Copyright © 2017 Splunk Inc.
Splunk Stream
Tomas Baublys
Sr. Sales Engineer
Agenda
• Market Challenges
• Product Overview
• Architecture and Deployment
• Stream 7.0 Features
• Demo
• FAQ and Summary
Introduction: Market Challenges and Splunk Solution
Problem Statement
ITOA / APM / NPM:
• How do we get accurate data for our mission?
Security Analysis:
• Details of conversations may not be contained in logs
• Security data may be hard to acquire
• If an entity is compromised, it may not log at all!
• Applications may not accurately report their own performance
• Better to rely on an external agent to report the health of an entity than on the entity itself (especially if it’s underperforming!)
Solution: Wire Data with Splunk Stream!
Monitor application conversations and network performance
Direct ingest into Splunk (no props/transforms)
Stream is not a dedicated
– APM / NPM tool, but it has aspects of both
– Security Analytics tool, but its data is useful for both real-time and forensic security analysis
It’s Free! https://splunkbase.splunk.com/app/1809/
What’s Wire Data?
Network conversations
Machine data
Poly-structured data
Authoritative record of real-time and historical communication between machines and applications
tcpdump -qns 0 -A -r blah.pcap
20:57:47.368107 IP 205.188.159.57.25 > 67.23.28.65.42385: tcp 480
0x0000: 4500 0214 834c 4000 3306 f649 cdbc 9f39 E....L@.3..I...9
0x0010: 4317 1c41 0019 a591 50fe 18ca 9da0 4681 C..A....P.....F.
0x0020: 8018 05a8 848f 0000 0101 080a ffd4 9bb0 ................
0x0030: 2e43 6bb9 3232 302d 726c 792d 6461 3033 .Ck.220-rly-da03
0x0040: 2e6d 782e 616f 6c2e 636f 6d20 4553 4d54 .mx.aol.com.ESMT
0x0050: 5020 6d61 696c 5f72 656c 6179 5f69 6e2d P.mail_relay_in-
0x0060: 6461 3033 2e34 3b20 5468 752c 2030 3920 da03.4;.Thu,.09.
0x0070: 4a75 6c20 3230 3039 2031 363a 3537 3a34 Jul.2009.16:57:4
0x0080: 3720 2d30 3430 300d 0a32 3230 2d41 6d65 7.-0400..220-Ame
0x0090: 7269 6361 204f 6e6c 696e 6520 2841 4f4c rica.Online.(AOL
0x00a0: 2920 616e 6420 6974 7320 6166 6669 6c69 ).and.its.affili
0x00b0: 6174 6564 2063 6f6d 7061 6e69 6573 2064 ated.companies.d
(Diagram: End Users, Network, Servers, with the typical collection point on the network path between them)
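The packet on the slide, decoded programmatically. This is an added example, not part of the original deck or of Splunk Stream: it rebuilds the raw bytes from the tcpdump hex dump above, parses the IPv4/TCP headers into the L3/L4 fields a flow record would carry, and then pulls the SMTP server banner out of the L7 payload, which is exactly the detail that only wire data, not a flow record, can give you.

```python
import re
import struct

# Hex dump as shown on the slide (tcpdump -qns 0 -A -r blah.pcap); the slide
# truncates it after offset 0xb0, so only 192 of the 532 bytes are present.
TCPDUMP_HEXDUMP = """\
0x0000: 4500 0214 834c 4000 3306 f649 cdbc 9f39 E....L@.3..I...9
0x0010: 4317 1c41 0019 a591 50fe 18ca 9da0 4681 C..A....P.....F.
0x0020: 8018 05a8 848f 0000 0101 080a ffd4 9bb0 ................
0x0030: 2e43 6bb9 3232 302d 726c 792d 6461 3033 .Ck.220-rly-da03
0x0040: 2e6d 782e 616f 6c2e 636f 6d20 4553 4d54 .mx.aol.com.ESMT
0x0050: 5020 6d61 696c 5f72 656c 6179 5f69 6e2d P.mail_relay_in-
0x0060: 6461 3033 2e34 3b20 5468 752c 2030 3920 da03.4;.Thu,.09.
0x0070: 4a75 6c20 3230 3039 2031 363a 3537 3a34 Jul.2009.16:57:4
0x0080: 3720 2d30 3430 300d 0a32 3230 2d41 6d65 7.-0400..220-Ame
0x0090: 7269 6361 204f 6e6c 696e 6520 2841 4f4c rica.Online.(AOL
0x00a0: 2920 616e 6420 6974 7320 6166 6669 6c69 ).and.its.affili
0x00b0: 6174 6564 2063 6f6d 7061 6e69 6573 2064 ated.companies.d
"""

# One dump line: offset, up to eight 16-bit hex groups, then the ASCII column.
HEX_LINE = re.compile(r"^0x[0-9a-f]+:\s+((?:[0-9a-f]{4}\s+){1,8})")

TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def hexdump_to_bytes(dump):
    """Rebuild the raw packet bytes from tcpdump's hex/ASCII dump lines."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)


def decode_tcp_flags(bits):
    return [name for name, bit in TCP_FLAG_BITS if bits & bit]


def parse_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP headers into the L3/L4 fields a flow record
    would carry, and return whatever L7 payload the capture actually holds."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, _seq, _ack, off_flags, _window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4          # TCP header length incl. options
    payload = tcp[data_off:]
    return {
        "src_ip": ".".join(str(b) for b in pkt[12:16]),
        "dst_ip": ".".join(str(b) for b in pkt[16:20]),
        "ttl": ttl,
        "src_port": sport,
        "dst_port": dport,
        "flags": decode_tcp_flags(off_flags & 0x1FF),
        "total_len": total_len,
        "payload_len": total_len - ihl - data_off,   # length declared on the wire
        "payload_captured": len(payload),            # length present in the dump
        "payload_text": payload.decode("ascii", errors="replace"),
    }


def smtp_banner_lines(payload_text):
    """Split an SMTP server greeting into (reply code, is_continuation, text)
    tuples; this is the L7 detail a flow record never contains."""
    lines = []
    for raw in payload_text.split("\r\n"):
        m = re.match(r"^(\d{3})([ -])(.*)$", raw)
        if m:
            lines.append((int(m.group(1)), m.group(2) == "-", m.group(3)))
    return lines


if __name__ == "__main__":
    fields = parse_ipv4_tcp(hexdump_to_bytes(TCPDUMP_HEXDUMP))
    for k, v in fields.items():
        print(f"{k:>17}: {v!r}")
    print(smtp_banner_lines(fields["payload_text"]))
```

The declared payload length (480 bytes, matching "tcp 480" in the tcpdump summary line) differs from the 140 bytes actually present because the slide cut the dump short; a parser should report both rather than trust either alone.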
How Will Wire Data Help Solve the Problem?
Wire data is a capture of the true conversations between endpoints
It has the “omniscient view” of what actually transpired
The conversations contain the details of each transaction, including the time of occurrence
Less chance of interference
– Intentional / malicious
– Load or resource based
Stream Metadata vs. Flow Records
(Figure: the seven OSI layers, 1. Physical to 7. Application, shown side by side for Splunk Stream and for Flow-type Data)
• Traditional wire data flow-type records (such as NetFlow) generally contain only IP addresses and TCP or UDP ports.
• While this can show host-to-host connections, it doesn’t give any insight into the content of those conversations (like telephone call records).
• Splunk Stream parses wire data all the way up the stack and generates events with information at every level (more akin to a written transcript of a phone call).
Stream Metadata vs. Full Packet Capture
Stream metadata contains the essential content information:
– L3/L4 and L7 headers and payload
Eliminates the redundancy of thousands of identical headers
– Significantly smaller data storage
Stream Events in Splunk
1. L2/L3/L4 flow info (IP, port, protocol, app name)
2. L7 protocol info (HTTP headers, SMTP addresses, DNS query/response)
3. L7 full bidirectional payload (possibly hashed or hex encoded)
4. Directly measured metrics (byte count, response time)
5. Empirically derived heuristics (round trip, server delay)
6. Any specific fields, configurable
Product Overview
Wire Data Collection / Metadata Generation
(Diagram, host-based collection: End Users exchange Request/Response Packets with a Host running UF/HEC + STM; Stream applies Decryption (if necessary) and a Protocol Decoder (Deep Packet Inspection) and emits Events)
Wire Data Collection / Metadata Generation
(Diagram, out-of-band collection: End Users exchange Request/Response Packets with Servers; a TAP or SPAN port feeds copies to Stream, which applies Decryption (if necessary) and a Protocol Decoder (Deep Packet Inspection) and emits Events)
What’s Available In Splunk Stream Data?
Performance Metrics: Round Trip Time, Client Request Time, Server Reply Time, Server Send Time, Total Time Taken, Base HTML Load Time, Page Content Load Time, Total Page Load Time
Application Data: POST Content, AJAX Data, Section, Sub-Section, Page Title, Session Cookie, Proxied IP Address, Error Message
Business Data: Product ID, Customer ID, Shopping Cart ID, Cart Items, Cart Values, Discounts, Order ID, Abandoned?
Splunk Stream (7.0)
Metadata Collection
– Collects the essential elements of the application conversation
– Eliminates the redundancy of duplicate packet headers
Live Interface Collection Option
– Collect directly on hosts
– Also from a tap or SPAN port
Estimate Mode
– Deploy Stream without collecting data (or affecting license)
Commercial App Detection (300+)
– Works even if the app is encrypted
Aggregation Mode
– Statistics generated at the endpoint
– Similar to “stats sum(x)” in SPL
Filtering at Endpoint
Out-of-Box Content
– Dashboards for common protocols
Distributed Forwarder Management
– Similar to Splunk UF management
– All config centrally managed
– Forwarder groups
1GbE and 10GbE link options
– 10 GbE uses the DPDK SDK (dpdk.org)
Protocols Parsed with Stream 7.0
Simple Transport: TCP, UDP, IP
Infrastructure: ARP, DHCP, SNMP, DNS, ICMP
File Transfer: FTP, HTTP
File Service: NFS, SMB
Email: IMAP, MAPI, POP3, SMTP
Messaging: AMQP, IRC, SMPP, XMPP
Authentication: Diameter, LDAP, RADIUS
Database: MySQL, Postgres, TDS (Sybase / MS-SQL), TNS (Oracle SQL*Net)
VoIP: SIP, RTP
Commercial Application Detection
Adds detection of many hundreds of applications to the existing “app” field of the TCP stream type
Helps diagnose problems such as:
– “What is going over port 80?”
– “What’s taking all of my bandwidth?”
DOES NOT PARSE applications, simply detects them
– Will detect encrypted protocols!
– Will detect vendor-proprietary protocols!
– Uses empirical patterns, DNS, certificate CNs and other methods
The current feature supports 300+ applications, with many more to be added
300+ Commercial Applications Detected 
Adobe Flash Plugin Update Adobe Update Manager AIM express AIM Transfer AllMusic.com Altiris Amazon Ad System Amazon Cloud Drive Amazon Generic Services Amazon MP3 Amazon Video
Amazon Web Services/Cloudfront CDN Android connectivity Manager Aol AOL Instant Messenger (formerly OSCAR) Apple AirPlay Apple Airport Apple AirPrint Apple App Store Apple FaceTime Apple
Generic Services Apple HTTP Live Streaming Apple Location Apple Maps Apple Music Apple Push Notification Service Apple SIRI Apple Update ASProxy Atlassian Background Intelligent Transfer
Service Baidu Player Baidu_wallet Baidu.com Bet365.com Bitcoin client BitTorrent Bittorrent Apps BitTorrent Bleep (aka BitTorrent Chat) BlackBerry Locate BlackBerry Messenger BlackBerry
Messenger Audio BlackBerry Messenger Video BlackBerry.com Border Gateway Protocol CARBONITE CCProxy ChatON Chatroulette.com Chrome Update Cisco Discovery Protocol Cisco MeetingPlace
Cisco Netflow Common Unix Printer System Crackle craigslist Data Stream Interface DB2 Debian/Ubuntu Update Dropbox Download Dropbox Upload Dropbox.com eBay.com Edonkey Evernote.com
EverQuest - EverQuest II Facebook Facebook Messenger FarmVille Find My iPhone Firefox Update Flickr Generic Routing Encapsulation GitHub Gmail Basic Gmail drive Gmail Mobile GNUnet Gnutella
Google Accounts Google Analytics Google App Engine Google Cache Google Calendar Google Chat Google Cloud Messaging Google Cloud Storage Google Documents (aka Google Drive) Google Earth
Google Generic Google groups Google GStatic Google Hangouts (formerly Google Talk) Google Mail Google Maps Google Picasa Google Play Music,Google Play Musique Google Play Store Google Plus
Google Safe Browsing Google Tag Manager Google Toolbar Google Translate Google.com GoToDevice Remote Administration GoToMeeting Online Meeting GoToMyPC Remote Access GPRS
Tunneling Protocol GPRS Tunneling Protocol version 2 Half-Life Hi5.com High Entropy Hot Standby Router Protocol HP Printer Job Language Hulu HyperText Transfer Protocol version 2,HTTP/2 I2P
Invisible Internet Project IBM Informix IBM Lotus Sametime IBM SmartCloud IBM Websphere MQ iCloud (Apple) iHeartRADIO iMessage File Download Imgur.com Independant Computing
Architecture (Citrix) Instagram Internet Group Management Protocol Internet Printing Protocol Internet Security Association and Key Management Protocol Internet Small Computer Systems
Interface iOS over-the-air (OTA) update IP Payload Compression Protocol IP-in-IP tunneling IPsec Encapsulating Security Payload IRC File Transfer Data iTunes Jabber File Transfer Java Update JEDI
(Citrix) Kazaa (FastTrack protocol) KIK Messenger King Digital Entertainment LinkedIn.com Live hotmail for mobile Livestream.com LogMeIn Rescue magicJack Mail.ru Agent Maktoob mail Media
Gateway Control Protocol Message Session Relay Protocol Microsoft ActiveSync Microsoft Lync Microsoft Lync Online Microsoft Office 365 Microsoft Remote Procedure Call Microsoft Service Control
Microsoft SharePoint Microsoft SharePoint Administration Application Microsoft SharePoint Blog Management Application Microsoft SharePoint Calendar Management Application Microsoft
SharePoint Document Management Application Multi Protocol Label Switching data-carrying mechanism Nagios Remote Data Processor Nagios Remote Plugin Executor Name Service Provider
Interface Netflix.com NetMeeting ILS Network Time Protocol Nintendo Wi-Fi Connection Nortel/SynOptics Netwok Management Protocol OkCupid Online Certificate Status Protocol Oovoo Open
Shortest Path First Opera Update Orkut.com Outlook Web Access (Office 365) Outlook Web App PalTalk Paltalk audio chat PalTalk Transfer Protocol Paltalk video Pandora Radio Pastebin
Pastebin_posting PCAnywhere Photobucket.com Pinterest.com Playstation Network Plenty Of Fish QIK Video QQ QQ File Transfer QQ Games QQ Mail QQ WeiBo QQ.com QQDownload QQLive
Network Player QQMusic QQStream Quake quic QVOD Player RapidShare.com Real Time Streaming Protocol Remote Desktop Protocol (Windows Terminal Server) Remote Procedure Call RetroShare
Routing Information Protocol V1 Routing Information Protocol V2 Routing Internet Protocol ng1 Rovio Entertainment RSS Salesforce.com SAP SecondLife.com Secure Shell Session Traversal Utilities
for NAT SharePoint Online Silverlight (Microsoft Smooth Streaming) Simple Object Access Protocol Skinny Client Control Protocol Slacker Radio Slingbox Snapchat SOCKet Secure v5 SoMud Bittorrent
tracker SoundCloud SourceForge SPDY Spotify SquirrelMail Steampowered.com Symantec Norton AntiVirus Updates Syslog Systems Network Architecture Teamspeak v2 TeamSpeak v3 TeamViewer
Telnet Teredo protocol Terminal Access Controller Access-Control System Plus TIBCO RendezVous Protocol Tor2web Tumblr Twitch Twitpic Twitter UStream uTorrent uTP (Micro Transport Protocol)
UUSee Protocol VEVO Viber Vimeo.com Vine Virtual Router Redundancy Protocol VMWare vmware_horizon_view Waze Social GPS Maps & Traffic WebEx WhatsApp Messenger WHOIS
WiiConnect24 Wikipedia.com Windows Azure CDN Windows Internet Naming Service Windows Live File Storage Windows Live Groups Windows Live Hotmail Windows Live Hotmail Attachements
Windows Live SkyDrive Windows Live SkyDrive Login Windows Marketplace Windows Update WordPress.com World of Warcraft Xbox Live Xbox Live Marketplace Xbox Music Xbox Video (Microsoft
Movies and Tv) xHamster.com Yahoo groups Yahoo Mail classic Yahoo Mail v.2.0 Yahoo Messenger Yahoo Messenger conference service Yahoo Messenger Transfer Protocol Yahoo Messenger Video
Yahoo Search Yahoo webmail for mobile Yahoo Webmessenger Yahoo.com Yellow Page Bind Yellow Page Passwd Yellow Pages Server Youtube.com
Example of Applications in Search
Search: sourcetype=stream:* | stats count by app
app  count
amazon_aws 31
apple 5
apple_location 2
dhcp 6
facebook 6
flickr 1
google 58
google_analytics 4
google_gen 29
google_safebrowsing 8
google_tags 3
gstatic 11
http 7945
http2 11
https 214
icloud 8
imgur 9
krb5 30
live_hotmail 6
norton_update 5
ntp 2
ocsp 81
pinterest 1
skype 1411
smb 12
spdy 4
spotify 3
teredo 15
tumblr 28
twitter 11
yahoo 129
yahoo_search 1
ymsg_webmessenger 3
youtube 1
Data Estimate Mode (per-Stream)
(Screenshot: per-stream Estimate Mode selection and the resulting Estimate Data Volume)
Prebuilt Reporting
Get visibility into application performance and user experience
Understand database activity and performance without impacting database operation
Improve security and application intelligence with DNS analytics
Live Demo
Architecture and Deployment
Collect and Monitor Data with Stream
Stream has two deployment architectures and two collection methodologies
Deployment:
– In-line, directly on the monitored host
– Out-of-band (stub) with a TAP or SPAN port
Collection:
– Technical Add-On (TA) with Splunk Universal Forwarder (UF)
– Independent Stream Forwarder using HTTP Event Collector (HEC)
Deployment: Dedicated Collector
(Diagram: End Users reach Servers through the Internet and a Firewall; a TAP or SPAN port feeds a Linux Forwarder running Splunk_TA_Stream, which sends to the Splunk Indexers and the Search Head)
Deployment: Run on Servers
(Diagram: End Users reach Physical or Virtual Servers, in a Physical Datacenter or Public or Private Cloud, through the Internet and a Firewall; each server runs a Universal Forwarder with Splunk_TA_stream, which sends to the Splunk Indexers and the Search Head)
Stream Forwarder Options
1. Stream TA
• Stream deploys as a modular input on top of your Splunk Forwarders.
2. Independent Stream Forwarder
• Stream deploys as a stand-alone binary and communicates via HEC.
• Requires >= Splunk 6.3.1
• Makes it easy to add Stream anywhere in your environment
(Diagram: Splunk Forwarder sending to Splunk Indexers; Any Linux Host sending to Splunk Indexers over HTTP/S)
Distributed Forwarder Management
Gain more deployment flexibility
Increase management efficiency with per-forwarder protocol control
Tailor data collection by assigning different sets of protocols to groups of forwarders
(Diagram: protocol selection, configuration and distribution, with protocols such as TNS, MySQL, HTTP, DNS, TCP, SIP, Diameter and UDP assigned to forwarder groups)
New Features in Stream 7
Major New Features in Stream 7.0
Splunk Stream 7.0 was released GA in November 2016
NetFlow Collector
– NetFlow v5, v9 (with template support), IPFIX (with vendor extensions)
MD5 Hashing
– Any parsed Stream field, including SMTP attachments and HTTP files
– Integrates with the Enterprise Security Threat Intelligence Framework
Flow Visualization for all IPv4 space
PCAP upload via the Search Head and continuous directory monitoring via the Forwarder
Enhanced metadata fields (e.g., FlowID, Protocol Stack, Event Name)
Configuration Templates
– Easier integration with other Splunk products
Flow Collection
Active Flow listening socket on the Stream Forwarder
Flexible configuration options
– Selectable fields and filtering
– Multiple, distinct listening ports can be configured on each Stream Forwarder
Supports the most common versions of Flow protocols
– Cisco NetFlow, Juniper jFlow, HP sFlow, cFlowd
– NetFlow v5, v9, IPFIX
– v9 with templates (standard and custom)
– IPFIX with vendor extensions
Aggregation of Flow records (pre-indexing) can dramatically reduce the number of Splunk events created
Performance > 465,000 flows/second (on a single Independent Stream Forwarder)
Flow Collector Data Flow
NetFlow Collector
• NetFlow listening sockets (UDP ports)
• Actively captures Flows from NetFlow v5, v9, IPFIX
• Creates Splunk-compatible Flow Records
• Management from the Stream centralized UI
(Diagram, numbered data flow:)
1. NetFlow-enabled devices (router, network switch)
2. Export NetFlow (over UDP)
3. NetFlow metadata captured by Stream
4. Events in Splunk Indexer / Search Head
NetFlow and sFlow Streams UX
(Screenshot)
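An added example (not Splunk Stream code) of the flow-collection path on the two slides above: a constructed NetFlow v5 datagram is packed the way an exporter would send it over UDP, parsed by a small collector that checks the version and record count against the datagram length, and then aggregated per (src, dst, dst_port, protocol) before indexing, which is the kind of pre-index reduction the Aggregation note refers to. The header and record layout follow the published NetFlow v5 format; the flow tuples and addresses are constructed sample data.

```python
import socket
import struct

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed sample flows as an exporter would see them:
# (src_ip, dst_ip, src_port, dst_port, protocol, tcp_flags, packets, bytes)
SAMPLE_RECORDS = [
    ("10.0.0.5", "203.0.113.10", 51000, 443, 6, 0x18, 40, 30000),
    ("10.0.0.5", "203.0.113.10", 51001, 443, 6, 0x02, 1, 60),
    ("10.0.0.5", "203.0.113.10", 51002, 443, 6, 0x18, 12, 8000),
    ("10.0.0.5", "10.0.0.53", 40000, 53, 17, 0, 1, 70),
    ("10.0.0.5", "10.0.0.53", 40001, 53, 17, 0, 1, 75),
]


def build_v5_datagram(records, unix_secs=1478000000, seq=1):
    """Constructed exporter side: pack flow tuples into one NetFlow v5 datagram."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\x00" * 4,
                       1, 2, pkts, octets, 1000, 2000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, flags, pkts, octets in records)
    header = V5_HEADER.pack(5, len(records), 123456, unix_secs, 0, seq, 0, 0, 0)
    return header + body


def parse_v5(datagram):
    """Collector side: validate the header, then unpack each flow record."""
    version, count, _uptime, secs, _nsecs, _seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"truncated datagram: header advertises {count} records")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "exporter_time": secs,
            "src_ip": socket.inet_ntoa(r[0]),
            "dst_ip": socket.inet_ntoa(r[1]),
            "packets": r[5], "bytes": r[6],
            "src_port": r[9], "dst_port": r[10],
            "tcp_flags": r[12], "protocol": r[13],
        })
    return flows


def aggregate(flows, key_fields=("src_ip", "dst_ip", "dst_port", "protocol")):
    """Pre-index aggregation in the spirit of Stream's Aggregation Mode: one
    event per key with summed counters instead of one event per flow record."""
    agg = {}
    for f in flows:
        key = tuple(f[k] for k in key_fields)
        a = agg.setdefault(key, {"flow_count": 0, "packets": 0, "bytes": 0, "tcp_flags": 0})
        a["flow_count"] += 1
        a["packets"] += f["packets"]
        a["bytes"] += f["bytes"]
        a["tcp_flags"] |= f["tcp_flags"]   # union of the TCP flags seen across flows
    return agg


if __name__ == "__main__":
    flows = parse_v5(build_v5_datagram(SAMPLE_RECORDS))
    print(f"{len(flows)} flow records -> {len(aggregate(flows))} aggregated events")
    for key, stats in aggregate(flows).items():
        print(key, stats)
```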
MD5 Hashing of Files
File hashing provides integrity verification of files and can be used for a number of security use cases
– inbound malware detection
– outbound data loss prevention
Stream generates MD5 hashes equivalent to the “md5sum” Unix command, after decoding the content back to binary
Specifically for SMTP file attachments and HTTP files
MD5 hashes generated by Stream integrate directly into the Threat Intelligence framework of Enterprise Security, and this has been tested with ES
As a bonus, *any* non-numeric field can be MD5 hashed using the “Extract New Field” option. The field can be length-truncated if desired.
MD5 Hashing Data Flow
MD5 hashing
• Used to enable DLP and security use cases
• Examines both inbound and outbound data transfer
• Can be used to find IOCs as well as data exfiltration
• Better metric than file names or file types
(Diagram, numbered data flow: a Client on the Internet and a Server exchange a file (malware) through a Network Switch; Enterprise Security with TA-Splice Threat Intelligence on the Splunk side)
1. File transfer traffic between Client and Server is directed towards Stream (Tap or SPAN)
2. Stream generates MD5 hashes of files and sends them to the Splunk Indexers
3. MD5 hashes are compared against Threat Intel from public databases
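An added example, not the product's own code, showing why the slides stress hashing after decoding the content back to binary: a constructed MIME message with a base64 attachment is parsed as it would cross the wire in SMTP, the attachment is decoded and MD5-hashed so the digest equals md5sum of the original file (hashing the base64 text instead would never match), and the digest is looked up in a constructed threat-intel table with placeholder names, not real indicators.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage

# Constructed sample: the file a sender attaches (not a real binary).
ATTACHMENT_NAME = "invoice.bin"
ATTACHMENT_BYTES = b"MZ\x90\x00" + bytes(range(256)) * 4


def md5sum(data):
    """Same digest the md5sum command prints for a file with these bytes."""
    return hashlib.md5(data).hexdigest()


def build_smtp_message(filename, payload):
    """Constructed sender: the MIME message as it crosses the wire in the SMTP
    DATA phase, with the attachment base64 transfer-encoded."""
    msg = EmailMessage()
    msg["From"] = "alice@example.net"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def hash_attachments(raw_message):
    """Walk the MIME parts, decode each attachment back to binary and MD5 it.
    Hashing the decoded bytes (not the base64 text) is what makes the digest
    comparable with md5sum of the original file and with threat-intel lists."""
    results = []
    for part in message_from_bytes(raw_message).walk():
        if part.get_content_disposition() != "attachment":
            continue
        decoded = part.get_payload(decode=True)        # base64 -> original bytes
        encoded_text = part.get_payload(decode=False)  # transfer-encoded text
        results.append({
            "filename": part.get_filename(),
            "size": len(decoded),
            "md5": md5sum(decoded),
            "md5_of_encoded_text": md5sum(encoded_text.encode("ascii")),
        })
    return results


def match_threat_intel(attachment_hashes, intel):
    """Look each attachment digest up in an MD5-keyed threat-intel table."""
    return [dict(h, intel_name=intel[h["md5"]])
            for h in attachment_hashes if h["md5"] in intel]


# Constructed threat-intel table with a placeholder name (not a real indicator).
SAMPLE_INTEL = {md5sum(ATTACHMENT_BYTES): "constructed-sample-ioc"}


def demo():
    raw = build_smtp_message(ATTACHMENT_NAME, ATTACHMENT_BYTES)
    hashes = hash_attachments(raw)
    return hashes, match_threat_intel(hashes, SAMPLE_INTEL)


if __name__ == "__main__":
    hashes, hits = demo()
    for h in hashes:
        print(h)
    print("threat-intel hits:", hits)
```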
Flow Visualization
Designed to show limited Client->Server interaction for the IPv4 address space. Overview and Detail views
Can be used in real-time, interactive, and forensic modes
Bubble chart that animates as flows appear (Detail view only)
Flow Visualization Detail View
(Screenshot callouts: horizontal trends show your externally-accessible hosts; the bubbles animate in real-time or in play-back mode; vertical trends illustrate your internal host address space)
Live Demo
FAQ and Summary
FAQ
Can I limit the amount of data collected with Stream?
• Yes. The app enables capture of only the relevant network/wire data for analytics, through filters and aggregation rules
• Select or deselect protocols and associated attributes with fine-grained precision within the app interface
How can I estimate my indexing volume?
• Data volume can vary based upon the number of selected protocols, attributes and the amount of network traffic
• Use Stream Estimate to understand the indexing impact
Where is Stream typically installed?
• Stream can be installed on any physical or virtual host running a supported OS, on premises or in the cloud
• It can be installed off of TAP and SPAN ports
• It can be deployed in combination with TAP aggregation or visibility switches
Thank You

Splunk Stream - Insights into Network Traffic

  • 1. Copyright © 2017 Splunk Inc. Splunk Stream Tomas Baublys Sr. Sales Engineer
  • 2. 2 Agenda • Market Challenges • Product Overview • Architecture and Deployment • Stream 7.0 Features • Demo • FAQ and Summary
  • 4. 5 Problem Statement ITOA / APM / NPM: • How do we get accurate data for my mission? Security Analysis: • Details of conversations may not be contained in logs • Security data may be hard to acquire • If an entity is compromised, it may not log at all! • Applications may not accurately report their own performance • Better to rely on an external agent to report the health of an entity than the entity itself (especially if it’s underperforming!)
  • 5. 6 Solution: Wire Data with Splunk Stream! monitor application conversations and network performance Direct ingest into Splunk (no props/transforms) Stream is not a dedicated – APM / NPM tool, but has aspects of both – Security Analytics tool, but data is useful for both real-time and forensic security analysis It’s Free! https://splunkbase.splunk.com/app/1809/
  • 6. 7 What’s Wire Data? Network Conversations Machine data Poly-structured data Authoritative record of real-time and historical communication between machines and applications tcpdump -qns 0 -A -r blah.pcap 20:57:47.368107 IP 205.188.159.57.25 > 67.23.28.65.42385: tcp 480 0x0000: 4500 0214 834c 4000 3306 f649 cdbc 9f39 E....L@.3..I...9 0x0010: 4317 1c41 0019 a591 50fe 18ca 9da0 4681 C..A....P.....F. 0x0020: 8018 05a8 848f 0000 0101 080a ffd4 9bb0 ................ 0x0030: 2e43 6bb9 3232 302d 726c 792d 6461 3033 .Ck.220-rly-da03 0x0040: 2e6d 782e 616f 6c2e 636f 6d20 4553 4d54 .mx.aol.com.ESMT 0x0050: 5020 6d61 696c 5f72 656c 6179 5f69 6e2d P.mail_relay_in- 0x0060: 6461 3033 2e34 3b20 5468 752c 2030 3920 da03.4;.Thu,.09. 0x0070: 4a75 6c20 3230 3039 2031 363a 3537 3a34 Jul.2009.16:57:4 0x0080: 3720 2d30 3430 300d 0a32 3230 2d41 6d65 7.-0400..220-Ame 0x0090: 7269 6361 204f 6e6c 696e 6520 2841 4f4c rica.Online.(AOL 0x00a0: 2920 616e 6420 6974 7320 6166 6669 6c69 ).and.its.affili 0x00b0: 6174 6564 2063 6f6d 7061 6e69 6573 2064 ated.companies.d End Users Typical Collection Point Servers Network
  • 7. 9 How Will Wire Data Help Solve the Problem? Wire data represents capture of true conversations between endpoints It has the “omniscient view” of what actually transpired The conversations contain the details about each transaction, including the time of occurrence Less chance of interference – Intentional / Malicious – Load or resource based
  • 8. 10 Stream Metadata vs. Flow Records Splunk Stream 7. Application 6. Presentation 5. Session 4. Transport 3. Network 2. Data Link 1. Physical • Traditional Wire Data flow-type records (such as NetFlow) generally contains only IP addresses and TCP or UDP ports. • While this can show host-host connections, it doesn’t give any insight about the content of those conversations (like telephone call records) • Splunk Stream parses wire data all the way up the stack and generates Events with information at every level (more akin to a written transcript of a phone call) Flow-type Data 7. Application 6. Presentation 5. Session 4. Transport 3. Network 2. Data Link 1. Physical
  • 9. 11 Stream Metadata vs Full Packet Capture Stream Metadata contains essential content information: – L3/L4 and L7 headers and payload Eliminates the redundancy of thousands of identical headers – Significantly smaller data storage
  • 10. 12 Stream events in Splunk 1. L2/L3/L4 flow info (IP, port, protocol, app name) 2. L7 protocol info (HTTP headers, SMTP addresses, DNS query/response) 3. L7 full bidirectional payload (possibly hashed or hex encoded) 4. Directly measured metrics (byte count, response time) 5. Empirically derived heuristics (round-trip, server delay) 6. Any specific fields, configurable
  • 12. 14 Wire Data Collection / Metadata Generation (Diagram: End Users; Host + (UF/HEC) + STM; Request/Response Packets; Decryption (If Necessary); Protocol Decoder (Deep Packet Inspection); Events)
  • 13. 15 Wire Data Collection / Metadata Generation (Diagram: End Users; TAP or SPAN; Servers; Request/Response Packets; Decryption (If Necessary); Protocol Decoder (Deep Packet Inspection); Events)
  • 14. 16 What’s Available In Splunk Stream Data? Performance Metrics Round Trip Time Client Request Time Server Reply Time Server Send Time Total Time Taken Base HTML Load Time Page Content Load Time Total Page Load Time Application Data POST Content AJAX Data Section Sub-Section Page Title Session Cookie Proxied IP Address Error Message Business Data Product ID Customer ID Shopping Cart ID Cart Items Cart Values Discounts Order ID Abandoned?
  • 15. 17 Splunk Stream (7.0) Metadata Collection – Collects essential elements of the application conversation – Eliminates redundancy of duplicate packet headers Live Interface Collection Option – Collect directly on hosts – Also from a tap or SPAN port Estimate Mode – Deploy Stream without collecting data (or affecting license) Commercial App Detection (300+) – Works even if the app is encrypted Aggregation Mode – Statistics generated at endpoint – Similar to “stats sum(x)” in SPL Filtering at Endpoint Out-of-Box Content – Dashboards for common protocols Distributed Forwarder Mgt – Similar to Splunk UF mgt – All config centrally managed – Forwarder Groups 1GbE and 10GbE link options – 10 GbE uses DPDK SDK (dpdk.org)
  • 16. 18 Protocols Parsed with Stream 7.0 Simple Transport TCP UDP IP Infrastructure ARP DHCP SNMP DNS ICMP File Transfer FTP HTTP File Service NFS SMB Email IMAP MAPI POP3 SMTP Messaging AMQP IRC SMPP XMPP Authentication Diameter LDAP RADIUS Database MYSQL Postgres TDS (Sybase / MS-SQL) TNS (Oracle SQL*Net) VoIP SIP RTP
  • 17. 19 Commercial Application Detection Adds detection of many hundreds of applications to the existing “app” field of the TCP stream type Helps diagnose the problem of: – “what is going over port 80?” – “what’s taking all of my bandwidth?” DOES NOT PARSE applications, simply detects them – Will detect encrypted protocols! – Will detect vendor-proprietary protocols! – Uses empirical patterns, DNS, certificate CNs and other methods Current feature supports 300+ applications, many more to be added
  • 18. 20 300+ Commercial Applications Detected Adobe Flash Plugin Update Adobe Update Manager AIM express AIM Transfer AllMusic.com Altiris Amazon Ad System Amazon Cloud Drive Amazon Generic Services Amazon MP3 Amazon Video Amazon Web Services/Cloudfront CDN Android connectivity Manager Aol AOL Instant Messenger (formerly OSCAR) Apple AirPlay Apple Airport Apple AirPrint Apple App Store Apple FaceTime Apple Generic Services Apple HTTP Live Streaming Apple Location Apple Maps Apple Music Apple Push Notification Service Apple SIRI Apple Update ASProxy Atlassian Background Intelligent Transfer Service Baidu Player Baidu_wallet Baidu.com Bet365.com Bitcoin client BitTorrent Bittorrent Apps BitTorrent Bleep (aka BitTorrent Chat) BlackBerry Locate BlackBerry Messenger BlackBerry Messenger Audio BlackBerry Messenger Video BlackBerry.com Border Gateway Protocol CARBONITE CCProxy ChatON Chatroulette.com Chrome Update Cisco Discovery Protocol Cisco MeetingPlace Cisco Netflow Common Unix Printer System Crackle craigslist Data Stream Interface DB2 Debian/Ubuntu Update Dropbox Download Dropbox Upload Dropbox.com eBay.com Edonkey Evernote.com EverQuest - EverQuest II Facebook Facebook Messenger FarmVille Find My iPhone Firefox Update Flickr Generic Routing Encapsulation GitHub Gmail Basic Gmail drive Gmail Mobile GNUnet Gnutella Google Accounts Google Analytics Google App Engine Google Cache Google Calendar Google Chat Google Cloud Messaging Google Cloud Storage Google Documents (aka Google Drive) Google Earth Google Generic Google groups Google GStatic Google Hangouts (formerly Google Talk) Google Mail Google Maps Google Picasa Google Play Music,Google Play Musique Google Play Store Google Plus Google Safe Browsing Google Tag Manager Google Toolbar Google Translate Google.com GoToDevice Remote Administration GoToMeeting Online Meeting GoToMyPC Remote Access GPRS Tunneling Protocol GPRS Tunneling Protocol version 2 Half-Life Hi5.com High Entropy Hot Standby Router Protocol
HP Printer Job Language Hulu HyperText Transfer Protocol version 2,HTTP/2 I2P Invisible Internet Project IBM Informix IBM Lotus Sametime IBM SmartCloud IBM Websphere MQ iCloud (Apple) iHeartRADIO iMessage File Download Imgur.com Independent Computing Architecture (Citrix) Instagram Internet Group Management Protocol Internet Printing Protocol Internet Security Association and Key Management Protocol Internet Small Computer Systems Interface iOS over-the-air (OTA) update IP Payload Compression Protocol IP-in-IP tunneling IPsec Encapsulating Security Payload IRC File Transfer Data iTunes Jabber File Transfer Java Update JEDI (Citrix) Kazaa (FastTrack protocol) KIK Messenger King Digital Entertainment LinkedIn.com Live hotmail for mobile Livestream.com LogMeIn Rescue magicJack Mail.ru Agent Maktoob mail Media Gateway Control Protocol Message Session Relay Protocol Microsoft ActiveSync Microsoft Lync Microsoft Lync Online Microsoft Office 365 Microsoft Remote Procedure Call Microsoft Service Control Microsoft SharePoint Microsoft SharePoint Administration Application Microsoft SharePoint Blog Management Application Microsoft SharePoint Calendar Management Application Microsoft SharePoint Document Management Application Multi Protocol Label Switching data-carrying mechanism Nagios Remote Data Processor Nagios Remote Plugin Executor Name Service Provider Interface Netflix.com NetMeeting ILS Network Time Protocol Nintendo Wi-Fi Connection Nortel/SynOptics Network Management Protocol OkCupid Online Certificate Status Protocol Oovoo Open Shortest Path First Opera Update Orkut.com Outlook Web Access (Office 365) Outlook Web App PalTalk Paltalk audio chat PalTalk Transfer Protocol Paltalk video Pandora Radio Pastebin Pastebin_posting PCAnywhere Photobucket.com Pinterest.com Playstation Network Plenty Of Fish QIK Video QQ QQ File Transfer QQ Games QQ Mail QQ WeiBo QQ.com QQDownload QQLive Network Player QQMusic QQStream Quake quic QVOD Player RapidShare.com Real Time Streaming
Protocol Remote Desktop Protocol (Windows Terminal Server) Remote Procedure Call RetroShare Routing Information Protocol V1 Routing Information Protocol V2 Routing Internet Protocol ng1 Rovio Entertainment RSS Salesforce.com SAP SecondLife.com Secure Shell Session Traversal Utilities for NAT SharePoint Online Silverlight (Microsoft Smooth Streaming) Simple Object Access Protocol Skinny Client Control Protocol Slacker Radio Slingbox Snapchat SOCKet Secure v5 SoMud Bittorrent tracker SoundCloud SourceForge SPDY Spotify SquirrelMail Steampowered.com Symantec Norton AntiVirus Updates Syslog Systems Network Architecture Teamspeak v2 TeamSpeak v3 TeamViewer Telnet Teredo protocol Terminal Access Controller Access-Control System Plus TIBCO RendezVous Protocol Tor2web Tumblr Twitch Twitpic Twitter UStream uTorrent uTP (Micro Transport Protocol) UUSee Protocol VEVO Viber Vimeo.com Vine Virtual Router Redundancy Protocol VMWare vmware_horizon_view Waze Social GPS Maps & Traffic WebEx WhatsApp Messenger WHOIS WiiConnect24 Wikipedia.com Windows Azure CDN Windows Internet Naming Service Windows Live File Storage Windows Live Groups Windows Live Hotmail Windows Live Hotmail Attachments Windows Live SkyDrive Windows Live SkyDrive Login Windows Marketplace Windows Update WordPress.com World of Warcraft Xbox Live Xbox Live Marketplace Xbox Music Xbox Video (Microsoft Movies and Tv) xHamster.com Yahoo groups Yahoo Mail classic Yahoo Mail v.2.0 Yahoo Messenger Yahoo Messenger conference service Yahoo Messenger Transfer Protocol Yahoo Messenger Video Yahoo Search Yahoo webmail for mobile Yahoo Webmessenger Yahoo.com Yellow Page Bind Yellow Page Passwd Yellow Pages Server Youtube.com
  • 19. 21 Example of Applications in Search sourcetype=stream:* | stats count by app (results, app and count): amazon_aws 31, apple 5, apple_location 2, dhcp 6, facebook 6, flickr 1, google 58, google_analytics 4, google_gen 29, google_safebrowsing 8, google_tags 3, gstatic 11, http 7945, http2 11, https 214, icloud 8, imgur 9, krb5 30, live_hotmail 6, norton_update 5, ntp 2, ocsp 81, pinterest 1, skype 1411, smb 12, spdy 4, spotify 3, teredo 15, tumblr 28, twitter 11, yahoo 129, yahoo_search 1, ymsg_webmessenger 3, youtube 1
  • 20. 22 Data Estimate Mode (per-Stream) (Screenshot: Stream Estimate, with Estimate Data Volume under Mode Selection)
  • 21. 23 Prebuilt Reporting Get visibility into applications performance and user experience Understand database activity and performance without impacting database operation Improve security and application intelligence with DNS analytics
  • 24. 26 Collect and Monitor Data with Stream Stream has two deployment architectures and two collection methodologies Deployment: – In-line directly on monitored host – Out-of-band (stub) with TAP or SPAN port Collection: – Technical Add-On (TA) with Splunk Universal Forwarder (UF) – Independent Stream Forwarder using HTTP Event Collector (HEC)
  • 25. 27 Deployment: Dedicated Collector End Users TAP or SPAN Firewall Search Head Linux Forwarder Splunk_TA_Stream Servers Internet Splunk Indexers
  • 26. 28 Deployment: Run on Servers (Diagram: End Users; Internet; Firewall; Physical or Virtual Servers running Universal Forwarder + Splunk_TA_stream in a Physical Datacenter, Public or Private Cloud; Splunk Indexers; Search Head)
  • 27. 29 Stream Forwarder Options 1. Stream TA • Stream deploys as a modular input on top of your Splunk Forwarders. 2. Independent Stream Forwarder • Stream deploys as a stand-alone binary and communicates via HEC. • Makes it easy to add Stream anywhere in your environment • Requires >= Splunk 6.3.1 (Diagram: Splunk Forwarder to Splunk Indexers; Any Linux Host over HTTP/S to Splunk Indexers)
  • 28. 31 Distributed Forwarder Management Gain more deployment flexibility Increase management efficiency with per-forwarder protocol control Tailor data collection by assigning different sets of protocols to groups of forwarders (Diagram: Protocol Selection, Configuration & Distribution, e.g., TNS, MySQL, HTTP, DNS, TCP, SIP, Diameter, UDP assigned to forwarder groups)
  • 30. 33 Major New Features in Stream 7.0 Splunk Stream 7.0 was released GA in November 2016 NetFlow Collector – NetFlow v5, v9 (with template support), IPFIX (with vendor extensions) MD5 Hashing – Any parsed Stream field, including SMTP attachments and HTTP files – Integrates with Enterprise Security – Threat Intelligence Framework Flow Visualization for all IPv4 space PCAP Upload via SH and Continuous Directory Monitoring via Forwarder Enhanced Metadata Fields (e.g., FlowID, Protocol Stack, Event Name) Configuration Templates – Easier integration with other Splunk products
  • 31. 34 Flow Collection Active Flow listening socket on Stream Forwarder Flexible Configuration Options – Selectable fields and filtering – Can configure multiple, distinct listening ports on each Stream Forwarder Supports most common versions of Flow protocols – Cisco NetFlow, Juniper jFlow, HP sFlow, cFlowd – NetFlow v5, v9, IPFIX – V9 with templates (standard and custom) – IPFIX with vendor extensions Aggregation of Flow records (pre-indexing) can dramatically reduce the number of Splunk Events created Performance > 465,000 flows/second (on a single Independent Stream Forwarder)
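Slides 8 and 31 above describe flow records as carrying only the L3/L4 fields of a conversation and pre-index aggregation as a way to cut the number of events created. The following Python is an added example, not Splunk's or Stream's own code: it builds a constructed NetFlow v5 export datagram, parses the 24-byte header and 48-byte records, rejects a wrong version or a truncated payload, and then aggregates records that share (src_ip, dest_ip, dest_port, protocol) so that several client connections to one service collapse into one event with summed counters. The field names and the aggregation key are this example's assumptions, not Stream's schema.

```python
"""NetFlow v5 parsing plus pre-index aggregation (added example, not Splunk code)."""
import struct
import ipaddress
from collections import defaultdict

# NetFlow v5 wire layout: a 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")            # version, count, sysuptime, unix_secs,
                                                    # unix_nsecs, flow_sequence, engine_type,
                                                    # engine_id, sampling_interval
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # srcaddr, dstaddr, nexthop, input, output,
                                                    # dPkts, dOctets, first, last, srcport, dstport,
                                                    # pad1, tcp_flags, prot, tos, src_as, dst_as,
                                                    # src_mask, dst_mask, pad2


def build_v5_datagram(records):
    """Encode (src, dst, sport, dport, proto, packets, octets) tuples as a v5 export.
    Used only to construct sample input here; in practice the exporter is a router."""
    header = V5_HEADER.pack(5, len(records), 123456, 1480000000, 0, 1000, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)), 0,
                       1, 2, pkts, octets, 100, 200, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in records)
    return header + body


def parse_v5(datagram):
    """Parse one NetFlow v5 datagram into a list of flow dicts.
    Raises ValueError on an unsupported version or a payload shorter than announced,
    so a malformed or cut-off export never yields partial records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"truncated datagram: header announces {count} records")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src_ip": str(ipaddress.IPv4Address(f[0])),   # only L3/L4 fields exist in a
            "dest_ip": str(ipaddress.IPv4Address(f[1])),  # flow record: no payload at all
            "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dest_port": f[10],
            "tcp_flags": f[12], "protocol": f[13],
        })
    return flows


def aggregate(flows):
    """Collapse flows that share (src_ip, dest_ip, dest_port, protocol) into one event
    with summed packet/byte counters and a flow count, the same idea as running
    stats sum(x) in SPL but before the data is indexed. The source port is left out
    of the key on purpose: ephemeral client ports would defeat the aggregation."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0})
    for f in flows:
        a = agg[(f["src_ip"], f["dest_ip"], f["dest_port"], f["protocol"])]
        a["packets"] += f["packets"]
        a["bytes"] += f["bytes"]
        a["flows"] += 1
    return {k: dict(v) for k, v in agg.items()}


# Constructed sample: three HTTPS connections from one client to one server,
# plus a DNS query and its reply (addresses from documentation ranges).
SAMPLE_RECORDS = [
    ("10.0.0.5", "203.0.113.10", 51000, 443, 6, 10, 4000),
    ("10.0.0.5", "203.0.113.10", 51001, 443, 6, 20, 9000),
    ("10.0.0.5", "203.0.113.10", 51002, 443, 6, 5, 1500),
    ("10.0.0.7", "198.51.100.53", 40000, 53, 17, 1, 80),
    ("198.51.100.53", "10.0.0.7", 53, 40000, 17, 1, 120),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_RECORDS)


def reduction(datagram):
    """Return (flow records parsed, events after aggregation) for one datagram."""
    flows = parse_v5(datagram)
    return len(flows), len(aggregate(flows))


if __name__ == "__main__":
    for key, stats in aggregate(parse_v5(SAMPLE_DATAGRAM)).items():
        print(key, stats)
    print("records -> events:", reduction(SAMPLE_DATAGRAM))
```

Run stand-alone it prints three aggregated events for five records; on a busy exporter the same key choice turns thousands of per-connection records into one event per client/service pair, which is the saving the slide refers to. Note that the aggregated event also carries no payload: the contrast with Stream's L7 parsing in the slide above is that nothing here could tell you what was said over port 443.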
  • 32. 35 Flow Collector Data Flow NetFlow Collector • NetFlow listening sockets (UDP ports) • Actively captures Flows from NetFlow v5, v9, IPFIX • Creates Splunk-compatible Flow Records • Management from Stream Centralized UI (Diagram: 1 NetFlow-enabled devices (router, network switch); 2 Export NetFlow (over UDP); 3 NetFlow metadata captured by Stream; 4 Events in Splunk Indexer / Search Head)
  • 33. 36 NetFlow and sFlow Streams UX
  • 34. 37 MD5 Hashing of Files File hashing provides integrity verification of files and can be used for a number of security use cases – inbound malware detection – outbound data loss prevention Stream generates MD5 hashes equivalent to the “md5sum” unix command after decoding content back to binary Specifically for SMTP file attachments and HTTP files MD5 hashes generated with Stream integrate directly into the Threat Intelligence framework of Enterprise Security and have been tested with ES As a bonus, *any* non-numeric field can be MD5 hashed using the “Extract New Field” option. The field can be length-truncated if desired.
  • 35. 38 MD5 Hashing Data Flow MD5 hashing • Used to enable DLP and Security use cases • Examines both inbound and outbound data transfer • Can be used to find IOCs as well as data exfiltration • Better metric than file names or file types (Diagram: 1 File transfer traffic between client and server (a file transfer from a malware-hosting server on the Internet) is directed towards Stream via a tap or SPAN on the network switch; 2 Stream generates MD5 hashes of files and sends them to Splunk Indexers; 3 MD5 hashes compared against Threat Intel from public databases in ES / TA-Splice Threat Intelligence)
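Slides 34 and 35 above describe hashing a transferred file only after decoding it back to binary, so the digest equals md5sum on the original file, and then matching that digest against threat intelligence. The following Python is an added example, not Splunk Stream's or Enterprise Security's code: it parses a constructed SMTP message as it would appear in the DATA phase, base64-decodes the attachment, computes the MD5 of the decoded bytes, looks it up in a constructed threat list, and shows the “Extract New Field” style hashing of an arbitrary field value with optional truncation. The message, the file contents and the threat list are all constructed placeholders.

```python
"""MD5 of a decoded SMTP attachment and threat-list lookup (added example, not Splunk code)."""
import base64
import hashlib
import email
from email import policy

# Constructed sample file body; any bytes would do, this is not a real document.
ATTACHMENT_BYTES = b"%PDF-1.4 constructed sample attachment body, not a real document\n"

# Constructed sample message as seen on the wire in the SMTP DATA phase:
# CRLF line endings, a text body part and one base64-encoded attachment.
SAMPLE_MESSAGE = (
    "From: sender@example.test\r\n"
    "To: recipient@example.test\r\n"
    "Subject: report\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n"
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "see attached\r\n"
    "--XYZ\r\n"
    "Content-Type: application/octet-stream; name=\"report.pdf\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Disposition: attachment; filename=\"report.pdf\"\r\n"
    "\r\n"
    + base64.encodebytes(ATTACHMENT_BYTES).decode().replace("\n", "\r\n")
    + "--XYZ--\r\n"
)


def md5sum_bytes(data):
    """Hex MD5 of raw bytes, the same value `md5sum` prints for a file with that content."""
    return hashlib.md5(data).hexdigest()


def attachment_hashes(raw_message):
    """Return [(filename, md5hex)] for every attachment in an RFC 5322 message.
    The digest is taken over the decoded bytes (base64 -> original file), never
    over the base64 text on the wire, so it is comparable to published IOCs."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():          # skips the text/plain body part
        decoded = part.get_payload(decode=True)  # undo Content-Transfer-Encoding
        results.append((part.get_filename(), md5sum_bytes(decoded)))
    return results


def match_threat_intel(hashes, known_bad):
    """Return the (filename, md5hex) pairs whose digest appears in the threat list."""
    return [(name, digest) for name, digest in hashes if digest in known_bad]


def hash_field(value, truncate=None):
    """MD5 of an arbitrary non-numeric field value (the 'Extract New Field' idea),
    optionally length-truncated to keep the indexed field short."""
    digest = hashlib.md5(value.encode("utf-8")).hexdigest()
    return digest[:truncate] if truncate else digest


# Constructed threat list: one placeholder digest plus the sample file's own
# digest so the match path is exercised. Real values would come from a feed.
THREAT_MD5 = {"0" * 32, md5sum_bytes(ATTACHMENT_BYTES)}


def scan(raw_message, known_bad=THREAT_MD5):
    """Hash every attachment and report the ones that match the threat list."""
    hashes = attachment_hashes(raw_message)
    return hashes, match_threat_intel(hashes, known_bad)


if __name__ == "__main__":
    hashes, hits = scan(SAMPLE_MESSAGE.encode())
    print("attachments:", hashes)
    print("threat matches:", hits)
    print("hashed sender, truncated:", hash_field("sender@example.test", 8))
```

Hashing the base64 text exactly as it passes on the wire would give a different digest from the file's md5sum, which is why the decode step matters before any comparison with published indicators. MD5 is not collision-resistant, so the digest is useful for lookups against feeds that publish MD5 values, not as proof of a file's integrity.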
  • 36. 39 Flow Visualization Designed to show limited Client->Server interaction for IPv4 address space. Overview and Detail views Can be used in real-time, interactive, and forensic modes Bubble chart that animates as flows appear (Detail view only)
  • 37. 40 Flow Visualization Detail View Horizontal trends show your externally-accessible hosts The bubbles animate in real-time or in play-back mode Vertical trends illustrate your internal host address space
  • 40. 43 FAQ Can I limit the amount of data collected with Stream? • Yes. The app enables capture of only the relevant network/wire data for analytics, through filters and aggregation rules • Select or deselect protocols and associated attributes with fine-grained precision within the app interface How can I estimate my indexing volume? • Data volume can vary based upon the number of selected protocols, attributes and the amount of network traffic • Use Stream Estimate to understand the indexing impact Where is Stream typically installed? • Stream can be installed on any physical or virtual host running a supported OS, on premises or in the cloud • It can be installed off of TAP and SPAN ports • It can be deployed in combination with TAP aggregation or visibility switches

Editor's Notes

  • #2: Customer facing deck
  • #5: With this app, Splunk customers can capture deep insights about application transaction times, transaction paths, network performance, and even database queries. By correlating wire data with other application and infrastructure data in Splunk software, such as logs, metrics and events, users gain insights about the availability, performance and usage of their apps, services and networks. Visualize application and database insights, including application transactions, HTTP error codes, response times, top URIs and database queries, without needing deep instrumentation or impact on the monitoring system. As a software solution, the Splunk App for Stream can be deployed on any type of cloud (in a VM). Our customers start gaining immediate insights into apps and cloud infrastructure without deep instrumentation. This provides real-time visibility into any public, private or hybrid cloud infrastructure through insights from wire data. Additionally, customers can now securely decrypt SSL-encrypted data for data completeness. As the nature of apps running in the cloud is ephemeral, you can tailor your data collection easily. This can be achieved through temporary streams or fine-grained monitoring. Lastly, it can be rapidly deployed to collect streaming network data for everyone.
  • #25: We will cover just three examples in this section. There are many more – please refer to the presentation titled Stream Customer Success Examples.
  • #33: This section covers the important features from the older releases. Skip, if the customer is familiar with the older releases.
  • #42: We will cover just three examples in this section. There are many more – please refer to the presentation titled Stream Customer Success Examples.
  • #43: Thank you. Open up for Questions
  • #45: Thank you. Open up for Questions