Splunk plus TOR = Splunkion: forwarding logs over TOR

A fun crazy experiment:

Some weekends I just pick a couple of Lego blocks of technology and click them together to see what happens. I was thinking over the concept of TOR hidden services. It turns out you can run a Splunk Universal Forwarder (UF) with an outputs.conf pointing to your indexer while it listens for inputs from other UFs as a TOR hidden service. You can then make a UF running on something like a Raspberry Pi send its logs back over TOR like a dynamic VPN.

Why would you want to? Because it was neat to do. Here is how to repeat the proof of concept.

Splunk forwarding over TOR


How do we make it work?

The Universal Forwarder TOR to Indexer Relay:

  1. Install the Splunk Universal Forwarder
  2. Install TOR:  sudo apt-get install tor
  3. Setup TOR to listen on 9997 as a hidden service by editing the /var/tor/torrc file
  4. Restart TOR:  sudo service tor restart
  5. Get the server’s .onion address: sudo vi /var/lib/tor/other_hidden_service/hostname
  6. Setup $SPLUNK_HOME/etc/system/local/inputs.conf to listen on 9997
  7. Setup $SPLUNK_HOME/etc/system/local/outputs.conf to send data to your existing Splunk Indexer. The below example is setup for SSL so replace with what yours uses.

The Remote Forwarding Log Source:

  1. Install the Splunk Universal Forwarder
  2. Install TOR:  sudo apt-get install tor
  3. Install socat:  sudo apt-get install socat
  4. Setup $SPLUNK_HOME/etc/system/local/outputs.conf to send logs to localhost:9998
  5. Ensure socat is running to bounce 9998 to 9997. This is how we torrify the Splunk forwarder to Indexer traffic. We need to use it to tunnel the Splunk TCP traffic through TOR. You will want to work up how to make that auto start on reboot and run in background. But here is the command you can run manually to test it. Note in this command you have to know the .onion address of the UF we will use as our TOR to Splunk indexer gateway on the receiving end.
  6. Set Splunk to pickup logs etc via the normal inputs.conf methods.
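
The two lists above, staged as files in a scratch directory so they can be reviewed before being merged into torrc and `$SPLUNK_HOME/etc/system/local/`. This is an added example, not the author's original configuration. Assumptions: the staging layout, the tcpout group names, `indexer.example.com:9997`, the `acceptFrom` restriction, Tor's default SOCKS port 9050, and plain `tcpout` to the indexer standing in for whatever SSL settings yours uses.

```shell
#!/usr/bin/env bash
# Added example: stage config fragments for both hosts in a scratch directory.
# Assumed values: staging layout, group names, indexer address, SOCKS port 9050.
# Usage: stage_relay ./relay indexer.example.com:9997; stage_source ./source

# Accept only a well-formed onion name (16-char v2 or 56-char v3, base32).
valid_onion() {
  printf '%s\n' "$1" | grep -Eq '^([a-z2-7]{16}|[a-z2-7]{56})\.onion$'
}

# Relay host: torrc hidden-service stanza plus the UF inputs and outputs.
stage_relay() {  # $1 = staging dir, $2 = indexer host:port
  mkdir -p "$1" || return 1
  cat > "$1/torrc.fragment" <<EOF
HiddenServiceDir /var/lib/tor/other_hidden_service/
HiddenServicePort 9997 127.0.0.1:9997
EOF
  # acceptFrom (added hardening): only the local Tor daemon may connect.
  cat > "$1/inputs.conf" <<EOF
[splunktcp://9997]
acceptFrom = 127.0.0.1
EOF
  cat > "$1/outputs.conf" <<EOF
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = $2
EOF
}

# Remote log source: the UF sends to the local socat listener on 9998.
stage_source() {  # $1 = staging dir
  mkdir -p "$1" || return 1
  cat > "$1/outputs.conf" <<EOF
[tcpout]
defaultGroup = tor_relay

[tcpout:tor_relay]
server = 127.0.0.1:9998
EOF
}

# Bridge 127.0.0.1:9998 -> Tor SOCKS -> relay onion:9997. bind= keeps other
# hosts on the network from pushing data through this bridge.
socat_cmd() {  # $1 = relay .onion name
  valid_onion "$1" || { echo "invalid onion address: $1" >&2; return 1; }
  echo "socat TCP4-LISTEN:9998,bind=127.0.0.1,reuseaddr,fork SOCKS4A:127.0.0.1:$1:9997,socksport=9050"
}
```

`socat_cmd` only prints the bridge command; it refuses anything that is not a bare onion name, so a mistyped or padded address never reaches the socat argument string.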

Final Comments:

That is it and you have torrified Splunk forwarder to Indexer traffic. It would let you collect data from remote sources without exposing to them the actual destination address of your Indexing system.

Keep in mind that TOR itself encrypts the traffic so you could stick with the unencrypted “9997” outputs.conf style setup. Or you could still go all out and generate a new SSL Certificate Authority with ECC certificates and do all the normal certificate root and name validation that you should when setting up SSL for Splunk. If you want to learn more on how to do that come see a talk I am giving with a friend at Splunk .conf 2014 this year.


OSX and Public Wifi – Toggle settings with AppleScript

I like to remind folks when moving their Apple laptop to public wifi that they need to remember to turn off the iLife application sharing such as iTunes and iPhoto. Then turn on their firewall.

So here is an AppleScript that will do just that. It is written and tested on OSX Lion with iLife 11. So you may have to play with it for your version if that is not what you are running.  Keep in mind it is a toggle script.  It will reverse the settings of iPhoto, iTunes sharing and the firewall. So it is assumed you share both with the firewall off when at home.

Also you need to ensure "Enable access for assistive devices" is checked under Universal Access in System Preferences.

Just cut and paste the below script into the AppleScript editor. Then save it either as an application on your desktop that you can double click, or as an AppleScript in a folder where an application like LaunchBar can use it as an action: ~/Library/Application Support/LaunchBar/Actions


TwitPic – Scraping Exif Data

A couple of days ago Dr. Johannes Ullrich did a really interesting post on scraping GPS data from photos that Twitter users posted to TwitPic. You can read the original post with graphs over at the Internet Storm Center blog. He wrote a couple of Perl scripts for use with the exiftags tool.

So I was inspired to do a similar trick without the perl script and using my favorite, Exiftool by Phil Harvey.  So here comes yet another one of my automators for OSX.  You can download it in the zip below.  Just copy the imagecsv.txt to the root of your user home folder.   Then run the automator app.  You can of course edit the app in Automator to see how it works.  It will prompt you for the twitter user name of your target.  Then it goes to twitpic, scrapes their rss feed of all full sized images and runs exiftool on them.  It makes all the output in a folder on your desktop using the twitter user name.  You may alter what fields the exiftool puts to the exifdump.txt file by editing the imagecsv.txt.  It is just a print format file under the rules of exiftool setup to be tab delimited.

Just make sure you have exiftool installed or you won't get the tag dump. You will end up just getting all the pictures scraped from the user’s rss feed.

OSX Automator – TwitPic – ExifScrape

Social Media & Blogging – Geo Location Sharing

Continuing the theme of where your audience is: when it comes to knowing where you are, the concern is whom you allow to know it, and at what level of resolution.


Now I don’t always consistently update my location. Just randomly when the mood hits me. Or when I want to publish it. Sometimes I am other places and leave it on a certain location on purpose. Here is how I handle my geo location information. I start with my iPhone 3GS that has full GPS. On the iPhone I normally use the http://www.brightkite.com/ application because it makes updating my location stream one touch. Next if I have friends that I want to see my exact real location I can give them permissions from Brightkite as long as they have a Brightkite account.


I would rather the world at large see only general, city-level location information. This shows up on my http://www.georgestarcher.com blog and in the location field on my twitter profile. So I let Brightkite and Fireeagle cross control each other. Then I use the superb per-application privacy link controls from http://fireeagle.yahoo.net/ to send only city level information to EagleTweet for twitter updating and to my blog via a widget. One of the best things about Fireeagle is it requires you to regularly keep your account active for sharing. Think of it as a deadman’s switch. If I fail to renew my authorization it stops all sharing to all apps tied to it. I have my renewal set to require it monthly.


Below is a diagram of the information path.


Trading Privacy for Services

I spotted an article today on a new service for anonymizing your phone number. It lets people call you while keeping your number private. The article is “Anonymize your phone number with LetsCall.Me” over at CNet by Josh Lowensohn. The service lets you hand out a web link and folks can input their number on that page. The service then connects them to you without them ever knowing your number. So I have to wonder, where is the hook? How do they intend to make money? Every web service is about eventually making money, even indirectly. It has to be or what is the point?

I actually read the terms of use from LetsCall.Me and find this section curious.

You also grant to LetsCall.Me the right to use your name in connection with the submitted materials and other information as well as in connection with all advertising, marketing and promotional material related thereto. You agree that you shall have no recourse against LetsCall.Me for any alleged or actual infringement or misappropriation of any proprietary right in your communications to LetsCall.Me.

Could this mean your name, number etc are eligible to be sold on a marketing list?  Keep in mind I am NOT saying they ARE doing or WILL do this.  Just that the language makes me think they COULD. I also will say I am not a lawyer.  So best ask yours if in doubt.

The trade off might suit your needs.  I know I am a Google GrandCentral user.  But that service is not open to new subscribers so maybe what LetsCall.Me offers would work for you.  Just consider the implications of any terms of use for any service when handing out information you are intending to protect.

Geo-location Sunday

Today I spent a bit playing with Yahoo’s new Fire Eagle location service. It has some pretty decent privacy controls and it is taking off fast as a junction point for location aware applications. If you sign up for Fire Eagle you can get an automatic invite to Bright Kite which has good sms and email mechanisms for updating your location. It also has decent privacy controls. Such as only close friends see your exact location and everyone else gets the city.

So I tied them together and then tied Brightkite to my twitter location. While I was doing this I was surprised to see how many of my twitter followers have their exact longitude and latitude coordinates updating from their iPhone. I would wager a lot of them did not give a real thought to the privacy concerns. Or that it tells a lot of people when you are definitely not home. Worse, imagine your kids with iPhones and twitter. Raises cyber bullying to a whole new level if the bully can go straight to where they really are.

I would recommend disabling location updates and wiping the current location. Or use something like Fire Eagle/Brightkite to mask your location to a city level where it has value to you.

MobileMe (formerly dotMac) Dynamic DNS

A while back I was messing with tunneling iTunes sharing through SSH. During that experimentation I noticed that there was a dynamic DNS name showing up on my system of my dotMac username in this format: username.members.mac.com. I found it by looking at Bonjour, aka mDNS, traffic. It is kind of scary to think that anyone who knows your @me.com or @mac.com email address or iChat login could find the active IP address you are on just by resolving that name.

I revisited the issue today because I was thinking of the problem with syncing data between iPhone/iPod applications and their desktop mac cousins.  Like syncing 1Password from my desktop to my iPod touch.  They could theoretically leverage my MobileME user dynamic dns name to sync back to my desktop as long as I opened a custom port on my router.  

Interestingly I can no longer resolve username.members.mac.com or username.members.me.com.   So I am not sure if they just haven’t fixed that since the MobileME migration.  Or did they realize the clear scriptable way someone could target mac users.  Toss a dictionary at the front of members.mac.com/members.me.com and fire off an exploit just for Mac users.  *shudder*

Zip Code Annoyance

It seems everywhere I go these days the stores and restaurants pester you for your zip code. Granted it is better than hitting you up for your phone number like they did the past few years. But I decided today to start running a test. I am going to give out 55544 instead of just declining. That is an invalid zip code. Let’s see how many places do real input validation on what the person enters into their system.