Let’s follow up on our DNS theme of the last post. I have used my alert scripting to block attackers in the past such as those scanning heavily against SSH. Now I want to start considering emulating the complaint notification one can get from using fail2ban. So let’s start with just adding a simple external command lookup for getting the abuse contact for a given IP address. We will actually use the method found in the fail2ban complain module. So big thanks to them!
We want to have a search like this:
tag=authentication action=failure | stats count values(user) by src_ip | lookup abuseLookup ip AS src_ip
Once you add the transforms.conf stanza and the python script below, the command should work in Splunk. Keep in mind that, like the dnsLookup, this has to be done on every search head that needs it. I also have not yet worked on making this handle IPv6, which abusix.com can do with its lookups. The new abuseLookup will return a field called abusecontact on your events, which you can then use however you want when reporting events.
First edit your transforms.conf to add this stanza (the stanza name is the lookup name used in the search above):
[abuseLookup]
external_cmd = abuseLookup.py ip abusecontact
fields_list = ip, abusecontact
Now create the python script abuseLookup.py in $SPLUNK_HOME/etc/system/bin/
# This uses the https://abusix.com/contactdb.html to lookup abuse contacts based on how fail2ban operates.
# This requires the dig command
import csv
import subprocess
import sys

def getAbuse(ip):
    # Reverse the IPv4 octets and query the abusix contact zone,
    # e.g. 1.2.3.4 -> 4.3.2.1.abuse-contacts.abusix.org
    ipOctets = ip.split('.')
    address = '.'.join(reversed(ipOctets)) + '.abuse-contacts.abusix.org'
    cmd = 'dig +short -t txt -q ' + address
    abuseemail = subprocess.check_output(cmd.split())
    # dig prints the TXT value quoted and newline-terminated: "abuse@example.net"\n
    abuseemail = abuseemail[1:-2]
    return abuseemail

if len(sys.argv) != 3:
    print "Usage: python abuseLookup.py [ip field] [abuse email]"
    sys.exit(1)

# Splunk passes the input and output field names as arguments and the events as CSV on stdin
ipfield = sys.argv[1]
abusecontact = sys.argv[2]
infile = sys.stdin
outfile = sys.stdout
r = csv.DictReader(infile)
header = r.fieldnames
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()
for result in r:
    result[abusecontact] = getAbuse(result[ipfield])
    w.writerow(result)
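As an added example (not the post's script), here is the same external lookup written so the resolver can be swapped for a canned one while testing, with tolerant parsing of dig's quoted output and a first cut at the IPv6 case the post leaves open. The reverse-nibble IPv6 name and the reuse of the same abusix zone for IPv6 are assumptions; the post only shows the IPv4 form.

```python
import csv
import io
import ipaddress
import subprocess
import sys

ZONE = 'abuse-contacts.abusix.org'  # zone from the post (IPv4); reused for IPv6 here as an assumption


def query_name(ip):
    """Reversed octets for IPv4 (as in the post); reversed nibbles, ip6.arpa style, for IPv6 (assumed)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
    if addr.version == 4:
        labels = reversed(str(addr).split('.'))
    else:
        labels = reversed(addr.exploded.replace(':', ''))
    return '.'.join(labels) + '.' + ZONE


def parse_txt(dig_output):
    """dig +short quotes each TXT record, one per line, and prints nothing when unlisted."""
    return [line.strip().strip('"') for line in dig_output.splitlines() if line.strip()]


def dig_txt(name):
    """Default resolver: shell out to dig exactly as the post's script does."""
    proc = subprocess.run(['dig', '+short', '-t', 'txt', '-q', name],
                          capture_output=True, text=True, timeout=10)
    return proc.stdout


def lookup_abuse(ip, resolver=dig_txt):
    """First abuse contact for ip, or '' when the IP is invalid, unlisted or dig fails."""
    try:
        contacts = parse_txt(resolver(query_name(ip)))
    except (ValueError, subprocess.SubprocessError):
        return ''
    return contacts[0] if contacts else ''


def fill_csv(csv_text, ipfield, outfield, resolver=dig_txt):
    """Splunk external lookup protocol: CSV with header in, same columns out, outfield filled per row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator='\n')
    writer.writeheader()
    for row in reader:
        row[outfield] = lookup_abuse(row[ipfield], resolver)
        writer.writerow(row)
    return buf.getvalue()


if __name__ == '__main__':
    sys.stdout.write(fill_csv(sys.stdin.read(), sys.argv[1], sys.argv[2]))
```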