Let’s follow up on the DNS theme of the last post. I have used my alert scripting in the past to block attackers, such as hosts scanning heavily against SSH. Now I want to start emulating the complaint notification fail2ban can send to a network's abuse contact. So let’s start with just a simple external command lookup that returns the abuse contact for a given IP address. It uses the same method as the fail2ban complain action: a DNS TXT query against the abusix.com contact database. Big thanks to them!
We want to have a search like this:
tag=authentication action=failure | stats count values(user) by src_ip | lookup abuseLookup ip AS src_ip
Once you add the transforms.conf stanza and the Python script below, the lookup command should work in Splunk. Keep in mind that, like the dnsLookup, both pieces have to be installed on every search head that will use them, and the script needs the dig command available there. I have not yet made it handle IPv6, which abusix.com does support for these lookups. The new abuseLookup adds a field called abusecontact to your events, which you can then use however you want when reporting events.
First edit your transforms.conf to add this stanza:
[abuseLookup]
external_cmd = abuseLookup.py ip abusecontact
fields_list = ip, abusecontact
Now create the Python script abuseLookup.py in $SPLUNK_HOME/etc/system/bin/
#!/usr/bin/env python
# This uses the https://abusix.com/contactdb.html to look up abuse contacts the
# same way fail2ban's complain action does:
# https://github.com/fail2ban/fail2ban/blob/master/config/action.d/complain.conf
# Dependencies:
# This requires the dig command on the search head.
#
# Splunk runs this as an external lookup:
#     abuseLookup.py <ip field> <abuse contact field>
# and passes a CSV with those columns on stdin; we write the same CSV, with the
# contact column filled in, back to stdout.

import csv
import subprocess
import sys


def isIPv4(ip):
    # Only dotted-quad IPv4 is handled here; anything else (IPv6 included) is
    # skipped, so event data never reaches dig as anything but a well-formed name.
    octets = ip.split('.')
    if len(octets) != 4:
        return False
    return all(o.isdigit() and 0 <= int(o) <= 255 for o in octets)


def getAbuse(ip):
    if not isIPv4(ip):
        return ''
    # abusix wants the octets reversed, like a PTR lookup
    address = '.'.join(reversed(ip.split('.'))) + '.abuse-contacts.abusix.org'
    try:
        # Pass an argument list rather than a shell string: no shell is involved,
        # and a crafted src_ip value cannot add arguments to dig.
        proc = subprocess.Popen(['dig', '+short', '-t', 'txt', '-q', address],
                                stdout=subprocess.PIPE,
                                universal_newlines=True)
        abuseemail, err = proc.communicate()
    except OSError:
        # dig is missing or could not be started
        return ''
    # dig prints the TXT record quoted, e.g. "abuse@example.com"; an empty
    # answer means there is no contact on file.
    return abuseemail.strip().strip('"')


def main():
    if len(sys.argv) != 3:
        print("Usage: python abuseLookup.py [ip field] [abuse email]")
        sys.exit(1)

    ipfield = sys.argv[1]
    abusecontact = sys.argv[2]

    r = csv.DictReader(sys.stdin)
    w = csv.DictWriter(sys.stdout, fieldnames=r.fieldnames)
    w.writeheader()

    for result in r:
        result[abusecontact] = getAbuse(result[ipfield])
        # Only rows that got a contact are returned; Splunk simply leaves the
        # field empty on the events that did not match.
        if result[abusecontact]:
            w.writerow(result)


main()
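To make the two moving parts of this lookup concrete, here is an added example (my code, not the script from the post) that pulls them apart: building the abusix query name from an address, parsing the TXT answer dig returns, and speaking the Splunk external-lookup protocol (CSV in on stdin, the same CSV with the output column filled in on stdout). It goes a little beyond the post: it validates the address with Python 3's ipaddress module before anything is handed to dig, and it builds the IPv6 query name as a nibble-reversed name in the style of ip6.arpa, which is my assumption about how abusix keys IPv6 entries, not something the post or abusix's docs confirm here. The zone name is the one the post queries, the comma-separated multi-contact format is assumed, and the sample input and canned DNS answers are constructed so the whole thing runs offline; swap in the real dig_txt resolver to use it for real.

```python
import csv
import io
import ipaddress
import subprocess

# Zone the post's script queries. IPv4 keys are the reversed octets, as in the
# post; the IPv6 form below (32 reversed nibbles) is an ASSUMPTION.
ABUSIX_ZONE = 'abuse-contacts.abusix.org'


def abusix_name(ip, zone=ABUSIX_ZONE):
    """DNS name to query for an IP's abuse contact. ipaddress.ip_address()
    raises ValueError on anything that is not an address literal, so event
    data can never smuggle extra labels or arguments into the query."""
    addr = ipaddress.ip_address(ip.strip())
    if addr.version == 4:
        labels = reversed(str(addr).split('.'))
    else:  # assumed format: fully expanded, one hex nibble per label, reversed
        labels = reversed(addr.exploded.replace(':', ''))
    return '.'.join(labels) + '.' + zone


def parse_txt_answer(dig_output):
    """`dig +short -t txt` prints each TXT record quoted, one per line; a record
    may (assumed) carry several comma-separated addresses. [] means no contact."""
    contacts = []
    for line in dig_output.splitlines():
        line = line.strip()
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            line = line[1:-1]
        for part in line.split(','):
            part = part.strip()
            if part and part not in contacts:
                contacts.append(part)
    return contacts


def dig_txt(name, timeout=5):
    """Real resolver: argument list (no shell) plus a timeout so a slow DNS
    server cannot hang the search."""
    proc = subprocess.run(['dig', '+short', '-t', 'txt', '-q', name],
                          stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                          universal_newlines=True, timeout=timeout)
    return proc.stdout


def enrich(infile, outfile, ipfield, outfield, resolver=dig_txt):
    """Splunk external-lookup protocol: echo the CSV header, then only the rows
    we could fill in. Malformed IPs and empty answers are dropped; Splunk leaves
    outfield blank on those events. Returns the number of rows matched."""
    reader = csv.DictReader(infile)
    fieldnames = list(reader.fieldnames)
    if outfield not in fieldnames:
        fieldnames.append(outfield)
    writer = csv.DictWriter(outfile, fieldnames=fieldnames, lineterminator='\n')
    writer.writeheader()
    matched = 0
    for row in reader:
        try:
            name = abusix_name(row.get(ipfield) or '')
        except ValueError:
            continue  # not an IP literal: never reaches the resolver
        contacts = parse_txt_answer(resolver(name))
        if contacts:
            row[outfield] = ','.join(contacts)
            writer.writerow(row)
            matched += 1
    return matched


# Constructed sample: what Splunk sends for `lookup abuseLookup ip AS src_ip`,
# plus canned answers standing in for dig (no network needed).
SAMPLE_STDIN = ('ip,abusecontact\n'
                '192.0.2.10,\n'
                '198.51.100.7,\n'
                '2001:db8::1,\n'
                'not-an-ip,\n')

FAKE_ANSWERS = {
    abusix_name('192.0.2.10'): '"abuse@example.net"\n',
    abusix_name('2001:db8::1'): '"abuse@example.org,noc@example.org"\n',
    # 198.51.100.7 has no record: dig +short prints nothing at all
}


def fake_dig_txt(name):
    return FAKE_ANSWERS.get(name, '')


def demo():
    """Run the lookup over the constructed input; returns (matched, stdout)."""
    out = io.StringIO()
    matched = enrich(io.StringIO(SAMPLE_STDIN), out, 'ip', 'abusecontact',
                     resolver=fake_dig_txt)
    return matched, out.getvalue()


if __name__ == '__main__':
    import sys
    if len(sys.argv) == 3:  # invoked by Splunk: script.py ip abusecontact
        enrich(sys.stdin, sys.stdout, sys.argv[1], sys.argv[2])
    else:
        print(demo()[1])
```

Run it with no arguments to see the offline demo: the header comes back, then only the two rows that resolved, with the multi-contact value CSV-quoted because it contains a comma. The host with no record and the malformed value are silently dropped, which is exactly what Splunk expects from an external lookup. The one design choice worth calling out is the ValueError gate in front of the resolver: the post's script builds a command line out of a field that comes straight from event data, so refusing anything that is not an address literal is the cheap way to keep that field from ever becoming extra arguments to dig.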
One Reply to “Splunk a DNS Lookup for Abuse Contacts”