Splunk a DNS Lookup for Abuse Contacts

Let’s follow up on our DNS theme of the last post. I have used my alert scripting to block attackers in the past such as those scanning heavily against SSH. Now I want to start considering emulating the complaint notification one can get from using fail2ban. So let’s start with just adding a simple external command lookup for getting the abuse contact for a given IP address. We will actually use the method found in the fail2ban complain module. So big thanks to them!

We want to have a search like this:
tag=authentication action=failure | stats count values(user) by src_ip | lookup abuseLookup ip AS src_ip

Once you add the transforms and python script below the command should work in Splunk. Keep in mind like the dnsLookup this has to happen on any search heads that will need it. I also have not yet worked on making this handle ipv6 which abusix.com can do with the lookups. The new abuseLookup will return a field to your events called abusecontact. Then you can use that how you want in reporting events.

First edit your transforms.conf to add this stanza:

[abuseLookup]
external_cmd = abuseLookup.py ip abusecontact
fields_list = ip, abusecontact

[abuseLookup]

external_cmd = abuseLookup.py ip abusecontact

fields_list = ip, abusecontact

Now create the python script abuseLookup.py in $SPLUNK_HOME/etc/system/bin/

#!/usr/bin/env python

# This uses the https://abusix.com/contactdb.html to lookup abuse contacts based on how fail2ban operates.
# https://github.com/fail2ban/fail2ban/blob/master/config/action.d/complain.conf

# Dependancies:
# This requires the dig command


import csv
import sys
import string
import subprocess
import shlex

def getAbuse(ip):

       ipOctects = ip.split('.')
       address = '.'.join(reversed(ipOctects)) + '.abuse-contacts.abusix.org'


       try:
               cmd = 'dig +short -t txt -q '+address
               proc=subprocess.Popen(shlex.split(cmd),stdout=subprocess.PIPE)
               abuseemail,err=proc.communicate()
               abuseemail = abuseemail[1:-2]
               return abuseemail
       except:
               return []
def main():
       if len(sys.argv) != 3:
               print "Usage: python abuseLookup.py [ip field] [abuse email]"
               sys.exit(1)

       ipfield = sys.argv[1]
       abusecontact = sys.argv[2]

       infile = sys.stdin
       outfile = sys.stdout

       r = csv.DictReader(infile)
       header = r.fieldnames

       w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
       w.writeheader()


       for result in r:
               result[abusecontact] = getAbuse(result[ipfield])
               if result[abusecontact]:
                       w.writerow(result)

main()

#!/usr/bin/env python

# This uses the https://abusix.com/contactdb.html to lookup abuse contacts based on how fail2ban operates.

# https://github.com/fail2ban/fail2ban/blob/master/config/action.d/complain.conf

# Dependancies:

# This requires the dig command

import csv

import sys

import string

import subprocess

import shlex

def getAbuse(ip):

ipOctects = ip.split('.')

address = '.'.join(reversed(ipOctects)) + '.abuse-contacts.abusix.org'

try:

cmd = 'dig +short -t txt -q '+address

proc=subprocess.Popen(shlex.split(cmd),stdout=subprocess.PIPE)

abuseemail,err=proc.communicate()

abuseemail = abuseemail[1:-2]

return abuseemail

except:

return []

def main():

if len(sys.argv) != 3:

print "Usage: python abuseLookup.py [ip field] [abuse email]"

sys.exit(1)

ipfield = sys.argv[1]

abusecontact = sys.argv[2]

infile = sys.stdin

outfile = sys.stdout

r = csv.DictReader(infile)

header = r.fieldnames

w = csv.DictWriter(outfile, fieldnames=r.fieldnames)

w.writeheader()

for result in r:

result[abusecontact] = getAbuse(result[ipfield])

if result[abusecontact]:

w.writerow(result)

main()