Splunk Alert Scripts – Automating Control

A big thanks to the members of the @SplunkDev team who were helpful and patient with my questions while I pulled this together. Thanks guys: @gblock, @damiendallimore and David Noble

In Splunk circles, you often hear about the holy grail of using Splunk to actively control other systems. It can be hard to find details or good examples on HOW to do it. I am always working on something new that deepens my technical skills. I had not previously dealt with REST APIs or Splunk alert scripts, and this post is the result. Used well, it can replace manual daily operations tasks, changing Splunk from a tool into a team member.

We will cover a working example of using Splunk alert results to update a Google Spreadsheet via the Drive Python SDK. Once you understand how it works, you can make your own controls for any system that supports REST API calls, such as an Intrusion Prevention System blocking a list of IP addresses from a scheduled Splunk alert.

We will leverage a Splunk blog post on saving credentials in a Splunk App to avoid leaving our Google credentials hard coded and exposed in the alert script. It turns out alert scripts work in the same way, but it is not well documented. I built a Python class for retrieving those credentials from Splunk so you can re-use the code across many alert scripts. The scripts can all be found in the supporting GitHub repo. You will be able to use these as a framework for your own alert scripts to drive actions in other systems. I will not be stepping through the code itself as it is fairly well commented. There are plenty of moving parts to this, so you need to be an experienced Splunk administrator to get it working. The benefit is that once you get one working you can just make new variants with little effort.

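The point of the post above is that the alert script never carries the Google credential itself: it asks Splunk for the credential at run time using the session key Splunk hands it. The following is an added example of that lookup, written for this page and not taken from the post or its GitHub repo. It assumes Splunk passes the session key to the alert script on stdin as a "sessionKey=<key>" line, and that the stored credential is read from the app-scoped servicesNS/nobody/<app>/storage/passwords endpoint, whose Atom response carries realm, username and clear_password keys per entry; the app name my_alert_app, the realm google and the user alertbot are placeholders, and the XML response is constructed, so everything except main() runs offline.

```python
"""Look up a credential stored in a Splunk app from inside an alert script.

Added example, not the post's code. Assumptions (see lead-in): session key
arrives on stdin as "sessionKey=<key>"; credentials come from the app-scoped
storage/passwords endpoint. Only main() talks to a live Splunk.
"""
import sys
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def parse_session_key(text):
    """Return the session key from the stdin text Splunk passes to the script."""
    for line in text.splitlines():
        if line.startswith("sessionKey="):
            return line[len("sessionKey="):].strip()
    raise ValueError("no sessionKey line on stdin; was the script run by Splunk?")


def _local(tag):
    """Strip an XML namespace prefix: '{http://...}key' -> 'key'."""
    return tag.rsplit("}", 1)[-1]


def parse_credentials(xml_text):
    """Map (realm, username) -> clear_password from a storage/passwords response."""
    creds = {}
    root = ET.fromstring(xml_text)
    for entry in root.iter():
        if _local(entry.tag) != "entry":
            continue
        fields = {}
        for node in entry.iter():
            name = node.get("name")
            if _local(node.tag) == "key" and name in ("realm", "username", "clear_password"):
                fields[name] = (node.text or "").strip()
        if "clear_password" in fields:
            creds[(fields.get("realm", ""), fields.get("username", ""))] = fields["clear_password"]
    return creds


class SplunkCredentialStore:
    """Fetches the app's storage/passwords collection once and answers lookups."""

    def __init__(self, session_key, app, host="localhost", port=8089, verify_tls=True):
        self.session_key = session_key
        self.url = f"https://{host}:{port}/servicesNS/nobody/{app}/storage/passwords"
        self.verify_tls = verify_tls
        self._creds = None

    def _fetch(self):
        # The session key authenticates the REST call; the script file holds no secret.
        req = urllib.request.Request(self.url, headers={"Authorization": f"Splunk {self.session_key}"})
        ctx = ssl.create_default_context()
        if not self.verify_tls:  # only for a lab box still on Splunk's self-signed cert
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.read().decode("utf-8")

    def get_password(self, realm, username):
        if self._creds is None:
            self._creds = parse_credentials(self._fetch())
        return self._creds[(realm, username)]


# Constructed sample response, shaped like the endpoint's Atom output (placeholder values).
SAMPLE_RESPONSE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>google:alertbot:</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="realm">google</s:key>
        <s:key name="username">alertbot</s:key>
        <s:key name="password">$1$encrypted-placeholder</s:key>
        <s:key name="clear_password">example-app-password</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def main():
    """Entry point when Splunk runs this as an alert script (hypothetical app/realm names)."""
    key = parse_session_key(sys.stdin.read())
    store = SplunkCredentialStore(key, app="my_alert_app")
    secret = store.get_password("google", "alertbot")
    # ... authenticate to the target system with `secret` here, never log or print it.
    return len(secret) > 0


if __name__ == "__main__":
    main()
```

Reading the key from stdin rather than a command-line argument matters: arguments are visible to every local user via ps, stdin is not. The parser ignores the encrypted password field and only returns clear_password, which Splunk only releases to a session that has permission to read the app's credential store.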

crowbarPGP – Version 1.0.1

I have finally released my crowbarPGP Cocoa application. Included in the Install DMG you can download below is a folder called Extras. I put several OSX Automators in it that I have found useful or mentioned in other blog posts. You can edit them in Automator to see how they work.

I also added a new preference that lets you choose not to growl notify the found password while still getting a notification. Soon I will add that to the other crowbar apps. I also finally fixed the code to automatically ignore the carriage return character that comes from dictionary files originating on the Windows OS. This too I will shortly add to the other crowbar apps and release through the auto updates mechanism.

crowbarPGP is a dictionary attack tool for cracking PGP (www.pgp.com) Whole Disk Encryption and PGD virtual PGP Disk files. It requires 10.5 or 10.6 OSX. One key thing: I included the PGD attack feature. However, I found a memory leak in the pgpdisk command last year. I informed PGP of it and provided them the backup material. Unfortunately my contact is no longer with PGP and the memory leak is still there in the recent v10.0 PGP for Mac OSX. So I strongly suggest you do not use that feature until they patch it. When they do I will post a blog update and likely do a small version increment to the program through the automatic updates feature.

Thanks again to Paul Figgiani for his patience in making GUI layout and improvement suggestions.

Thanks as well to the following code and frameworks:

crowbarPGP - Download

Tutorial – Quartz Composer and Image Units in Xcode

I gave myself a crash course this weekend. I mainly wanted to be able to make plugins for fun in Pixelmator. But it turns out you can use things in iChat and Photobooth live. It was a bit of a fun uphill battle to actually figure out a repeatable process. So I wrote one. You can download my Image Units Tutorial in PDF.

I cover prototyping in Quartz Composer, moving it to an Image Unit and compiling it in Xcode. I toss in how to add a user input and even found a blog post on the Internet on how to ensure your IU puts out an image with defined dimensions.


crowbar Apps maintenance update 1.0.2

I dropped v1.0.2 of both crowbarDMG and crowbarKC into the automatic update feed. Please just run the applications and choose Check for Updates or allow automatic updates to run.

This update fixes a bug where I was not stripping the carriage return characters from Windows CRLF formatted text files used as dictionaries. It would cause the program to appear to be properly checking passwords but never find the correct password due to the extra CR character.

Xcode – Organization Name in Code Header

I did find out something interesting at the Big Nerd Ranch. Xcode does not always pick up your company name properly from your address book entry. It should pick up your name, company etc. and fill in the standard header and copyright info as you make new source code files. But it fails a lot of the time.

So here is how you fix it to show your organizational name for good.

Open up Terminal. Replace the word ORGNAME with whatever you want to show for who the code is copyrighted to. This is all one line to enter at the terminal prompt, using straight (not curly) quotes. It simply edits a plist preference value. Nothing major.

defaults write com.apple.xcode PBXCustomTemplateMacroDefinitions '{ ORGANIZATIONNAME = "ORGNAME"; }'

Big Nerd Ranch – ObjectiveC and Cocoa Programming

Well, I had a really fun time attending the ObjectiveC/Cocoa programming bootcamp from Big Nerd Ranch. I went in with seriously rusty programming skills. I probably have not looked at C code more than casually in over ten years. But I made a small effort to start going through Aaron Hillegass’ third edition Cocoa programming book before I went. I just could not get far into it on my own with home, work etc. taking up time. So I just made the conscious decision to relax and remember I was doing this for myself. Not for work. Not for yet another certification. But for fun.

I actually drove down. That Friday my wife finally got to use her Christmas present from last year: ten laps driving a racecar at Talladega. That worked out real well, because it was only a 40 minute drive tops from there to Banning Mills for the class.

It was strangely relaxing at class because my BlackBerry could only get signal on the hill leading up to my cabin from the main building. So basically once a day I checked my berry and made a phone call or two. Some days not at all. We did have Internet in the classroom. There was wireless at our cabins but it was spotty due to the fact they use a partial directional panel antenna at the main building pointing toward the various cabin areas. Not the best wireless design in the world. Honestly, after a long day of class and some personal project coding after dinner, you had no brain power left when you got to your room for more computer stuff. You would just crash.

Each day I got up around 7:30am, got ready and walked down to the main building by 8am. I would get my laptop set up and ready for class. Let it check email and pull down twitter updates. At 8:30am promptly we would have breakfast. Class started right at 9am and ran till lunch. After lunch came more class. At about 2:30pm each day we went for the daily 30 minute hike. More class till dinner. After dinner you could come back to the classroom and catch up on exercises or work on a personal project. Aaron would answer any questions you had and point you in the right direction.

One of the guys from class, Ryan C. Payne, took photos of everything at class. So I did not break out my own camera. You can check them out over in his MobileMe gallery. Check out the one with the whole class in the last set. Who knew ObjectiveC nerds had their own gang sign? Of course it has to be the square brackets. “[]”

It was a great time for everyone. It really helped me get back up to speed to the point I can write code on my own on the Mac.

Xcode v3

Last night I decided my discretionary time would be spent on starting with Xcode to get started toward my bootcamp in October. The more I learn before then, the more I will get out of the camp. I was using Aaron Hillegass’ Second Edition Cocoa book. Of course Apple had to change how you create and associate classes to objects in the GUI builder. I found once I went through Apple’s own tutorial example that I was able to automatically adapt the process in the book to how Xcode v3 works. It was pretty fun once I got it straight in my head. There is still so much to learn and I doubt I will ever be up to a professional programmer level. I am just hoping to get proficient enough to make some ideas I have had. Making a few Cocoa front ends for some good security tools would be cool too. I want to get all the way through this second edition book. Then the couple of others I have. Aaron’s third edition is coming out sometime soon. Likely, I will get that and go through it once before October.

Moseying down to the Big Nerd Ranch

I decided to do something interesting with my bonus from work this year. Well, bonus plus saving till September. Instead of adding yet another certification I decided to modernize my coding skills. In October I am going to go down to the Big Nerd Ranch for the Objective C/Cocoa Bootcamp. All on my own dime and vacation time. Heck, after 11 years at the same place I have over 4 weeks of vacation saved up that I have to use this year. If work benefits, great; if not, then I can do some things I have been wanting to code up for a few years. My seat is reserved and it’s an easy drive over to the Atlanta area when the time comes. It should be intense but fun. I have always enjoyed bootcamp environments. Plus I have a stock of books to read in plenty of time before October.