Continuing with the Splunk dashboards, let's add a panel for parsed ARPWatch logs
Sample ARPWatch Log Message
Apr 14 16:05:49 192.168.0.1 Apr 14 20:05:08 kernel: arp: 192.X.X.11 moved from 24:77:03:32:55:30 to 88:53:2e:50:9d:3f on dc0
This message shows that the MAC address for IP 192.X.X.11 has changed. This is significant because it can help detect ARP spoofing.
Our Search Filter:
host="pfsense_firewall" arp: | rex field=_raw "arp:\s(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\smoved\sfrom\s(?<before_mac>[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})\sto\s(?<after_mac>[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})\son\s(?<interface>.*)" | stats count by ip_address, before_mac, after_mac, interface
Our Results
Being able to track changing MAC addresses may help you identify misconfigured and/or malicious hosts in your network.
----- Updated on January 11, 2020 -------
I received a log from a reader who was unable to extract fields from what seems to be a different log produced by PFSense. Here is that log:
"Jan 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc"
I then duplicated this log to have a few entries:
"Dec 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc
Jan 11 17:49:20 192.168.11.25 Jan 11 17:49:20 arpwatch: bogon 169.254.20.39 2c:fd:a1:3d:4b:dc
Mar 11 17:49:20 192.168.9.254 Jan 11 17:49:20 arpwatch: bogon 169.254.5.39 2c:fd:a1:3d:4b:dc
Jun 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc
Jan 11 17:49:20 192.168.11.25 Jan 11 17:49:20 arpwatch: bogon 169.254.20.39 2c:fd:a1:3d:4b:dc
Jul 11 17:49:20 192.168.9.254 Jan 11 17:49:20 arpwatch: bogon 169.254.5.39 2c:fd:a1:3d:4b:dc"
Below is the new extraction:
source="/opt/bro/logs/current/arpwatch.log" | rex field=_raw "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*bogon\s+(?<bogon_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<mac_address>.*)" | stats count by ip_address, bogon_ip, mac_address
Here is the output from that filter:
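As an added example (not code from the original post), the two rex extractions above and the `stats count by` aggregation reproduced in Python over constructed sample lines, so the patterns can be checked offline before the panel is built. It assumes 192.0.2.11 in place of the redacted address and narrows the interface capture to `\S+`.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real firewall): one "moved from" event shaped like
# the post's first example (192.0.2.11 stands in for the redacted 192.X.X.11) and three
# "bogon" events shaped like the January 2020 update.
SAMPLE_LOGS = """\
Apr 14 16:05:49 192.168.0.1 Apr 14 20:05:08 kernel: arp: 192.0.2.11 moved from 24:77:03:32:55:30 to 88:53:2e:50:9d:3f on dc0
Jan 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc
Jan 11 17:49:20 192.168.11.25 Jan 11 17:49:20 arpwatch: bogon 169.254.20.39 2c:fd:a1:3d:4b:dc
Jan 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}"

# Same capture names as the Splunk rex searches; Python spells named groups (?P<name>...).
MOVED_RE = re.compile(
    rf"arp:\s(?P<ip_address>{IP})\smoved\sfrom\s(?P<before_mac>{MAC})"
    rf"\sto\s(?P<after_mac>{MAC})\son\s(?P<interface>\S+)"
)
# As in the update's search, ip_address is the first IP in _raw (the syslog sender).
BOGON_RE = re.compile(
    rf"(?P<ip_address>{IP}).*bogon\s+(?P<bogon_ip>{IP})\s+(?P<mac_address>{MAC})"
)
MOVED_FIELDS = ("ip_address", "before_mac", "after_mac", "interface")
BOGON_FIELDS = ("ip_address", "bogon_ip", "mac_address")


def parse_line(line):
    """Return ("moved" | "bogon", fields) or None when the line is not an ARPWatch event."""
    m = MOVED_RE.search(line)
    if m:
        return "moved", m.groupdict()
    m = BOGON_RE.search(line)
    if m:
        return "bogon", m.groupdict()
    return None


def stats_count_by(lines):
    """Mirror `| stats count by ...`: count identical field tuples per event type."""
    counts = {"moved": Counter(), "bogon": Counter()}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # rex leaves the fields empty, so stats would drop the event too
        kind, fields = parsed
        order = MOVED_FIELDS if kind == "moved" else BOGON_FIELDS
        counts[kind][tuple(fields[f] for f in order)] += 1
    return counts
```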
See you in the next post where we parse DHCP Logs
In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs
Thanks Nasreen! I do appreciate your comments.
Hi Nik,
I think arpwatch is not working as well; the log shows as below:
Jan 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc
Thanks
I see what the problem is. This is a different log from the example, I have above. However, try this filter:
source="/opt/bro/logs/current/arpwatch.log" | rex field=_raw "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*bogon\s+(?<bogon_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<mac_address>.*)" | stats count by ip_address, bogon_ip, mac_address
I was able to extract the fields in this log with the above. See the new image above; I could not add it to the comment.
Let me know if the update above helps.
Unfortunately it doesn't show anything.
If I had to guess, I would say it is one out of two things going wrong here.
1. You copied what I have above exactly as is and pasted it in Splunk. If you did, it will not work. For example, source="/opt/bro/logs/current/arpwatch.log" is not going to work for you, simply because I don't expect your source to be the same. You should consider changing your source.
2. There were no events for the period you chose. Were you able to see events before executing the command above? If you can see events for those logs, this should work just as I showed above.
If you still have a problem, let me know. However, my hope is this helps you to resolve it.
Regards
Nik
Thanks for getting back to me. Actually, I have already changed the source but still can't fetch the log. Probably the second reason; I will check and let you know :)
Great article regardless.
Thanks and don't hesitate to reach out if you still have issues.