Sunday, May 3, 2015

PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs


Continuing with the Splunk dashboards, let's add a panel for parsed ARPWatch logs.

Sample ARPWatch Log Message
Apr 14 16:05:49 192.168.0.1 Apr 14 20:05:08 kernel: arp: 192.X.X.11 moved from 24:77:03:32:55:30 to 88:53:2e:50:9d:3f on dc0

This message shows that the MAC address for IP 192.X.X.11 has changed. This is significant because it can help to detect ARP spoofing.


Our Search Filter:
host="pfsense_firewall" arp: | rex field=_raw "arp:\s(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\smoved\sfrom\s(?<before_mac>[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})\sto\s(?<after_mac>[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})\son\s(?<interface>.*)" | stats count by ip_address, before_mac, after_mac, interface

Our Results


Being able to track changing MAC addresses may help you identify misconfigured and/or malicious hosts in your network.



----- Updated on January 11, 2020 -------
I received a log from a reader who was unable to extract fields from what seems to be a different log produced by pfSense. Here is that log:

"Jan 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc"

I then duplicated this log to have a few entries:

"Dec 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc
Jan 11 17:49:20 192.168.11.25 Jan 11 17:49:20 arpwatch: bogon 169.254.20.39 2c:fd:a1:3d:4b:dc
Mar 11 17:49:20 192.168.9.254 Jan 11 17:49:20 arpwatch: bogon 169.254.5.39 2c:fd:a1:3d:4b:dc
Jun 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc
Jan 11 17:49:20 192.168.11.25 Jan 11 17:49:20 arpwatch: bogon 169.254.20.39 2c:fd:a1:3d:4b:dc

Jul 11 17:49:20 192.168.9.254 Jan 11 17:49:20 arpwatch: bogon 169.254.5.39 2c:fd:a1:3d:4b:dc"


Below is the new extraction:
source="/opt/bro/logs/current/arpwatch.log" | rex field=_raw "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*bogon\s+(?<bogon_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<mac_address>.*)" | stats count by ip_address, bogon_ip, mac_address
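As an added example (not code from the post, and not Splunk itself), the two rex extractions above, the "moved from" message and the "bogon" message, are reimplemented below in Python over a few constructed sample lines, together with a plain-Python equivalent of "stats count by" and a small per-IP move count of the kind you would use to spot a host whose MAC keeps changing. The sample lines, IPs and MACs are made up; the only deliberate difference from the search strings on the page is that the MAC and interface fields are matched with explicit patterns instead of ".*", so trailing text cannot leak into a field.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the two pfSense arpwatch messages
# shown on the page: syslog relay timestamp and sender, the original
# timestamp, then the kernel/arpwatch text. All addresses are made up.
# The last line is a non-arpwatch message that neither pattern should match.
SAMPLE_LOG = """\
Apr 14 16:05:49 192.168.0.1 Apr 14 20:05:08 kernel: arp: 192.168.0.11 moved from 24:77:03:32:55:30 to 88:53:2e:50:9d:3f on dc0
Apr 14 16:06:01 192.168.0.1 Apr 14 20:05:20 kernel: arp: 192.168.0.11 moved from 88:53:2e:50:9d:3f to 24:77:03:32:55:30 on dc0
Apr 14 16:06:15 192.168.0.1 Apr 14 20:05:34 kernel: arp: 192.168.0.11 moved from 24:77:03:32:55:30 to 88:53:2e:50:9d:3f on dc0
Jan 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc
Jan 11 17:49:20 192.168.11.25 Jan 11 17:49:20 arpwatch: bogon 169.254.20.39 2c:fd:a1:3d:4b:dc
Jan 11 17:49:21 192.168.10.254 Jan 11 17:49:21 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc
Jan 11 17:49:22 192.168.10.254 Jan 11 17:49:22 dhcpd: DHCPACK on 192.168.10.50 to 2c:fd:a1:3d:4b:dc via em0
"""

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
MAC = r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}"   # six colon-separated hex octets

# Equivalent of the first rex on the page:
#   arp: <ip> moved from <mac> to <mac> on <interface>
MOVED_RE = re.compile(
    rf"arp:\s(?P<ip_address>{IPV4})\smoved\sfrom\s(?P<before_mac>{MAC})"
    rf"\sto\s(?P<after_mac>{MAC})\son\s(?P<interface>\S+)"
)

# Equivalent of the second rex on the page. ip_address is the first IPv4 on the
# line (the relaying firewall in these samples); bogon_ip is the address arpwatch
# complained about. The MAC is matched explicitly rather than with ".*".
BOGON_RE = re.compile(
    rf"(?P<ip_address>{IPV4}).*bogon\s+(?P<bogon_ip>{IPV4})\s+(?P<mac_address>{MAC})"
)

MOVED_FIELDS = ("ip_address", "before_mac", "after_mac", "interface")
BOGON_FIELDS = ("ip_address", "bogon_ip", "mac_address")


def extract(line):
    """Return the named fields for one log line, tagged with the event kind,
    or None when neither extraction matches (Splunk would drop the event)."""
    for kind, pattern in (("moved", MOVED_RE), ("bogon", BOGON_RE)):
        m = pattern.search(line)
        if m:
            return {"event": kind, **m.groupdict()}
    return None


def stats_count(lines):
    """Mirror '| stats count by <fields>' for both searches at once.

    Returns two Counters keyed by the field tuple, in the same field order
    as the page's stats commands: (moved_counts, bogon_counts)."""
    moved, bogon = Counter(), Counter()
    for line in lines:
        fields = extract(line)
        if fields is None:
            continue
        if fields["event"] == "moved":
            moved[tuple(fields[k] for k in MOVED_FIELDS)] += 1
        else:
            bogon[tuple(fields[k] for k in BOGON_FIELDS)] += 1
    return moved, bogon


def moves_per_ip(moved):
    """Total 'moved from' events per IP, regardless of which MACs were involved.
    A high count for one IP is the flapping pattern worth reviewing."""
    per_ip = Counter()
    for (ip, _before, _after, _iface), n in moved.items():
        per_ip[ip] += n
    return per_ip


if __name__ == "__main__":
    moved, bogon = stats_count(SAMPLE_LOG.splitlines())
    for key, n in moved.items():
        print("moved", dict(zip(MOVED_FIELDS, key)), "count", n)
    for key, n in bogon.items():
        print("bogon", dict(zip(BOGON_FIELDS, key)), "count", n)
    print("moves per ip", dict(moves_per_ip(moved)))
```

Run it as a script to see the grouped counts; with the constructed sample, 192.168.0.11 flips between the same two MACs three times, which is exactly the behaviour the "moved from" panel is meant to surface. Loosening `MAC` back to `.*` reproduces the page's original extraction if your log lines carry nothing after the MAC.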

Here is the output from that filter:

See you in the next post, where we parse DHCP logs.

In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs

8 comments:

  1. Hi Nik,

    I think arpwatch is not working as well; the log shows as below:

    Jan 11 17:49:20 192.168.10.254 Jan 11 17:49:20 arpwatch: bogon 169.254.39.39 2c:fd:a1:3d:4b:dc

    Thanks

    1. I see what the problem is. This is a different log from the example I have above. However, try this filter:
      source="/opt/bro/logs/current/arpwatch.log" | rex field=_raw "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*bogon\s+(?<bogon_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<mac_address>.*)" | stats count by ip_address, bogon_ip, mac_address

      I was able to extract the fields in this log with the above. The new image is above; I could not add it to the comment.

  2. Unfortunately doesn't show anything

    1. If I had to guess, I would say it is one of two things going wrong here.

      1. You copied what I have above exactly as is and pasted it in Splunk. If you did it will not work. For example "source="/opt/bro/logs/current/arpwatch.log" is not going to work for you. Simply because I don't expect your source to be the same. You should consider changing your source.

      2. There were no events for the period you chose. Were you able to see events before executing the command above? If you can see events for those logs, this should work just as I showed above.

      If you still have a problem, let me know. However, my hope is this helps you to resolve it.

      Regards
      Nik

  3. Thanks for getting back to me, actually I have already changed the source but still can't fetch the log, probably the second reason. I will check and let you know :)
    Great article regardless
