IP360 and Splunk – Part 1

Introduction

Over the last several months I’ve been working towards becoming a Splunk Certified Architect.  To prepare, I wanted additional hands-on practice and tried to think of ways I could apply all the techniques I had learned in my classes.

I happened to have a lot of experience using the Tripwire IP360 (formerly nCircle) vulnerability management system.  Over the last couple of years I’ve worked on a script that utilizes their API to pull out all sorts of interesting information including vulnerability scan data and overall system health data.  I figured that I could update this script to output Splunk-friendly data, configure Splunk to monitor these logs, and then create some neat reports and dashboards.

This would accomplish two goals:

      1. Add functionality to my IP360 script that others might find useful.
      2. Learn the ins and outs of configuring Splunk: how to ingest data, how to create queries, and how to create reports.

IP360 Scoring

I didn’t have high expectations and wasn’t sure what these reports would ultimately look like. As a starting point, I reviewed some of the old reports I had manually created for past clients. These reports included information such as:

  • Enterprise Average Scores
  • Top Vulnerabilities by Impact
  • Top Hosts by Score

For those unfamiliar, IP360 uses an integer-based scoring system to rate each vulnerability as opposed to the typical classification of critical, high, medium, and low. In IP360, the higher the score, the more dangerous a vulnerability is.  The score takes into account how easy a vulnerability is to exploit, how long it has existed, if there’s a patch available, etc.  So a vulnerability with a score of 1000 is much worse than one scored as 75.  Many networks use this scoring system to prioritize their patch remediation efforts.

Personally, I think the best way to use this scoring system is to calculate the “impact” values. The formula for calculating impact is simply:

Impact = Vulnerability Score X Number of Affected Hosts

This is a great way to see how much impact each vulnerability has on your network.  So if the total score for your network is 10,000 and one particular vulnerability at a score of 200 exists on 25 machines, this is an impact of 5,000 — half your total network score!  This is definitely the vulnerability you’d want to remediate first.

In addition to vulnerability data, I also thought about what kind of health data I’d like to know about the system. Things like:

  • Database backups
  • Scan status
  • Disk usage

IP360 Tools

Taking this into account, I reviewed my IP360 script, dubbed “IP360 Tools” (I’m open to slicker names if anyone has suggestions) and started tinkering around to see what data I could pull. After much thought and hours of debugging, I came up with a script that does the following:

  • Device Profiler Status: this is what IP360 calls its scanners
  • Scan Profile Status: the configurations for each IP360 scan
  • Network Configurations: the network ranges to be scanned
  • Scan Status: the status of a scan, including failed, finished, cancelled, etc.
  • VnE Status: status of the main IP360 console
  • Database Utilization: disk usage
  • Database Last Run Times: various IP360 maintenance functions and when they last ran
  • Authentication Failures: any scans that failed to properly authenticate to a host
  • Distinct Audits: detailed vulnerability scan data for each scanned host
  • Dump ASPL: download a copy of the IP360 vulnerability database

The API gave me access to everything except the database information.  That required some additional Python magic to screen-scrape the data from the web interface.  My script outputs this data in both a human-friendly CSV format and a Splunk-friendly log format.

[Update – 1/15/2015: Download IP360 Tools]

Below are screenshots of the script in action:

[IP360 Tools help screen]

[IP360 Tools in action]

Here’s some sample output in Splunk-friendly log format:


[02/05/2014 11:22:57] name="DP Status" event_id="10001" vendor="Tripwire" product="IP360" dp_host="ivsecDPEV" dp_ip="192.168.1.215" dp_check-in="01/31/2014 17:51:26" dp_vnetime="02/05/2014 11:23:07" dp_timediff="4 days, 17:31:41" dp_status="Down"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="nCircle: Deep Scan Profile" sp_status="Inactive"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="nCircle: Host Inventory" sp_status="Inactive"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="nCircle: Ping & Port Scan" sp_status="Inactive"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="nCircle: Recommended Sarbanes-Oxley" sp_status="Inactive"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="Splunk Scan" sp_status="Inactive"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="nCircle: Web Application Scan" sp_status="Inactive"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="SCAP: Windows 7" sp_status="Inactive"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="WebApp360" sp_status="Active"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="SCAP: Test" sp_status="Inactive"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="Windows - Daily" sp_status="Active"
[02/05/2014 11:22:57] name="Scan Profile Status" event_id="10002" vendor="Tripwire" product="IP360" sp_name="Linux - Daily" sp_status="Active"
[02/05/2014 11:22:57] name="Network Configurations" event_id="10003" vendor="Tripwire" product="IP360" nc_name="Windows" nc_status="Active" nc_include="192.168.1.109, 192.168.1.132" nc_exclude="None"
[02/05/2014 11:22:57] name="Network Configurations" event_id="10003" vendor="Tripwire" product="IP360" nc_name="Linux" nc_status="Active" nc_include="192.168.1.125" nc_exclude="None"
[02/05/2014 11:22:57] name="VnE Status" event_id="10004" vendor="Tripwire" product="IP360" vne_release="7.2.2" vne_aspl="base-3-546,nonpci-3-546,spider-3-546,web-3-546" vne_loadavg="0.11" vne_percentdriveutil="0" vne_timestamp="02/05/2014 17:23:08" vne_uptime="0.0" vne_percentmemory="21" vne_percentdisk="4"
[02/05/2014 11:22:57] name="Database Utilization" event_id="10005" vendor="Tripwire" product="IP360" dbu_used="7.9" dbu_total="177.7" dbu_util="4.45"
[02/05/2014 11:22:57] name="Database Settings" event_id="10006" vendor="Tripwire" product="IP360" dbs_delrecentdata="01/31/2014 05:00:00" dbs_diskusage="01/31/2014 00:05:00" dbs_vacuum="01/31/2014 06:00:00"
[02/05/2014 11:22:57] name="Database Backup" event_id="10007" vendor="Tripwire" product="IP360" dbb_backup="01/31/2014 03:00:00" dbb_diskusage="01/31/2014 00:05:00" dbb_purge="01/31/2014 00:10:01" dbb_push="01/31/2014 00:15:00"
[02/05/2014 11:22:57] name="Database Archive" event_id="10008" vendor="Tripwire" product="IP360" dba_archive="01/31/2014 04:00:00" dba_diskusage="01/31/2014 00:05:00" dba_purge="01/31/2014 00:10:01" dba_push="01/31/2014 00:15:00"
[02/05/2014 11:22:57] name="Database Logfile" event_id="10009" vendor="Tripwire" product="IP360" dbl_diskusage="01/31/2014 00:05:00" dbl_purgesettings="01/31/2014 00:10:01"
[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="11" da_end="01/14/2014 20:24:27" da_hostid="40" da_hostnetbiosname="WIN-7CCVKCFTFV1" da_hostdnsname="192.168.1.114" da_hostnetwork="Windows" da_hostip="192.168.1.114" da_vulnid="552"
[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="11" da_end="01/14/2014 20:24:27" da_hostid="40" da_hostnetbiosname="WIN-7CCVKCFTFV1" da_hostdnsname="192.168.1.114" da_hostnetwork="Windows" da_hostip="192.168.1.114" da_vulnid="1225"
[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="11" da_end="01/14/2014 20:24:27" da_hostid="40" da_hostnetbiosname="WIN-7CCVKCFTFV1" da_hostdnsname="192.168.1.114" da_hostnetwork="Windows" da_hostip="192.168.1.114" da_vulnid="1343"
[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="11" da_end="01/14/2014 20:24:27" da_hostid="40" da_hostnetbiosname="WIN-7CCVKCFTFV1" da_hostdnsname="192.168.1.114" da_hostnetwork="Windows" da_hostip="192.168.1.114" da_vulnid="1492"
[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="11" da_end="01/14/2014 20:24:27" da_hostid="40" da_hostnetbiosname="WIN-7CCVKCFTFV1" da_hostdnsname="192.168.1.114" da_hostnetwork="Windows" da_hostip="192.168.1.114" da_vulnid="6128"
[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="11" da_end="01/14/2014 20:24:27" da_hostid="40" da_hostnetbiosname="WIN-7CCVKCFTFV1" da_hostdnsname="192.168.1.114" da_hostnetwork="Windows" da_hostip="192.168.1.114" da_vulnid="6129"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="11" af_network="Windows" af_type="WMI" af_hostname="192.168.1.114" af_ip="192.168.1.114"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="53" af_network="Windows" af_type="WMI" af_hostname="192.168.1.132" af_ip="192.168.1.132"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="54" af_network="Windows" af_type="WMI" af_hostname="192.168.1.132" af_ip="192.168.1.132"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="86" af_network="Windows" af_type="WMI" af_hostname="192.168.1.109" af_ip="192.168.1.109"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="91" af_network="Windows" af_type="WMI" af_hostname="192.168.1.109" af_ip="192.168.1.109"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="11" af_network="Windows" af_type="RPC DCOM" af_hostname="192.168.1.114" af_ip="192.168.1.114"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="53" af_network="Windows" af_type="RPC DCOM" af_hostname="192.168.1.132" af_ip="192.168.1.132"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="54" af_network="Windows" af_type="RPC DCOM" af_hostname="192.168.1.132" af_ip="192.168.1.132"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="86" af_network="Windows" af_type="RPC DCOM" af_hostname="192.168.1.109" af_ip="192.168.1.109"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="91" af_network="Windows" af_type="RPC DCOM" af_hostname="192.168.1.109" af_ip="192.168.1.109"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="53" af_network="Windows" af_type="SMB" af_hostname="192.168.1.132" af_ip="192.168.1.132"
[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="54" af_network="Windows" af_type="SMB" af_hostname="192.168.1.132" af_ip="192.168.1.132"
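The following is an added example, not code from IP360 Tools or from the original post: it parses the log format shown above and computes the Impact = Vulnerability Score X Number of Affected Hosts ranking from the IP360 Scoring section over the "Distinct Audit" events. The second host, the rescanned duplicate, and the score lookup are constructed for illustration (real scores come from the ASPL dump, not from these lines).

```python
import re
from collections import defaultdict

# Timestamp prefix and key="value" pairs of the IP360 Tools log format (keys may contain '-').
TS_RE = re.compile(r'^\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\] ')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

def parse_event(line):
    """Return one log line as a dict (timestamp plus every key="value" field), or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    event = {"timestamp": m.group(1)}
    event.update(KV_RE.findall(line[m.end():]))
    return event

def impact_ranking(lines, scores):
    """Impact = vulnerability score x number of distinct affected hosts, highest first.
    Only 'Distinct Audit' events (event_id 10011) count; hosts are deduplicated per vuln so a
    rescanned host is not counted twice; vuln IDs missing from the lookup are reported, not scored 0."""
    hosts_by_vuln = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev and ev.get("event_id") == "10011":
            hosts_by_vuln[ev["da_vulnid"]].add(ev["da_hostid"])
    ranking, missing = [], set()
    for vuln, hosts in hosts_by_vuln.items():
        if vuln not in scores:
            missing.add(vuln)
            continue
        ranking.append((vuln, scores[vuln], len(hosts), scores[vuln] * len(hosts)))
    ranking.sort(key=lambda r: (-r[3], r[0]))
    return ranking, missing

# Constructed sample in the page's format: host 40 scanned twice (da_id 11 and 13),
# host 41 once, plus a DP Status and an Auth Fail event that the ranking must ignore.
SAMPLE_LINES = [
    '[02/05/2014 11:22:57] name="DP Status" event_id="10001" vendor="Tripwire" product="IP360" dp_host="ivsecDPEV" dp_ip="192.168.1.215" dp_check-in="01/31/2014 17:51:26" dp_timediff="4 days, 17:31:41" dp_status="Down"',
    '[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="11" da_hostid="40" da_hostip="192.168.1.114" da_vulnid="552"',
    '[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="11" da_hostid="40" da_hostip="192.168.1.114" da_vulnid="1225"',
    '[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="11" da_hostid="40" da_hostip="192.168.1.114" da_vulnid="1343"',
    '[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="12" da_hostid="41" da_hostip="192.168.1.132" da_vulnid="552"',
    '[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="12" da_hostid="41" da_hostip="192.168.1.132" da_vulnid="6128"',
    '[02/05/2014 11:22:57] name="Distinct Audit" event_id="10011" vendor="Tripwire" product="IP360" da_id="13" da_hostid="40" da_hostip="192.168.1.114" da_vulnid="552"',
    '[02/05/2014 11:22:57] name="Auth Fail" event_id="10012" vendor="Tripwire" product="IP360" af_id="11" af_network="Windows" af_type="WMI" af_hostname="192.168.1.114" af_ip="192.168.1.114"',
]
# Constructed score lookup (real scores come from the ASPL dump); 1343 is left out on purpose.
SAMPLE_SCORES = {"552": 200, "1225": 75, "6128": 1000}
```

With the sample data, vuln 552 at score 200 on two hosts (impact 400) ranks below vuln 6128 at score 1000 on one host (impact 1000), and 1343 is flagged as having no score rather than disappearing from the report.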

In Part 2, we’ll take a look at how to get this data into Splunk and what kind of reports and dashboards are possible.
