Comments on red|blue: Automating APT Scanning with Loki Scanner and Splunk
(comment feed, last updated 2023-07-25)

Anonymous, 2017-06-05:

Another thing that people may not realize is that deploying this will result in a permanent artifact on the system (permanent until you remove the app from the deployment server or disable it on the systems, anyways). That may be undesirable in some environments.

David Wells, 2017-04-17:

These are great points, thank you for sharing.

Anonymous, 2017-04-17:

I really like this concept and as a long-time security professional/Splunk admin, I figured I'd share a few notes...

I tested this idea once a few months back and it has some drawbacks depending on your environment. First off, deploying scripted inputs has limitations, namely in scheduling. You are limited to the interval schedule (which is based on the last restart of the UF service, meaning that any future restart will spawn a Loki scan) or a cron schedule (meaning all of your targeted systems will run a scan at the same time). The scans themselves can be intensive, enough so that you wouldn't want them running simultaneously on all systems.

One issue I noticed in the above walkthrough is the use of the deployment server's web GUI to assign clients to server classes and apps. In testing, you might see that, but in practice I haven't seen it often. Deployment server configurations tend to get complex pretty quickly, and the complexity causes the assignment GUI to be disabled. In my case, this would imply manually updating a config file, checking it into a git repo, pulling the repo down and syncing the deployment server, and then reloading the deployment server. You'd have to do this any time you wanted to update the signatures or any components of the app.

Another thing that people may not realize is that deploying this will result in a permanent artifact on the system (permanent until you remove the app from the deployment server or disable it on the systems, anyways). That may be undesirable in some environments.

The other thing that should be pointed out for anyone using Splunk but not familiar with the backend configurations... Props and transforms files can exist on any Splunk instance, but the actions the configs perform determine where they should actually exist. For example, the transforms used here are performing nullRouting, and those need to go to indexers and/or heavy forwarders. The props line breaking/merging and timestamp stuff also need to go to the heavy forwarders/indexers. However, the extraction lines are for the search heads. It's an important distinction to make because these systems may not be controlled by the deployment server (typically not, but definitely not when using search head/indexer clustering).

Anyway, just wanted to share. I think this is a great concept but want to make sure the drawbacks for an enterprise-wide deployment are noted.