Gov&.info
Splunk - Sonicwall project
[2015-03-01]

Purpose: Using a Splunk alert to block the attacker's IP in the SonicWall

This project was a challenge that needed multiple parts to work together: first, a script that can program the SonicWall; then, getting Splunk to hand the attacker IP to that script; finally, having the script take the IP it receives and program the SonicWall to block it.

Steps:
Splunk: configure Splunk to search for the attacks you care about. You need to extract the attacker IP from the results; I extracted a new field and named it src_ip.


Pipe the results to a table showing only src_ip; this way each event that fires gives us just the attacker IP. Some examples:

host="192.168.0.1" denied login | table src_ip
host = 192.168.0.1 tcp scan | table src_ip

Save As Alert

Give it a title and choose Alert type: Real Time if you want to block attackers in real time, then Next



Configure your alert, check "Run a script" and enter the script name (mine is block.sh). Upload the script to your Splunk server into $SPLUNK_HOME/bin/scripts, where $SPLUNK_HOME is the directory Splunk is installed in (/opt/splunk by default), then Save. Make sure the script is executable and owned by the user Splunk runs as, otherwise the alert fires but nothing happens.


When an alert triggers, Splunk runs the script and passes it some information as positional arguments. The useful one for us is ARG_8 ($8 in the shell), the path to a gzipped CSV file holding the alert results. Here are all the arguments:

#0      SPLUNK_ARG_0    Script name
#1      SPLUNK_ARG_1    Number of events returned
#2      SPLUNK_ARG_2    Search terms
#3      SPLUNK_ARG_3    Fully qualified query string
#4      SPLUNK_ARG_4    Name of report
#5      SPLUNK_ARG_5    Trigger reason For example, "The number of events was greater than 1."
#6      SPLUNK_ARG_6    Browser URL to view the report.
#7      SPLUNK_ARG_7    Not used for historical reasons.
#8      SPLUNK_ARG_8    File in which the results for the search are stored. Contains raw results.

The tricky part for me was: how do you extract the attacker IP from the .gz file generated by the alert? Perl scripts were easily found using Google, but then I would have needed to change the rest of my script to Perl; I tried to run the SonicWall configuration part from Perl, and it worked manually, but with the Splunk alert it did not work.

Here is what I came up with after hours of research:

IP2=$(gunzip -c "$8" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')

Here I am retrieving ARG_8, which is $8 in the shell, using gunzip -c to write the decompressed results to stdout and piping that into grep, whose extended regexp (-E) prints only the matched IP addresses (-o). Two things to keep in mind: if the alert returned several events, IP2 will hold several addresses, one per line, so whatever uses it must cope with more than one; and the pattern accepts any three digits per octet, so a string like 999.1.1.1 would also get through.

The shell script takes the retrieved IP and logs in to the SonicWall to add it as an address object to a group named "blockx"; the address-group command creates the group if it does not already exist.

My script is based on : https://gist.github.com/rbewley4/7758687

You will need to install "expect" if it is not installed; on Ubuntu (Debian) you can use: apt-get install expect

The script needs an admin account on the SonicWall. Because the password sits in the script in plain text, keep the file readable only by the user Splunk runs as, and prefer a dedicated admin account for it so that its changes can be told apart from yours in the SonicWall log.

In the SonicWall, add a firewall rule that blocks all access for the address objects in group "blockx".


Leave it to run for some time!!


Result:

Splunk:


Sonicwall:


Here is the SonicWall configuration script, block.sh:

#!/bin/bash
# Splunk - sonicwall
# By Govand Sinjari 10 Oct 2014, full working version 21 Feb 2015
# install expect: apt-get install expect
# usage: Splunk runs it as  block.sh ARG0 ARG1 ... ARG8 ; ARG8 ($8) is the results .gz
# Splunk - Access arguments to scripts that are run as an alert action
#Arg    Environment Variable    Value
#0      SPLUNK_ARG_0    Script name
#1      SPLUNK_ARG_1    Number of events returned
#2      SPLUNK_ARG_2    Search terms
#3      SPLUNK_ARG_3    Fully qualified query string
#4      SPLUNK_ARG_4    Name of report
#5      SPLUNK_ARG_5    Trigger reason For example, "The number of events was greater than 1."
#6      SPLUNK_ARG_6    Browser URL to view the report.
#7      SPLUNK_ARG_7    Not used for historical reasons.
#8      SPLUNK_ARG_8    File in which the results for the search are stored. Contains raw results.

IP=192.168.0.1      # SonicWall management address
password=pass       # admin password in plain text: keep this file mode 700, owned by the splunk user
login=adminuser

# Every IPv4 address in the result file, one per line, duplicates removed.
# A single alert can return several events, so this may hold more than one address.
IPS=$(gunzip -c "$8" | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u)

# This is for test only, to check if your alert is working
echo "`date` ARG0='$0' ARG1='$1' ARG2='$2' ARG3='$3' ARG4='$4' ARG5='$5' ARG6='$6' ARG7='$7' ARG8='$8' IP='$IPS'"  >> "/home/x/Downloads/block.out"

# Nothing to do if the results contained no address
[ -n "$IPS" ] || exit 0

# +whatever variables you need to use

# Run the expect script from bash, once per address
for IP2 in $IPS; do
expect_sh=$(expect -c "
set timeout 30
spawn ssh $login@$IP

# Accept the ssh host-key prompt if it shows up (first connection only), then log in
expect {
    \"(yes/no)\" { send \"yes\r\"; exp_continue }
    \"password:\" { send \"$password\r\" }
}
expect \"#\"

send \"configure\r\"
expect \"#\"

# Answers a yes/no prompt SonicOS may show when entering configure mode;
# if none appears the CLI just reports an unknown command
send \"yes\r\"
expect \"#\"

# Create a host object for the attacker in the WAN zone
send \"address-object ipv4 bad_$IP2 host $IP2 zone WAN\r\"
expect \"#\"

# Enter (and create if needed) the blockx group, then add the object to it
send \"address-group ipv4 blockx\r\"
expect \"#\"

send \"address-object ipv4 bad_$IP2\r\"
expect \"#\"

send \"exit\r\"
expect \"#\"

send \"exit\r\"
expect \"#\"

# Answers the yes/no prompt SonicOS may show when leaving configure mode
send \"yes\r\"
expect \"#\"

send \"exit\r\"
")

# Output or do something with the results
echo "$expect_sh"
done
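An added example, not the author's block.sh, covering the two parts the post leaves to grep alone: pulling src_ip values out of the results.csv.gz that Splunk passes as $8, checking that each one is a real IPv4 address, dropping duplicates, and refusing to block loopback, RFC 1918 space or the firewall's own management address (blocking those would lock you out rather than an attacker). For the survivors it prints the SonicOS lines block.sh sends through expect. The sample result file, the NEVER_BLOCK list and all function names are constructed for this example; it assumes the results file is a CSV whose header names the column src_ip and whose fields contain no commas.

```bash
#!/bin/bash
# Added example, not the post's block.sh: validate and filter the attacker IPs
# from a Splunk alert result file before anything is sent to the SonicWall.

# Addresses we refuse to block even if they show up in a result. The firewall's
# own management address (192.168.0.1 as in the post) is an assumed value; add your own.
NEVER_BLOCK="192.168.0.1"

# True (exit 0) if $1 is a well-formed dotted quad with every octet 0-255.
# grep's [0-9]{1,3} pattern alone would also let 999.1.1.1 through.
is_valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# True (exit 0) if $1 is loopback, RFC 1918, or listed in NEVER_BLOCK.
is_never_block() {
    case "$1" in
        127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    for a in $NEVER_BLOCK; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Print the validated, unique, blockable addresses from a results .gz, one per line.
# $1 = path to the file Splunk passes as SPLUNK_ARG_8 ($8).
extract_src_ips() {
    local gz="$1" col
    # Locate the src_ip column from the CSV header (assumes no commas inside fields).
    col=$(gunzip -c "$gz" | head -n 1 | tr -d '"\r' |
          awk -F, '{ for (i = 1; i <= NF; i++) if ($i == "src_ip") { print i; exit } }')
    if [ -z "$col" ]; then
        echo "extract_src_ips: no src_ip column in $gz" >&2
        return 1
    fi
    gunzip -c "$gz" | tail -n +2 | tr -d '"\r' |
        awk -F, -v c="$col" 'NF >= c { print $c }' | sort -u |
    while IFS= read -r ip; do
        if ! is_valid_ipv4 "$ip"; then
            echo "skip (malformed): $ip" >&2
        elif is_never_block "$ip"; then
            echo "skip (never block): $ip" >&2
        else
            printf '%s\n' "$ip"
        fi
    done
}

# Print the SonicOS CLI lines block.sh sends for one address: create the host
# object and add it to the blockx group (the same commands as the expect script).
sonicwall_block_commands() {
    printf 'address-object ipv4 bad_%s host %s zone WAN\n' "$1" "$1"
    printf 'address-group ipv4 blockx\n'
    printf 'address-object ipv4 bad_%s\n' "$1"
    printf 'exit\n'
}

# Constructed sample in the shape of Splunk's results.csv.gz for `... | table src_ip`:
# a quoted header, then one quoted value per event, including a duplicate, an
# internal host, the firewall itself and a malformed quad. $1 = output path.
make_sample_results() {
    printf '"src_ip"\n"203.0.113.10"\n"198.51.100.7"\n"203.0.113.10"\n"10.0.0.9"\n"192.168.0.1"\n"999.1.1.1"\n' |
        gzip -c > "$1"
}

# Demo: behave as block.sh would, with the sample file standing in for $8.
demo() {
    local f
    f=$(mktemp) || return 1
    make_sample_results "$f"
    extract_src_ips "$f" | while IFS= read -r ip; do
        echo "# would block $ip with:"
        sonicwall_block_commands "$ip"
    done
    rm -f "$f"
}

demo
```

Run it as-is to see the two public addresses come out and the internal, firewall and malformed entries rejected on stderr; in block.sh you would replace the grep line with a call to extract_src_ips "$8" and loop over its output.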