To use the CIRCL Passive SSL service, you need a valid account, which you must request from CIRCL directly through the following page: https://www.circl.lu/services/passive-ssl/.
Detailed information about the service can also be found on that page.
After downloading this app, install it like any other app, either through the Web UI or through the command line; it's up to you.
Then you will need to edit the file pssl_lookup.py located in $SPLUNK_HOME/etc/apps/pssl/bin/
You only need to edit this file to configure your service account. For example, if your account username is "John" and your password is "1234567", proceed as follows:
Change this:
```
username = "<YOUR USERNAME>"
password = "<YOUR PASSWORD>"
```
To this:
```
username = "John"
password = "1234567"
```
Save and quit. You are done with the setup!
This app provides two scripted lookups:
`pssl_resolve(hostname)`
This lookup is a simple and naive hostname resolver that returns the IPv4 address of the provided hostname. In case of failure, None is returned.
It is not directly linked to the Passive SSL service offered by CIRCL, but in practice it is needed because the Passive SSL service only accepts IPv4 addresses as input.
The lookup notation is as follows:
```
... | lookup pssl_resolve_lookup domain as <your_field>
```
`pssl(cidr)`
This lookup is the one that queries the CIRCL Passive SSL service. The input is either an IPv4 address or a CIDR notation (e.g. 192.168.1.1/28). Note that at this moment the API does not handle masks lower than /23.
The lookup notation is as follows:
```
... | lookup pssl_lookup cidr as <your_field>
```
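As an added example (not the app's own pssl_lookup.py), here is how the two lookups above can be implemented as a Splunk external lookup script: Splunk hands the script a CSV on stdin and reads the enriched CSV back from stdout. The resolver returns the string "None" on failure, which is what the `search ip != None` step in the query below relies on, and the Passive SSL input is validated against the /23 limit stated above before any request is built. The endpoint path `https://www.circl.lu/v2pssl/query/` and HTTP Basic authentication are assumptions to verify against the CIRCL service page; the credentials are placeholders.

```python
"""Added example: a Splunk external (scripted) lookup providing both
`pssl_resolve` (naive IPv4 resolution) and `pssl` (CIRCL Passive SSL query).
Not the app's own code; endpoint layout and auth scheme are assumed."""
import base64
import csv
import ipaddress
import json
import socket
import sys
import urllib.request

# Assumed endpoint of the CIRCL Passive SSL v2 API; check the service page.
PSSL_API = "https://www.circl.lu/v2pssl/query/"
# Placeholder credentials; the real ones come from your CIRCL account.
USERNAME = "<YOUR USERNAME>"
PASSWORD = "<YOUR PASSWORD>"
# The app description states the API does not handle masks lower than /23.
MIN_PREFIX = 23


def resolve_ipv4(hostname, resolver=socket.gethostbyname):
    """Naive resolver: first IPv4 address for hostname, or None on any failure."""
    if not hostname:
        return None
    try:
        addr = resolver(hostname)
    except (socket.gaierror, socket.herror, UnicodeError, OSError):
        return None
    try:
        return str(ipaddress.IPv4Address(addr))
    except ValueError:  # resolver handed back something that is not IPv4
        return None


def validate_pssl_input(value):
    """Accept a bare IPv4 or an IPv4 CIDR; reject anything wider than /23.

    Returns the normalised target string or raises ValueError."""
    net = ipaddress.ip_network(value.strip(), strict=False)
    if net.version != 4:
        raise ValueError("Passive SSL only accepts IPv4 input: %s" % value)
    if net.prefixlen < MIN_PREFIX:
        raise ValueError("mask /%d is lower than /%d, which the API does not handle"
                         % (net.prefixlen, MIN_PREFIX))
    # A /32 is sent as a bare address, anything else as CIDR.
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def pssl_query_url(value):
    """Build the URL the lookup would fetch (assumed endpoint layout)."""
    return PSSL_API + validate_pssl_input(value)


def pssl_fetch(target, username=USERNAME, password=PASSWORD, timeout=10):
    """Authenticated GET for an already-validated target; returns parsed JSON.
    Network call, not exercised offline."""
    req = urllib.request.Request(PSSL_API + target)
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def run_lookup(rows, mode, resolver=socket.gethostbyname, fetch=pssl_fetch):
    """Process lookup rows the way Splunk hands them over (one dict per row)."""
    out = []
    for row in rows:
        row = dict(row)
        if mode == "resolve":
            row["ip"] = resolve_ipv4(row.get("domain", ""), resolver) or "None"
        else:
            try:
                target = validate_pssl_input(row.get("cidr", ""))
                row["circl_pssl"] = json.dumps(fetch(target))
            except Exception as exc:  # bad input or HTTP failure: keep the row
                row["circl_pssl"] = "error: %s" % exc
        out.append(row)
    return out


def main():
    """Splunk external lookup protocol: CSV in on stdin, CSV out on stdout."""
    mode = sys.argv[1] if len(sys.argv) > 1 else "resolve"
    reader = csv.DictReader(sys.stdin)
    extra = "ip" if mode == "resolve" else "circl_pssl"
    fields = list(reader.fieldnames or [])
    if extra not in fields:
        fields.append(extra)
    writer = csv.DictWriter(sys.stdout, fieldnames=fields)
    writer.writeheader()
    for row in run_lookup(reader, mode):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

Rejecting a /16 before the request is made keeps a single broad search from turning into an HTTP error deep inside a Splunk pipeline; the error text lands in the `circl_pssl` field instead, where it can be filtered on.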
In this example, we will assume proxy logs. Those logs contain a field named `cs_method` describing the HTTP method used and `cs_uri` which contains the requested page.
The query will do the following:
- filter on the `CONNECT` method, relevant to SSL connections;
- keep `cs_uri`, which contains the URL destination;
- parse it with `ut_parse_simple` (from UTBox, see below);
- keep the `ut_netloc` field created by UTBox;
- strip the port from it with `rtrim()`;
- then run the two lookups described above.
The query:
```
sourcetype="proxy" cs_method="CONNECT" cs_uri=* NOT cs_uri=-
| fields cs_uri
| stats count by cs_uri
| `ut_parse_simple(cs_uri)`
| fields ut_netloc
| eval netloc=rtrim(ut_netloc, ": 0123456789")
| `pssl_resolve(netloc)`
| search ip != None
| `pssl(ip)`
| table netloc ip circl_pssl
```
Notes:
Steps 7 and 9 can significantly slow down your whole query, as each event entering those lookups triggers a query to the Internet.
UTBox is available here: https://splunkbase.splunk.com/app/2734/
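The `rtrim(ut_netloc, ": 0123456789")` step in the query deserves a closer look. Splunk's `rtrim(X, Y)` removes trailing characters of X that appear in Y; it does not parse a `host:port` pair. For a hostname such as `www.example.com:443` that is fine, but a CONNECT to a bare IP (`203.0.113.10:443`) or to a hostname ending in a digit loses more than the port. As an added example that is not part of the app, the block below reproduces that behaviour in Python on constructed netlocs and puts a port-aware strip next to it.

```python
"""Added example (not the app's code): how the netloc-cleaning step behaves.
Mirrors SPL rtrim(ut_netloc, ": 0123456789") and compares it with a strip
that only removes a trailing ':<port>'."""
import re

# Character set used by the query's rtrim() call.
STRIP_SET = ": 0123456789"
# Only a trailing ':' followed by 1-5 digits counts as a port.
PORT_RE = re.compile(r"^(.*?)(?::\d{1,5})?$")

# Constructed netlocs, as ut_parse_simple would emit them for CONNECT requests.
SAMPLES = [
    "www.example.com:443",   # hostname with port: both approaches agree
    "203.0.113.10:443",      # bare IP with port: rtrim eats the last octet
    "203.0.113.10",          # bare IP without port: rtrim still mangles it
    "cdn1:8443",             # hostname ending in a digit: rtrim drops the digit
    "mail.example.com",      # no port: both leave it alone
]


def rtrim_style(netloc):
    """Mirror of Splunk rtrim(X, Y): drop trailing characters of X found in Y."""
    return netloc.rstrip(STRIP_SET)


def port_aware(netloc):
    """Remove only a trailing ':<port>'; bare IPs and digit-ending hosts stay intact."""
    return PORT_RE.match(netloc).group(1)


def compare(netlocs=SAMPLES):
    """Return (input, rtrim result, port-aware result) for each constructed netloc."""
    return [(n, rtrim_style(n), port_aware(n)) for n in netlocs]


def mangled(netlocs=SAMPLES):
    """Inputs for which the character-set strip and the port-aware strip disagree."""
    return [n for n, a, b in compare(netlocs) if a != b]


if __name__ == "__main__":
    for original, trimmed, safe in compare():
        print("%-22s rtrim=%-16s port-aware=%s" % (original, trimmed, safe))
```

The practical consequence for the query above: a destination like `203.0.113.10:443` becomes `203.0.113.`, the resolver returns None, and `search ip != None` silently drops the event, so direct-to-IP TLS connections, which are often the interesting ones, never reach Passive SSL. A naive `gethostbyname`-style resolver returns an IP literal unchanged, so with a port-aware strip those events would flow through to the `pssl` lookup. In SPL the equivalent of the port-aware strip is a regex replacement on `ut_netloc` rather than `rtrim()`.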
Created by Splunk Security Practice