GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → jorritfolmer → TA-dmarc

jorritfolmer / TA-dmarc

Licence: other
Add-on for ingesting DMARC aggregate reports into Splunk

Programming Languages

python
139335 projects - #7 most used programming language

Labels

splunkdmarc

Projects that are alternatives of or similar to TA-dmarc

spring-microservices-in-action
The source code of the book "Spring Microservices in Action (John Carnell)" and the personal summary of technical essentials about Spring Boot for microservices.
Stars: ✭ 54 (+285.71%)
Mutual labels:  splunk
splunk handler
Python logging handler for sending logs to Splunk Enterprise
Stars: ✭ 44 (+214.29%)
Mutual labels:  splunk
splunk-connect-for-syslog
Splunk Connect for Syslog
Stars: ✭ 111 (+692.86%)
Mutual labels:  splunk
kafka-connect-splunk
Kafka Connect connector for receiving data and writing data to Splunk.
Stars: ✭ 25 (+78.57%)
Mutual labels:  splunk
ansible-splunk-playbook
Install a full Splunk Enterprise Cluster or Universal forwarder using an ansible playbook
Stars: ✭ 34 (+142.86%)
Mutual labels:  splunk
TA-bigfix
Splunk technical add-on (TA) for ingesting BigFix client, relay, and server logs. Includes REST inputs for ingesting assets, relevant fixlets, action summaries, and analysis results.
Stars: ✭ 15 (+7.14%)
Mutual labels:  splunk
TA-opnsense
Splunk Add on for OPNsense firewall
Stars: ✭ 13 (-7.14%)
Mutual labels:  splunk
Hermes-Secure-Email-Gateway
Hermes Secure Email Gateway is a Free Open Source Ubuntu 18.04 or 20.04 Server based Email Gateway that provides Spam, Virus and Malware protection, full in-transit and at-rest email encryption as well as email archiving. It features the latest email authentication techniques such as SPF, DKIM and DMARC.
Stars: ✭ 35 (+150%)
Mutual labels:  dmarc
ansible-role-for-splunk
Splunk@Splunk's Ansible role for installing Splunk, upgrading Splunk, and installing apps/addons on Splunk deployments (VM/bare metal)
Stars: ✭ 75 (+435.71%)
Mutual labels:  splunk
mailserver
Simple and full-featured mail server using Docker
Stars: ✭ 88 (+528.57%)
Mutual labels:  dmarc
Kong-API-Manager
Kong API Manager with Prometheus And Graylog
Stars: ✭ 78 (+457.14%)
Mutual labels:  splunk
splunk-otel-js-web
Splunk distribution of Open Telemetry for browser environment.
Stars: ✭ 23 (+64.29%)
Mutual labels:  splunk
fanuc-driver
Configurable Fanuc Focas data collector and post processor.
Stars: ✭ 38 (+171.43%)
Mutual labels:  splunk
config explorer
Config viewer and file editor for Splunk. Based on VSCode.
Stars: ✭ 20 (+42.86%)
Mutual labels:  splunk
TA ETW
Splunk Technology Add-On (TA) for collecting ETW events from Windows systems
Stars: ✭ 17 (+21.43%)
Mutual labels:  splunk
sysmon-splunk-app
Sysmon Splunk App
Stars: ✭ 42 (+200%)
Mutual labels:  splunk
Sigma
Generic Signature Format for SIEM Systems
Stars: ✭ 4,418 (+31457.14%)
Mutual labels:  splunk
mailsec-check
Another utility to analyze state of deployment of security-related email protocols.
Stars: ✭ 37 (+164.29%)
Mutual labels:  dmarc
evtx2json
A tool to convert Windows evtx files (Windows Event Log Files) into JSON format and log to Splunk (optional) using HTTP Event Collector.
Stars: ✭ 38 (+171.43%)
Mutual labels:  splunk
TA-Sysmon-deploy
Deploy and maintain Symon through the Splunk Deployment Sever
Stars: ✭ 31 (+121.43%)
Mutual labels:  splunk
View All Similar Projects ➔

TA-dmarc add-on for Splunk

TA-dmarc add-on for Splunk supports ingesting DMARC XML aggregate reports from an IMAP/POP3 mailbox or local directory with mitigations against:

  • ZIP bombs
  • gzip bombs
  • various XML attack vectors like billion laughs, quadratic blowup, external entity expansion and so on
  • malformed reports
  • false reports (alpha)

Supported Splunk versions and platforms

Splunk version Linux Windows
8.1 Yes Yes
8.2 Yes Yes
9.0 Yes Likely, untested

Additional requirements:

  • Splunk heavy forwarder or cloud IDM instance: Because of Python dependencies Splunk Universal Forwarder is not supported
  • KVstore: used to keep track of which IMAP messages or local files have already been processed. KVstore is enabled by default on Splunk instances.

Upgrading from previous versions

From 3.x to 4.x

  • Upgrade Splunk to at least 8.1.x or higher. Earlier Splunk versions are not suppported starting version 4.0 of the TA-dmarc add-on.

From 2.x to 3.x

The event output format changed to JSON. This is the new default because JSON is a better match for the structured aggregate reports than a flat key=value (KV) format. See for example issue #4 on Github. If you want your inputs to to keep using the KV format:

  • Disable your inputs before upgrading
  • Upgrade the add-on to version 3.x
  • Edit your inputs and change the output format to KV
  • Enable your inputs

Note that KV format output is likely to be deprecated in future versions, and enhancements like multiple XSD validation aren't available in KV output format.

From 1.x to 2.x

Because of changes to KVstore logic, the add-on will re-index every report on IMAP, leading to duplicate events.

Install the TA-dmarc add-on for Splunk

Single instance Splunk deployments

  1. In Splunk, click on "Manage Apps"
  2. Click "Browse more apps", search for "TA-dmarc" and install the add-on

Distributed Splunk deployments

Instance type Supported Required Description
Search head Yes Yes Install this add-on on your search head(s) where CIM compliance of DMARC aggregate reports is required
Indexer Yes No This add-on should be installed on a heavy forwarder that does the index time parsing. There is no need to install this add-on on an indexer too.
Universal Forwarder No No This add-on is not supported on a Universal Forwarder because it requires Python
Heavy Forwarder Yes Yes Install this add-on on a heavy forwarder to ingest DMARC XML aggregate reports into Splunk.

The following table lists support for distributed deployment roles in a Splunk deployment:

Deployment role Supported Description
Search head deployer Yes Install this add-on on your search head deployer to enable CIM compliance of DMARC aggregate reports on a Search Head Cluster
Cluster Master No This add-on should be installed on a heavy forwarder that performs parsing at index time. There is no need to install this add-on on an indexer too.
Deployment Server Depends This add-on can be (1) deployed unconfigured to a client or (2) deployed preconfigured with a directory input. Due to the encrypted credentials it cannot be deployed preconfigured for IMAP inputs.

Configure TA-dmarc add-on for Splunk

Steps:

  1. Add an account
  2. Add an input

If you're using this add-on from a disconnected network, you can skip account creation and create a new directory based input. This assumes you have an offline method for getting DMARC attachments to this directory.

Add an account

In the Configuration tab, create a new account:

  • Account Name: descriptive account name, e.g. google_dmarc_mailbox
  • Username: the account to identify with (or the OAuth2 Client ID)
  • Password: the password to authenticate with (or the OAuth2 Client Secret)

Create global account

Add an input

This add-on can ingest DMARC aggregate reports from:

  • IMAP mailboxes using basic or OAuth2 authentication
  • POP mailboxes using basic authentication
  • Local directories (for offline environments)

Screenshot create new input

DMARC imap/pop input (basic authentication)

Go to the add-on's input tab and configure a new modular input by clicking on the "Inputs" menu:

Screenshot create new input

  • Click "Create new input"
  • Select "DMARC imap" or "DMARC pop3"
  • Configure:
    • Name: e.g. dmarc-google
    • Interval: how often to poll the mailserver for aggregate reports.
    • Index: what Splunk index to send the aggregate reports to
    • Global Account: select the account to authenticate with
    • IMAP server: the imap server to poll
    • Resolve IP: Whether or not to resolve the row source_ip in the DMARC XML aggregate reports
    • Validate XML: Whether or not to validate the DMARC XML against the DMARC XSD
    • Validate DKIM: Whether or not to validate the DKIM signature(s) in the mail
    • IMAP mailbox: Select the specific IMAP mailbox folder to poll. Default: INBOX
    • Output format: Send events to Splunk in JSON format (default) or key=value (left for compatibility reasons)

DMARC imap input (OAuth2 authentication)

Go to the add-on's input tab and configure a new modular input by clicking on the "Inputs" menu:

SCREENSHOT_NEEDED

  • Click "Create new input"
  • Select "DMARC imap OAuth2"
  • Configure:
    • Name: e.g. dmarc-google
    • Interval: how often to poll the mailserver for aggregate reports.
    • Index: what Splunk index to send the aggregate reports to
    • Global Account: select the account to authenticate with
    • IMAP server: the imap server to poll
    • IMAP mailbox: the mailbox to poll. Name format may vary by service, probably the SMTP address will work
    • IMAP folder: the specific mailbox folder to poll. Default: INBOX
    • OAuth2 authority: refer to your service's documentation.
    • OAuth2 scope: refer to your service's documentation.
    • Resolve IP: Whether or not to resolve the row source_ip in the DMARC XML aggregate reports
    • Validate XML: Whether or not to validate the DMARC XML against the DMARC XSD
    • Validate DKIM: Whether or not to validate the DKIM signature(s) in the mail
    • Output format: Send events to Splunk in JSON format (default) or key=value (left for compatibility reasons)

Sample OAuth2 Settings (subject to change)

Service Authority Scope
Office 365 https://login.microsoftonline.com/<TENANT_ID> https://outlook.office365.com/.default
Google

TA-dmarc can fetch DMARC aggregate reports from an IMAP or POP3 server. It will look for:

  1. messages with "Report domain:" in the subject.
  2. attachments with .xml, .zip or xml.gz file extentions
  3. attachments with mime-types:
    • application/zip
    • application/gzip
    • application/x-gzip
    • application/xml
    • text/xml
    • application-x-gzip (Non-standard mimetype used for Comcast DMARC reports)
    • application/x-zip-compressed (Non-standard mimetype used for Yahoo DMARC reports)

The add-on doesn't modify, move or delete messages on the IMAP server but insteads keeps a record in the Splunk KV-store of which mails have already been read.

Resolve IP setting

DMARC XML aggregate reports contain a source_ip that can be reverse resolved at index time. This is the default but can cause considerable delay in processing aggregate reports due to unreachable nameservers. Second, because the reverse DNS record cannot really be trusted, another forward lookup is performed. Only if the reverse and forward lookup match, the result is included in the output.

Validate XML setting

DMARC XML aggregate reports can be validated against multiple DMARC RUA XML schema definition versions (XSD):

  • The XSD from draft-dmarc-base-00-02 (march 2012)
  • The XSD from RFC7489 (march 2015)
  • A custom relaxed XSD that should succesfully verify RFC7489-based reporters and pre-RFC7489 reporters

The result of the validations is added as new event fields in Splunk: vendor_rua_xsd_validations

Validate DKIM setting

DKIM signatures from email messages can be verified. Currently the results of this validation are only available in debug log. Future versions will add a new event field in Splunk.

Directory input

TA-dmarc can watch a folder for new DMARC aggregate reports. This can be useful for loading DMARC reports in non-internet connected environments. It will look for files with extentions:

  1. .xml
  2. .zip
  3. .xml.gz

TA-dmarc doesn't modify, move or delete files in the directory: it uses internal checkpointing to keep track of which files have been previously read. Any invalid .xml, .zip or .xml.gz files are ignored and logged.

  1. Go to the add-on's configuration UI and configure a new modular input by clicking on the "Inputs" menu.
  2. Click "Create new input"
  3. Select "DMARC directory"
  4. Configure:
    • Name: e.g. "production_dmarc_indir"
    • Interval: how often to poll the directory where DMARC XML aggregate reports are read from
    • Index: what Splunk index to send the aggregate reports to
    • Directory: Location where DMARC aggregate reports should be read from
    • Quiet time: Ignore files that have a modification time of less than n seconds ago. You can use this to prevent ingesting large files that are dropped on a network share but take some time to transfer
    • Resolve IP: Whether or not to resolve the raw source_ip in the DMARC XML aggregate reports
    • Validate XML: Whether or not to validate the DMARC XML against the DMARC XSD
  5. Click add

DMARC aggregate reports

Relevant fields within an aggregate report are mapped from the CIM Authentication datamodel, because DMARC is short for "Domain-based Message Authentication ... etc".

Mapping from the Authentication datamodel has the following advantages:

  • DMARC aggregate report results are automatically incorporated in the relevante Splunk Enterprise Security dashboards.
  • Accelerated |tstats searches can be performed against the normalized fields by selecting where All_Authentication.app=dmarc

Authentication datamodel mappings

From the XML sample below, the following values and fields are mapped:

Authentication datamodel field name Value
action failure
app dmarc
dest google.com
signature Use of mail-from domain example.com at google.com
signature_id 13190401177475355109
src resolved.name.if.available.test
src_ip 192.0.2.78
user example.com
eventtype dmarc_rua_spf_only
tag authentication, insecure

DMARC XML sample

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>13190401177475355109</report_id>
    <date_range>
      <begin>1506988800</begin>
      <end>1507075199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.78</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>example.com</domain>
        <result>fail</result>
      </spf>
    </auth_results>
  </record>
</feedback>

Fields

From the DMARC XML sample above, the following fields are created:

Splunk field value origin
action success CIM
app dmarc CIM
dest google.com CIM
eventtype dmarc_rua_spf_only(authentication insecure) CIM
feedback{}.policy_published.adkim r XML report
feedback{}.policy_published.aspf r XML report
feedback{}.policy_published.domain example.com XML report
feedback{}.policy_published.p none XML report
feedback{}.policy_published.pct 100 XML report
feedback{}.policy_published.sp none XML report
feedback{}.record.auth_results.spf.domain example.com XML report
feedback{}.record.auth_results.spf.result fail XML report
feedback{}.record.identifiers.header_from example.com XML report
feedback{}.record.row.count 1 XML report
feedback{}.record.row.policy_evaluated.disposition none XML report
feedback{}.record.row.policy_evaluated.dkim fail XML report
feedback{}.record.row.policy_evaluated.spf fail XML report
feedback{}.record.row.source_ip 186.32.191.194 XML report
feedback{}.report_metadata.date_range.begin 1506988800 XML report
feedback{}.report_metadata.date_range.end 1507075199 XML report
feedback{}.report_metadata.email [email protected] XML report
feedback{}.report_metadata.extra_contact_info https://support.google.com/a/answer/2466580 XML report
feedback{}.report_metadata.org_name google.com XML report
feedback{}.report_metadata.report_id 13190401177475355109 XML report
signature Use of mail-from domain example.com at google.com CIM
signature_id 13190401177475355109 CIM
src ip-192-0-2-78.pool.someprovider.local Add-on enrichment
src_ip 192.0.2.78 CIM
user example.com CIM
tag authentication, insecure CIM
vendor_rua_xsd_validations. rua_draft-dmarc-base-00-02.xsd.result pass Add-on enrichment
vendor_rua_xsd_validations. rua_rfc7489.xsd.result fail Add-on enrichment
vendor_rua_xsd_validations. rua_rfc7489.xsd.info Element 'report_metadata': This element is not expected. Expected is ( version )., line 3 Add-on enrichment
vendor_rua_xsd_validations. rua_ta_dmarc_relaxed_v01.xsd.result pass Add-on enrichment

Advanced

Checkpointing

The DMARC-imap input saves checkpointing data in KVstore. To see its contents: |inputlookup ta_dmarc_checkpointer_lookup

If you want to reindex an entire mailbox, you can do so by deleting the TA-dmarc KVstore checkpointing data through this Splunk command:

|inputlookup ta_dmarc_checkpointer_lookup
|search state!="*input=dmarc_imap, server=imap.gmail.com*"
|outputlookup ta_dmarc_checkpointer_lookup

If you want to reindex a single DMARC report, you can do so by deleting its corresponding record from KVstore:

| inputlookup ta_dmarc_checkpointer_lookup 
| search state!="*Report-ID: 3596274322387252907*" 
| outputlookup ta_dmarc_checkpointer_lookup

Reindexing a DMARC report from a directory input is left as an excercise for the reader.

Principles

We use the following guidelines for developing this add-on:

Principle Rationale Implication
Data is left intact This add-on only performs data collection. Other apps may perform data aggregation and visualisation based on the output of this add-on and require intact data We don't interpret, alter or omit values. For example we leave the invalid domain AOL uses "not.evaluated" to denote the inability to perform a DKIM check.
Structure is left intact DMARC XML is an hierarchical format We use JSON output. Key=value output will be deprecated in future versions.
Data is enriched where appropriate New fields can be added to provide better context or offer normalization of the existing data XSD validation results and DNS resolutions are are added as additional fields. Compliance with CIM authentication datamodel too.

Troubleshooting

Argument validation for scheme=dmarc_imap: script running failed (killed by signal 9: Killed).

You'll get this error message when Splunk kills the script after 30 seconds of waiting for a successful return. This typically happens when:

  1. the connection to the IMAP or POP3 server times-out, due to a firewall or related network issue.
  2. the IMAP server is too slow or the batch-size is too high to return successfullly within 30 seconds
  3. you're running on Splunk Cloud and haven't yet asked Support to enable outbound IMAPS connections over port 993/tcp

The add-on doesn't appear to do anything after authentication

This happens when the IMAP mailbox contains a large number of messages and the interval is too short. For example: polling a mailbox with 250.000 messages every hour will likely result in the add-on spending its time waiting for the IMAP server to return all messages matching the "Report domain" subject.

Google Mail allows you to "move" incoming messages to a new label, solving this particular issue:

  1. Sign in to GMail. Click the gear icon on the top right to view the Settings. Then, select "See All Settings" in the sidebar that appears.
  2. Go to the "Filters and Blocked Addresses" tab in the Settings and select "Create a New Filter."
  3. In the box that appears, you'll set up the criteria for the emails you want to label. You can enter one or more conditions in the fields such as From, Subject, Has the Words, or Size. Click "Create Filter".
  4. Next, you'll create the action to label the emails. Check the box for Apply the Label and choose the label in the drop-down box. If you want to create a label, pick "New Label", give the label a name, and optionally nest it within an existing label. This automatically creates a folder for the label at the same time.
  5. You can apply other actions if you like, such as Skip the inbox, Mark as Read or Star It. Click "Create Filter"
  6. Once the filter is created, all future emails that match the criteria will receive the label. You can see these are not in your inbox but in the label's folder. Re-configure the Splunk data ingestion to the specific Folder/Label.
  7. Display the sidebar on the left and expand Mail if necessary. Then, select the label's folder and you'll see all emails have moved to this spot as well, giving you quick and easy access to them.
  8. If you need to edit a filter you create, return to Settings > Filters and Blocked Addresses, click "Edit" next to the filter, and make your changes.

Internal notes

$ cd /opt/splunk/etc/apps
$ tar -zcvf /tmp/TA-dmarc.tar.gz TA-dmarc --exclude .git --exclude .gitignore --exclude local --exclude local.meta --exclude \*.py[co]
$ splunk-appinspect inspect --mode precert /tmp/TA-dmarc.tar.gz

Contributers

This add-on is maintained by Jorrit Folmer. These people and organisations have contributed pull requests, issues, ideas or otherwise spent time improving this add-on:

  • Aaron Myers
  • Christopher G Andrews (ChristopherGAndrews)
  • Constantin Oshmyan (COshmyan)
  • Diogo Silva (diogofgm)
  • George Luong
  • Georgi Georgiev
  • hkelley
  • John (john-9c54a80b)
  • Martin Wright
  • Mike Kolk
  • Oli (gryphius)
  • Rishabh (infosecfreek)
  • Rajashekar S and the GWS team
  • Samuel Haper (sharperer)
  • Steve Myers (stmyers)
  • Steven Hilton (malvidin)
  • SMTware

Third party software credits

The following software components are used in this add-on:

  1. defusedxml version 0.8.0 by Christian Heimes
  2. xmljson version 0.1.9 by S. Anand
  3. IMAPClient version 2.2.0 by Menno Finlay-Smits
  4. dkimpy version 0.6.2 by Scott Kitterman
  5. dnspython version 1.15.0 by Bob Halley
  6. Splunk Add-on Builder version 2.2.0 by Splunk and the third-party software it uses

CHANGELOG

See CHANGELOG.md

Support

This is an open source project without warranty of any kind. No support is provided. However, a public repository and issue tracker are available at https://github.com/jorritfolmer/TA-dmarc

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].