Table of Contents
Notice  5
Preface  7
  About This Document  7
  Before You Use  7
  Intended Readers of This Manual  7
  Marking Rules  8
  Organization of this manual  8
Introduction  9
  SECUI MFI App for Splunk  10
  SECUI MFI  11
Configuration  13
  System Requirement  14
  Dependency  15
    Install from Splunk  15
    Install from Splunkbase  15
Installation and Settings  17
  Installation in Splunk  18
  Log Reception Settings  19
  SECUI MFI Settings  21
Index  23
SECUI MFI App for Splunk 3
Notice
Copyright
SECUI owns the copyright and intellectual property of this manual. These rights are protected by
the copyright laws and international copyright agreements. Therefore, no part or whole of this
manual may be copied, reproduced or published in any form or by any means, without the prior
written consent of SECUI. These actions are in conflict with those laws and agreements.
Content
The photos contained in this manual may be different from the actual appearance of the product
depending on product version and how the operation is performed. The specifications and photos
contained in this manual are based on the latest materials available when it was written. But they
are subject to change without notice due to performance enhancements and functional improve-
ments.
SECUI is not liable for direct, indirect, special, accidental, consequential and other damage or loss
of property due to your use of the information contained in this manual or due to the errors in this
manual, even if you use the product according to the direction of this manual.
Trademarks
Windows OS is a registered trademark of its respective company and is protected by copyright laws. The trademarks of other companies and the terms protected by copyright laws that are mentioned in this manual are used for reference only.
Contact
Phone : +82.(0)2.3783.6600
Fax : +82.(0)2.3783.6499
Address: (04631)SECUI 5th-7th Fl. Prime Tower, 48 Sogong-ro, Jung-gu, Seoul, Korea
E-mail: tech.csc@secui.com
Website: http://www.secui.com
Document Information
Part Number: 04-92-10000-10000-161102
Release Date: 2016-11-02
Copyright SECUI All rights reserved.
Preface
About This Document
This document is an administrator's manual written to give an understanding of the overall system and of the concepts for managing SECUI MFI App for Splunk.
SECUI MFI App for Splunk has security and control as its main purpose, and differs in method and usage from existing internet configuration systems.
To manage SECUI MFI App for Splunk, you need knowledge of the basic control of SECUI MFI App for Splunk, the details of each function, and security.
Before You Use
• Make sure you read through this guide before using your product so that you can use it correctly.
• After reading this guide, keep it in a safe place.
• This manual assumes that the reader is an operator with basic knowledge of networks, information security, and the use of the operating system.
Take precautions so that this guide can be viewed only by security administrators or the administrators performing related tasks. Special care is required because a malicious administrator who reads the guide could acquire internal information about the system and misuse it for hacking purposes.
Intended Readers of This Manual
This guide provides the security administrators who use SECUI MFI App for Splunk with the information on how to use it. To understand this manual, you need basic knowledge of network theory, information security, IP networking technology, and related subjects.
Marking Rules
The marking rules prescribed as follows are used in this manual.

Marking Rules       Description
Bold font           Indicates a menu, screen name, tab name, field name, or button name.
Close bracket (>)   Shows the order in which menus are opened.
Brackets (< >)      Indicate keyboard keys such as <Ctrl>, <Alt>, and <Shift>.
NOTICE              Represents important information for using the product.
CAUTION             Represents information that needs special care to prevent data loss, hardware damage, security threats, etc.

This manual explains all of the functions of the product; the functions available to you may differ depending on your purchase options.
Organization of this manual
Chapter 1. Introduction
This chapter introduces the overview and features of SECUI MFI App for Splunk.
Chapter 2. Configuration
This chapter explains the configuration required to use SECUI MFI App for Splunk.
Chapter 3. Installation and Settings
This chapter explains how to install SECUI MFI App for Splunk and how to configure the required settings.
Chapter 1
Introduction
This chapter introduces the overview and features of SECUI MFI App for Splunk.
SECUI MFI App for Splunk
SECUI MFI App for Splunk provides various views for analyzing, in Splunk, the IPS logs detected by the SECUI MFI appliance.
This app offers a real-time threat dashboard, threat analytics (attack analytics, attacker analytics, victim analytics, detail analytics), and a traffic dashboard.
• Threat Dashboard
Check recently detected threat information in real time.
• Attack Analytics
Trend and top-N analysis by attack name.
• Attacker Analytics
Trend and top-N analysis by attacker.
• Victim Analytics
Trend and top-N analysis by victim.
• Detail Analytics
Attack flow analysis through the progress of attacks and a Sankey chart; top analysis for each item.
• Traffic Dashboard
Traffic trend and top analysis for each item.
• Search
Log search.
SECUI MFI
SECUI MFI is installed as a transparent bridge, so it does not change the network topology. It is an intrusion prevention system that detects and blocks, in real time, intrusions and attacks in network traffic flowing from the outside to the inside.
SECUI MFI performs intrusion detection and prevention on every packet, and protects the information assets and resources of the internal network from DDoS attacks, flooding attacks, and Smurf attacks.
Chapter 2
Configuration
This chapter explains the configuration required to use SECUI MFI App for Splunk.
System Requirement
The system requirements for using SECUI MFI App for Splunk are as follows:

System              Requirement
Splunk Version      Splunk Enterprise version 6.5 or higher
OS                  Linux
SECUI MFI Version   SECUI MFI V4.0.1 or higher
Dependency
SECUI MFI App for Splunk depends on the Sankey Diagram and Heatmap custom visualizations, which are separate Splunk apps (application, hereinafter app).
They can be found through Splunk's Find More Apps menu, or downloaded from Splunkbase and installed from file.
Install from Splunk
Sankey Diagram
1. Go to the Splunk > Apps > Find More Apps menu.
2. Search for Sankey Diagram.
3. Install the Sankey Diagram - Custom Visualization app.
Heatmap
1. Go to the Splunk > Apps > Find More Apps menu.
2. Search for Heatmap.
3. Install the Heatmap - Custom Visualization app.
Install from Splunkbase
Depending on the Splunk version in use, Sankey Diagram or Heatmap may not appear in Find More Apps. In that case, download the installation file from Splunkbase and install it from file.
Sankey Diagram - Custom Visualization
1. Go to https://splunkbase.splunk.com/app/3112/.
2. Click on the Download button to download the installation file.
3. Go to the Splunk > Apps > Manage Apps menu.
4. Select Install app from file.
5. Click on the Browse button and select the downloaded installation file.
6. Click on the Upload button to install.
Heatmap - Custom Visualization
1. Go to https://splunkbase.splunk.com/app/3159/.
2. Click on the Download button to download the installation file.
3. Go to the Splunk > Apps > Manage Apps menu.
4. Select Install app from file.
5. Click on the Browse button and select the downloaded installation file.
6. Click on the Upload button to install.
Chapter 3
Installation and Settings
This chapter explains how to install SECUI MFI App for Splunk and how to configure the required settings.
Installation in Splunk
1. Log in to the Splunk web UI.
2. Click on the Manage Apps icon as shown below.
3. Click on the Install app from file button.
4. Click on the Browse button, select the SECUI MFI App for Splunk package, and then click on the Upload button.
5. Once installation is complete, go to the Settings > Server Controls menu and click on Restart Splunk to restart Splunk.
Log Reception Settings
Set the UDP port on which Splunk receives syslog from SECUI MFI.
1. Log in to the Splunk web UI.
2. Select the Settings > Data inputs menu.
3. Click Add new next to UDP.
4. Enter the UDP port number to open (e.g. 514).
Enter the same port number when configuring syslog on SECUI MFI.
NOTICE: On Linux, a process can bind a port below 1024 only as root (or with CAP_NET_BIND_SERVICE). If Splunk runs as a non-root user, choose a port above 1024 here and on SECUI MFI, or receive on 514 with a local syslog daemon that forwards to Splunk. UDP syslog is neither authenticated nor encrypted, so restrict access to this port to the SECUI MFI address at the host firewall.
5. For Source type, select Network & Security > secui:log; for App context, select SECUI MFI App for Splunk; then click on the Review button.
6. Check the review contents and click on the Submit button.
SECUI MFI Settings
To send logs to the Splunk server, both syslog settings and log settings must be completed on SECUI MFI.
Syslog Settings
1. Open a web browser and log in to SECUI MFI.
2. Select the System > Log Environment > Syslog Settings menu.
3. Configure a syslog server entry that transmits logs to Splunk.

Item                Description
Enable              Check to activate this syslog server entry.
Server IP(Domain)   Enter the IP address (or domain name) of the server where Splunk is installed, and the UDP port number (e.g. 514) configured for the Splunk data input.
Format              Select the ArcSight format.

4. Click on the Apply button to apply the settings.
Log Settings
Set the log types to be transmitted via syslog.
1. Select the System > Log Environment > Log Settings menu.
2. Select the logs to be transmitted to the server configured in Syslog Settings, as shown below (e.g. Server 1).
Check all folders of IPS/DDoS Log and Traffic Log (all settings under them will be checked).
3. Click on the Apply button to apply the settings.
Index
A
Attack Analytics 10
Attacker Analytics 10
D
Data inputs 19
Detail Analytics 10
I
Install app from file 18
Intrusion Prevention System 11
L
Log Settings 21
R
Restart Splunk 18
S
Search 10
SECUI MFI 11
SECUI MFI App for Splunk 10
Server Controls 18
Splunk
  Heatmap 15
  Sankey Diagram 15
Splunkbase
  Heatmap - Custom Visualization 15
  Sankey Diagram - Custom Visualization 15
T
Threat Dashboard 10
Traffic Dashboard 10
Transparent Bridge 11
V
Victim Analytics 10