BlackLynx For Splunk Dashboard Descriptions


Version 1.01

BlackLynx technology combines high performance heterogeneous computing (accelerated CPUs, GPUs, and FPGAs) with standard applications and protocols to achieve high performance analytics.

Prerequisites
Install Splunk BlackLynx App version 1.0.2

BlackLynx for Splunk brings the enhanced speed and search capabilities of the BlackLynx solution to the Splunk Search, Dashboard, and Alerts features. This is done using the BlackLynx Splunk Apps blstructsearch and blunstructsearch.

This document describes each dashboard, the corporate function it provides, and the methodology used by BlackLynx to demonstrate potential solutions to the problems. Each of these dashboards is designed to highlight some aspect of BlackLynx's ability to rapidly search and process large data sets without the need to Extract, Transform, and Load (ETL) the data.

BlackLynx for Splunk Dashboards

BlackLynx for Splunk Dashboard Descriptions: Blacklisted DNS

Dashboard Solution Statement:
The "Blacklisted DNS" dashboard performs a search of a PCAP file for DNS requests, extracts the requested sites, and flags any request for a known blacklisted site. The known blacklisted sites are maintained in a file by the system administrator. The dashboard provides a list of all DNS requests and flags those that appear in the blacklist file. The dataset is a PCAP capture of sessions in our office.

Figure: Blacklisted DNS Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – PCAP file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case UDP source port 53 (DNS server). Note that source port 53 selects the server's responses; a response repeats the question section, so the requested name is still recoverable. The clients' requests are the packets sent to destination port 53.

BlackLynx Capabilities:
- Search of native PCAP files, extracting the packets on port 53
- Decode of the selected packets to extract the requested domain names
- Return of the results to Splunk in JSON format

ClearTextSSN

Dashboard Solution Statement:
The "ClearTextSSN" dashboard performs a search of PCAP file(s) looking for any case where a Social Security Number is transmitted in clear text. In today's environment of privacy regulation, certifying that all systems comply with state and federal regulations can avoid fines and negative publicity and enhance client goodwill. Compliance rules differ for medical, banking, and other institutions, but all require protection of Social Security Numbers. This dashboard returns all cases of clear-text transmission of SSN data and the data needed to track down the errant source. The dataset is from the 2012 Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC2012).

Figure: ClearTextSSN Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – PCAP file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case a specific IP destination and a PCRE2 search of the payload data

BlackLynx Capabilities:
- Search of native PCAP files, extracting the packets to a specific IP address; 16 GB of PCAP data searched in less than 5 seconds
- Native PCAP search of the packet payload using any of the BlackLynx search primitives, in this case a regular expression search for a string formatted "nnn-nn-nnnn" without a leading or trailing digit
- Return of the results to Splunk in JSON format
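The payload rule above, written out as an added Python example (this is not BlackLynx code and not the dashboard's actual query expression): a regular expression with the same shape and the "no leading or trailing digit" lookarounds, a structural check that discards values the Social Security Administration never issues, and a scan over a few constructed payloads (not MACCDC2012 traffic).

```python
import re

# Pattern equivalent to the dashboard's PCRE2 payload search: three digits,
# dash, two digits, dash, four digits, with no digit immediately before or
# after, so a longer number such as "1234-56-78901" does not match.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def structurally_valid_ssn(ssn: str) -> bool:
    """Reject values that have the shape but can never be issued SSNs:
    area 000, 666 or 900-999; group 00; serial 0000 (SSA allocation rules).
    This removes false positives such as test data and order numbers."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def find_cleartext_ssns(payload: bytes):
    """Return (offset, ssn, plausible) for every match in one packet payload.
    The offset lets an analyst map the hit back to the packet and session."""
    hits = []
    for m in SSN_RE.finditer(payload):
        ssn = m.group().decode("ascii")
        hits.append((m.start(), ssn, structurally_valid_ssn(ssn)))
    return hits


# Constructed sample payloads (not from MACCDC2012): an HTTP form post that
# leaks an SSN, a longer number that must not match, an impossible SSN, and
# binary TLS-looking bytes.
SAMPLE_PAYLOADS = {
    "http_form": b"POST /apply HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
                 b"name=J+Doe&ssn=219-09-9999&dob=1980-01-02",
    "long_number": b"ref 1234-56-78901 or 800-555-0100",
    "invalid_area": b"ssn: 666-12-3456",
    "binary": bytes.fromhex("16030100a5010000a10303"),
}


def scan_all(payloads):
    """Scan every payload; only payloads with at least one hit are reported."""
    report = {}
    for name, data in payloads.items():
        hits = find_cleartext_ssns(data)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLE_PAYLOADS).items():
        for offset, ssn, plausible in hits:
            print(f"{name}: offset={offset} ssn={ssn} plausible={plausible}")
```

The structural check is the part a compliance search usually lacks: a regex alone reports the 666-12-3456 hit as a violation, while the SSA rules mark it as a value that cannot belong to a person. Keep both columns in the result so the analyst can see why a hit was downgraded.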

Cybersquatting Example for Bro Logs Using Edit Distance

Dashboard Solution Statement:
Typosquatting, or URL hijacking, is a form of cybersquatting that relies on the typing mistakes Internet users make when entering a website address into a web browser. Cybersquatting (also called domain squatting), according to the United States federal law known as the Anticybersquatting Consumer Protection Act, is registering, trafficking in, or using an Internet domain name with bad-faith intent to profit from the goodwill of a trademark belonging to someone else. The cybersquatter then offers to sell the domain to the person or company that owns a trademark contained in the name, at an inflated price.

Figure: CyberSquatting Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – Bro log file(s) (CSV) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case sites similar to www.youtube.com

BlackLynx Capabilities:
- Search of native CSV files (Bro logs) using a Levenshtein (fuzzy edit distance) search with distance 2 to find DNS requests that are one or two characters different from the expected site. The exact name (distance 0) is the legitimate site and is excluded from the result.
- Return of the results to Splunk in JSON format

DNS List

Dashboard Solution Statement:
The "DNS List" dashboard performs a search of a PCAP file for DNS requests, extracts the requested sites, and groups the results by requested site. The dashboard provides a list of all DNS requests, the number of times each site was requested, and a pie chart showing the top 10 sites.

Figure: DNS List Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – PCAP file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case UDP source port 53 (DNS server)

BlackLynx Capabilities:
- Search of native PCAP files, extracting the packets on port 53
- Decode of the selected packets to extract the requested domain names
- Return of the results to Splunk in JSON format
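The decode step that the Blacklisted DNS and DNS List dashboards both describe, as an added Python example that is not part of BlackLynx or of this document. It assumes the UDP payload of each port 53 packet has already been isolated (the PCAP handling is not shown here), parses the question name including RFC 1035 compression pointers, counts requests per name, and flags names against an administrator-style blacklist. The queries and the blacklist contents are constructed.

```python
import struct
from collections import Counter


def read_name(msg: bytes, offset: int):
    """Decode a DNS name starting at offset, following compression pointers
    (RFC 1035 section 4.1.4). Returns (name, offset just past the name as it
    appeared in the message). Pointer hops are capped so a crafted message
    with a pointer loop cannot hang the decoder."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                        # name ends after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:                                 # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


def dns_question_name(udp_payload: bytes):
    """First question name of a DNS message. Works for both queries (dst port 53)
    and responses (src port 53), since a response echoes the question section."""
    if len(udp_payload) < 12:
        return None
    qdcount = struct.unpack("!H", udp_payload[4:6])[0]
    if qdcount < 1:
        return None
    return read_name(udp_payload, 12)[0]


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed sample data: a minimal standard A query for name."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def is_blacklisted(name: str, blacklist) -> bool:
    """True if the name or any parent domain is on the administrator's list,
    so "cdn.evil.test" is caught by a list entry of "evil.test"."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blacklist for i in range(len(parts)))


def summarize(udp_payloads, blacklist):
    """Per-name request counts (DNS List) and flagged names (Blacklisted DNS)."""
    counts, flagged = Counter(), []
    for payload in udp_payloads:
        name = dns_question_name(payload)
        if name is None:
            continue
        counts[name] += 1
        if is_blacklisted(name, blacklist):
            flagged.append(name)
    return counts, flagged


# Constructed sample: four queries and the contents of the administrator's list.
SAMPLE_QUERIES = [build_query("www.example.com"), build_query("cdn.evil-tracker.test"),
                  build_query("www.example.com"), build_query("mail.example.com")]
BLACKLIST = {"evil-tracker.test"}

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_QUERIES, BLACKLIST)
    print(counts.most_common(10))
    print("flagged:", flagged)
```

Two details matter in practice: the blacklist comparison walks up the parent domains, because a list of bare domains would otherwise miss every subdomain an attacker rotates through, and the name decoder bounds pointer hops, because a DNS message is attacker-controlled input and a self-referencing pointer is a classic way to hang a naive parser.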

Hillary Fuzzy Search Russian Troll

Dashboard Solution Statement:
This dashboard displays the results of a fuzzy edit distance search of a CSV file containing a database of 3 million Russian troll tweets compiled by Clemson University, covering 2012 through 2018 with the majority from 2015 to 2017. The search looks for right-wing comments on Hillary Clinton and the phrase "lock her up". Note that the phrase "lockherup" (no spaces) is also found by a fuzzy edit distance search with distance 2, since two insertions turn it into the searched phrase.

Figure: Hillary Fuzzy Search Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – CSV file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case a combination of exact and fuzzy edit distance searches in specific fields combined with a date range search

BlackLynx Capabilities:
- Search of native CSV files using a complex combination of fuzzy edit distance, exact, and date range criteria without indexing or transformation
- Return of the results to Splunk in JSON format
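The edit-distance searches of the Cybersquatting dashboard above and of this dashboard (the Trump Edit Distance dashboard later in this document uses the same mechanism), as an added Python example that is not BlackLynx code: one dynamic programme serves both as whole-string Levenshtein distance over dns.log query names and as approximate-substring matching inside tweet text, combined with the exact-field and date-range criteria. The dns.log lines and the tweet CSV are constructed; the column names (content, publish_date, account_category) and the ISO date format are assumptions for the demo, not the Clemson file's exact layout.

```python
import csv
import io
from datetime import date


def _edit_dp(pattern: str, text: str, substring: bool) -> int:
    """Levenshtein dynamic programme. With substring=False this is the plain
    whole-string edit distance. With substring=True the first row is all zeros
    (Sellers' algorithm), so the pattern may begin anywhere in text and the
    result is the distance of the best approximate occurrence."""
    n = len(text)
    prev = [0] * (n + 1) if substring else list(range(n + 1))
    for i in range(1, len(pattern) + 1):
        cur = [i] + [0] * n
        for j in range(1, n + 1):
            cost = 0 if pattern[i - 1] == text[j - 1] else 1
            cur[j] = min(prev[j] + 1,          # delete from pattern
                         cur[j - 1] + 1,       # insert into pattern
                         prev[j - 1] + cost)   # substitute or match
        prev = cur
    return min(prev) if substring else prev[n]


def levenshtein(a: str, b: str) -> int:
    return _edit_dp(a, b, substring=False)


def fuzzy_contains(phrase: str, text: str, max_dist: int) -> bool:
    return _edit_dp(phrase.lower(), text.lower(), substring=True) <= max_dist


def find_typosquats(dns_log_lines, target: str, max_dist: int = 2):
    """Cybersquatting dashboard: Bro dns.log (TSV) query names within max_dist
    edits of target. Distance 0 is the legitimate site and is skipped."""
    target = target.lower()
    hits = []
    for line in dns_log_lines:
        if line.startswith("#"):                       # Bro header lines
            continue
        query = line.split("\t")[9].lower()            # column 10 of this constructed log
        d = levenshtein(query, target)
        if 0 < d <= max_dist:
            hits.append((query, d))
    return hits


def search_tweets(csv_text: str, category: str, phrase: str,
                  start: date, end: date, max_dist: int = 2):
    """Troll-tweet dashboards: exact match on account_category, date range on
    publish_date, fuzzy edit-distance match of phrase inside content."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["account_category"] != category:
            continue
        if not start <= date.fromisoformat(row["publish_date"]) <= end:
            continue
        if fuzzy_contains(phrase, row["content"], max_dist):
            hits.append(row["content"])
    return hits


# Constructed samples (not the Clemson data set, not a real dns.log).
DNS_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\trtt\tquery",
    "1.0\tC1\t10.0.0.5\t5000\t10.0.0.1\t53\tudp\t1\t0.01\twww.youtube.com",
    "2.0\tC2\t10.0.0.5\t5001\t10.0.0.1\t53\tudp\t2\t0.01\twww.yuotube.com",
    "3.0\tC3\t10.0.0.6\t5002\t10.0.0.1\t53\tudp\t3\t0.01\twww.youtub.com",
    "4.0\tC4\t10.0.0.6\t5003\t10.0.0.1\t53\tudp\t4\t0.01\tww.youtube.com",
    "5.0\tC5\t10.0.0.7\t5004\t10.0.0.1\t53\tudp\t5\t0.01\twww.google.com",
]
TWEETS = """author,content,publish_date,account_category
user_a,Crowd chanting LOCK HER UP at the rally #Hillary,2016-10-20,RightTroll
user_a,#lockherup trending again,2016-11-01,RightTroll
user_b,lock her up chants are ugly,2016-10-25,LeftTroll
user_a,lock her up,2014-05-01,RightTroll
user_a,Block her cup?,2016-10-22,RightTroll
"""

if __name__ == "__main__":
    print(find_typosquats(DNS_LOG, "www.youtube.com"))
    print(search_tweets(TWEETS, "RightTroll", "lock her up", date(2016, 1, 1), date(2016, 12, 31)))
```

The last constructed tweet is the caveat: "Block her cup?" contains "lock her cup", one edit from "lock her up", so a distance-2 substring search returns it. Fuzzy distance buys recall for spelling variants and hashtag forms at the cost of hits like this one, which is why the dashboards pair it with exact-field and date-range criteria rather than running it alone.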

HTTP Downloaded Files

Dashboard Solution Statement:
The "HTTP Downloaded Files" dashboard performs a search of a PCAP file looking for files downloaded from a specific IP address. It is an example of quickly extracting forensic data from a native PCAP file. The list of files is compared against a known list of compromised files and any matches are flagged. The list of known compromised files is maintained in a file by the system administrator.

Figure: HTTP Downloaded Files Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – PCAP file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case the IP address (10.17.30.2) and a payload search for an HTTP GET request

BlackLynx Capabilities:
- Search of native PCAP files, extracting the packets of a specific IP address with a payload search for HTTP GET requests
- Decode of the selected packets to extract the requested download file names
- Return of the results to Splunk in JSON format

HTTP GET Hosts

Dashboard Solution Statement:
The "HTTP GET Hosts" dashboard performs a search of a PCAP file looking for sites requested by a specific IP address. It is an example of quickly extracting forensic data from a native PCAP file.

Figure: HTTP GET Hosts Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – PCAP file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case the IP address of the requester and a payload search for HTTP GET requests

BlackLynx Capabilities:
- Search of native PCAP files, extracting the packets of a specific IP address with a payload search for HTTP GET requests
- Decode of the selected packets to extract the requested sites
- Return of the results to Splunk in JSON format
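The decode step behind the HTTP Downloaded Files and HTTP GET Hosts dashboards, as an added Python example (not BlackLynx code and not the decoder the dashboards use): parse the request line and Host header of an HTTP/1.x request found at the start of a TCP payload, derive the requested file name from the path, flag names on an administrator-style list, and count requested hosts per client. The packets, client address and list contents are constructed.

```python
import re
from collections import Counter

REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload: bytes):
    """Parse an HTTP/1.x request at the start of a TCP payload into
    (method, host, path, filename), or None if the payload is not one.
    Host comes from the Host header; for absolute-form targets (proxy
    requests) the authority in the request line is the fallback."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    method = m.group(1).decode("ascii")
    target = m.group(2).decode("latin-1")
    head_end = payload.find(b"\r\n\r\n", m.end())
    headers = payload[m.end():head_end if head_end >= 0 else len(payload)]
    host = None
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("latin-1").lower()
            break
    if "://" in target:                                  # absolute-form target
        authority, _, rest = target.split("://", 1)[1].partition("/")
        host = host or authority.lower()
        target = "/" + rest
    path = target.split("?", 1)[0].split("#", 1)[0]
    filename = path.rsplit("/", 1)[-1]                   # "" for a directory request
    return method, host, path, filename


def downloaded_files(packets, client_ip, known_bad):
    """HTTP Downloaded Files: GET requests from client_ip, flagged when the
    requested file name is on the administrator's list."""
    rows = []
    for src, dst, payload in packets:
        if src != client_ip:
            continue
        req = parse_http_request(payload)
        if req is None or req[0] != "GET":
            continue
        _, host, path, filename = req
        rows.append({"server": dst, "host": host, "path": path,
                     "file": filename, "flagged": filename.lower() in known_bad})
    return rows


def get_hosts(packets, client_ip):
    """HTTP GET Hosts: how often client_ip requested each Host."""
    return Counter(row["host"] for row in downloaded_files(packets, client_ip, set()))


# Constructed sample packets as (src ip, dst ip, tcp payload); not from a capture.
PACKETS = [
    ("10.17.30.2", "203.0.113.10", b"GET /downloads/setup.exe HTTP/1.1\r\nHost: files.example.com\r\nUser-Agent: x\r\n\r\n"),
    ("10.17.30.2", "203.0.113.11", b"GET /index.html?ref=1 HTTP/1.1\r\nhost: www.example.com\r\n\r\n"),
    ("10.17.30.2", "203.0.113.11", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.17.30.2", "203.0.113.11", b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\nuser=a&pw=b"),
    ("10.17.30.9", "203.0.113.12", b"GET /other.exe HTTP/1.1\r\nHost: other.example\r\n\r\n"),
    ("10.17.30.2", "203.0.113.13", bytes.fromhex("160301004a01000046")),   # TLS, not HTTP
]
KNOWN_BAD = {"setup.exe"}

if __name__ == "__main__":
    for row in downloaded_files(PACKETS, "10.17.30.2", KNOWN_BAD):
        print(row)
    print(dict(get_hosts(PACKETS, "10.17.30.2")))
```

Matching on file name is only as strong as the list: a renamed copy of a known-bad file passes, and anything fetched over HTTPS never appears, since the GET is inside TLS (the last constructed packet shows what such a payload looks like to the parser). Where the capture contains the full response, hashing the reassembled object and comparing digests is the more robust check.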

Indexed Server Logs with Non-indexed Traffic Logs

Dashboard Solution Statement:
This dashboard searches indexed server logs and non-indexed traffic logs, correlating the bytes of traffic at each client IP address. The non-indexed search is performed on raw Bro logs.

Figure: Indexed Servers with Non-indexed Traffic Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – Bro log(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case any connections that are not local

BlackLynx Capabilities:
- Search of native CSV files using a PCRE2 search to exclude local connections
- Combination of indexed Splunk data and non-indexed raw CSV data
- Return of the results to Splunk in JSON format

Netflow TCP SYN Time Range

Dashboard Solution Statement:
A burst of TCP SYN flags (many connection attempts that are never completed) can be indicative of a denial of service attack. This dashboard illustrates BlackLynx's capability to analyze NetFlow CSV files and rapidly pull out the records that have the SYN flag set over a specific time range.

Figure: Netflow TCP SYN Time Range Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – CSV NetFlow file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case the SYN flag set during a 3 minute time frame

BlackLynx Capabilities:
- Search of specific fields in native CSV files
- Return of the results to Splunk in JSON format
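The SYN time-range query, as an added Python example that is not BlackLynx code: filter NetFlow CSV rows to TCP flows inside a 3 minute window whose flags carry SYN but never ACK (a handshake that was never completed), then summarize them per destination. The CSV layout and the flows are constructed; the flags column is assumed to use the nfdump letter-and-dot notation.

```python
import csv
import io
from datetime import datetime, timedelta


def parse_netflow(csv_text: str):
    """Rows of a NetFlow CSV export. flags is assumed to use the nfdump form
    (e.g. "....S." = SYN only, ".A..S." = SYN+ACK, ".AP.SF" = full session)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S")
        row["packets"] = int(row["packets"])
    return rows


def syn_only_in_window(rows, start: datetime, minutes: int = 3):
    """TCP flows in [start, start+minutes) whose flags carry SYN but never ACK:
    a connection attempt that was never completed, the signature of a SYN flood."""
    end = start + timedelta(minutes=minutes)
    return [r for r in rows
            if r["proto"] == "TCP"
            and "S" in r["flags"] and "A" not in r["flags"]
            and start <= r["ts"] < end]


def syn_summary(flows):
    """(destination, half-open flows, distinct sources), busiest destination first.
    Many distinct sources against one destination is the flood pattern;
    one source against many destinations is a SYN scan."""
    per_dst = {}
    for f in flows:
        entry = per_dst.setdefault(f["dst"], [0, set()])
        entry[0] += 1
        entry[1].add(f["src"])
    return sorted(((dst, n, len(srcs)) for dst, (n, srcs) in per_dst.items()),
                  key=lambda t: (-t[1], t[0]))


# Constructed NetFlow CSV sample (not real MACCDC traffic).
NETFLOW_CSV = """ts,src,dst,dport,proto,flags,packets
2012-03-16 09:59:59,203.0.113.4,192.168.1.10,80,TCP,....S.,1
2012-03-16 10:00:05,203.0.113.5,192.168.1.10,80,TCP,....S.,1
2012-03-16 10:00:06,203.0.113.6,192.168.1.10,80,TCP,....S.,1
2012-03-16 10:00:07,203.0.113.7,192.168.1.10,80,TCP,....S.,1
2012-03-16 10:00:30,203.0.113.9,192.168.1.10,53,UDP,......,2
2012-03-16 10:01:00,192.168.1.20,192.168.1.10,80,TCP,.AP.SF,12
2012-03-16 10:02:59,203.0.113.5,192.168.1.11,443,TCP,....S.,1
2012-03-16 10:03:00,203.0.113.8,192.168.1.10,80,TCP,....S.,1
"""
WINDOW_START = datetime(2012, 3, 16, 10, 0, 0)

if __name__ == "__main__":
    flows = syn_only_in_window(parse_netflow(NETFLOW_CSV), WINDOW_START)
    for dst, n, sources in syn_summary(flows):
        print(f"{dst}: {n} half-open flows from {sources} sources")
```

The filter deliberately excludes flows with ACK set: a flow record for a completed session also contains a SYN, so "SYN flag set" alone counts every normal connection. The window is half-open (start inclusive, end exclusive) so that adjacent 3 minute windows never count the same record twice.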

Non-indexed Search with Regex

Dashboard Solution Statement:
The "Non-indexed Search with Regex" dashboard performs a negative PCRE2 search on a semi-structured log file looking for any client address that does not begin with "127", that is, any client other than localhost. It returns every line of the log that matches the query and extracts the time from the line.

Figure: Non-indexed Search with Regex Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – log file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case the client IP address where the address does not begin 127.*.*.*. In PCRE2 an unescaped dot matches any character and a pattern is not anchored by default, so the octet pattern must be escaped and anchored to the start of the address (otherwise a client such as 10.0.127.5 is also excluded).

BlackLynx Capabilities:
- Search of text log files using a regular expression
- Return of the results to Splunk in JSON format
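The two "exclude local addresses" searches, this dashboard's loopback exclusion and the previous one's non-local connection filter, as an added Python example that is not BlackLynx code. It shows the naive pattern the page describes next to a correctly escaped and anchored one, applies the loopback exclusion to semi-structured log lines while extracting the time, and applies the same technique extended to RFC 1918 space to sum bytes per remote client in a Bro conn.log. The log lines are constructed (Apache error-log style and Bro TSV layout are assumptions for the sample).

```python
import re

# The dashboard's rule, "client address does not begin 127.*.*.*", as written
# is wrong in PCRE2/Python: "." is a wildcard and the match is unanchored, so
# "127" also hits 10.0.127.5. Escape the dots and anchor the negative lookahead.
NAIVE = re.compile(r"127.*.*.*")
NOT_LOOPBACK = re.compile(r"^(?!127\.)\d{1,3}(?:\.\d{1,3}){3}$")
# Same technique extended to RFC 1918 space, for "connections that are not local".
NOT_LOCAL = re.compile(
    r"^(?!127\.|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)\d{1,3}(?:\.\d{1,3}){3}$")

# Semi-structured line: timestamp in [], client IP in "[client ip]" or "[client ip:port]".
LOG_LINE = re.compile(r"^\[(?P<time>[^\]]+)\].*?\[client (?P<ip>[^\]:]+)")


def non_loopback_clients(lines):
    """Non-indexed Search with Regex: (time, ip) for lines whose client is not 127.x."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and NOT_LOOPBACK.match(m.group("ip")):
            hits.append((m.group("time"), m.group("ip")))
    return hits


def bytes_per_remote_client(conn_log_lines):
    """Indexed/non-indexed correlation: total bytes per client IP from a Bro
    conn.log (TSV), keeping only clients outside local address space.
    Bro writes "-" for unknown byte counts; those count as zero."""
    totals, fields = {}, None
    for line in conn_log_lines:
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        ip = row["id.orig_h"]
        if not NOT_LOCAL.match(ip):
            continue
        total = sum(0 if row[k] == "-" else int(row[k]) for k in ("orig_bytes", "resp_bytes"))
        totals[ip] = totals.get(ip, 0) + total
    return totals


# Constructed sample lines (not from the dashboards' data sets).
ERROR_LOG = [
    "[Fri Mar 16 10:00:01 2012] [error] [client 127.0.0.1] File does not exist: /var/www/x",
    "[Fri Mar 16 10:00:02 2012] [error] [client 10.0.127.5] File does not exist: /var/www/y",
    "[Fri Mar 16 10:00:03 2012] [error] [client 203.0.113.9:51234] Invalid method",
    "[Fri Mar 16 10:00:04 2012] [notice] caught SIGTERM, shutting down",
]
CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes",
    "1.0\tC1\t203.0.113.5\t5000\t192.168.1.10\t80\ttcp\t1500\t80000",
    "2.0\tC2\t10.0.0.5\t5001\t192.168.1.10\t80\ttcp\t100\t200",
    "3.0\tC3\t198.51.100.7\t5002\t192.168.1.10\t443\ttcp\t-\t-",
    "4.0\tC4\t203.0.113.5\t5003\t192.168.1.10\t443\ttcp\t200\t300",
    "5.0\tC5\t172.20.1.9\t5004\t192.168.1.10\t80\ttcp\t10\t20",
]

if __name__ == "__main__":
    print(non_loopback_clients(ERROR_LOG))
    print(bytes_per_remote_client(CONN_LOG))
```

The second constructed line is the case the naive pattern gets wrong: client 10.0.127.5 contains "127" and would be dropped by a negative search for 127.*.*.*, but it is not localhost and the anchored pattern keeps it.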

PCAP Inspection

Dashboard Solution Statement:
The "PCAP Inspection" dashboard performs a search of PCAP file(s) and returns the matching packets. Any or all of the individual fields may be specified for the output display. In addition, the total number of matches and the name of the results file are returned and may be used as input to subsequent searches. This dashboard allows ad hoc queries of native PCAP files.

Figure: PCAP Inspection Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – PCAP file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, which may be any field or combination of fields**
TableFieldNames – list of fields to be displayed in the Splunk table
Max PCAP to Decode – maximum number of packets to decode and return

BlackLynx Capabilities:
- Search of native PCAP files, extracting the packets that match the query expression
- Thinning of large PCAP files into a PCAP file containing just the packets of interest
- Return of the results to Splunk in JSON format

** See the BlackLynx for Splunk Usage Document for the complete parameter list.
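The thinning capability, as an added Python example that is not BlackLynx code and makes no use of its search engine: a minimal reader for the classic pcap container (both byte orders and the nanosecond magic), a decoder for the Ethernet/IPv4/TCP/UDP fields a query expression would match on, and a filter that writes a new pcap holding only the matching records under the original global header. The capture is constructed in memory from hand-built frames with zero checksums; a real file under /ryftone would be read from disk instead.

```python
import struct


def pcap_endian(data: bytes) -> str:
    """Struct byte-order prefix for a pcap file, from its magic number
    (classic 0xa1b2c3d4 or nanosecond 0xa1b23c4d, either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xa1b2c3d4, 0xa1b23c4d):
        return "<"
    if magic in (0xd4c3b2a1, 0x4d3cb2a1):
        return ">"
    raise ValueError("not a pcap file")


def read_pcap(data: bytes):
    """Yield (record header bytes, packet bytes). A record that runs past the
    end of the file (truncated capture) ends iteration instead of raising."""
    endian = pcap_endian(data)
    off = 24                                           # global header
    while off + 16 <= len(data):
        rec = data[off:off + 16]
        incl_len = struct.unpack(endian + "I", rec[8:12])[0]
        if off + 16 + incl_len > len(data):
            break
        yield rec, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def decode_fields(pkt: bytes) -> dict:
    """Ethernet II / IPv4 / TCP-UDP fields a query expression can match on.
    Non-IP frames get only an ethertype; short frames get fewer fields."""
    f = {}
    if len(pkt) < 14:
        return f
    f["ethertype"] = struct.unpack("!H", pkt[12:14])[0]
    if f["ethertype"] != 0x0800 or len(pkt) < 34:
        return f
    ihl = (pkt[14] & 0x0F) * 4
    f["proto"] = pkt[23]
    f["src"] = ".".join(str(b) for b in pkt[26:30])
    f["dst"] = ".".join(str(b) for b in pkt[30:34])
    l4 = 14 + ihl
    if f["proto"] in (6, 17) and len(pkt) >= l4 + 8:
        f["sport"], f["dport"] = struct.unpack("!HH", pkt[l4:l4 + 4])
        if f["proto"] == 6 and len(pkt) >= l4 + 20:
            f["tcp_flags"] = pkt[l4 + 13]
            f["payload"] = pkt[l4 + (pkt[l4 + 12] >> 4) * 4:]
        elif f["proto"] == 17:
            f["payload"] = pkt[l4 + 8:]
    return f


def thin_pcap(data: bytes, predicate):
    """Write a new pcap with the original global header and only the records
    whose decoded fields satisfy predicate. Returns (pcap bytes, match count)."""
    out, n = [data[:24]], 0
    for rec, pkt in read_pcap(data):
        if predicate(decode_fields(pkt)):
            out.append(rec + pkt)
            n += 1
    return b"".join(out), n


# Constructed sample capture: hand-built frames with zero checksums, which the
# decoder never verifies.
def _ipv4_frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip + l4

def _udp(src, dst, sport, dport, payload):
    return _ipv4_frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

def _tcp_syn(src, dst, sport, dport):
    return _ipv4_frame(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0))

FRAMES = [
    _udp("10.0.0.5", "10.0.0.1", 51000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    _tcp_syn("10.0.0.5", "93.184.216.34", 40000, 80),
    bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28,        # ARP, not IP
    _udp("10.0.0.1", "10.0.0.5", 53, 51000, b"\x12\x34\x81\x80"),
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1331892000 + i, 0, len(fr), len(fr)) + fr for i, fr in enumerate(FRAMES))

if __name__ == "__main__":
    thinned, count = thin_pcap(SAMPLE_PCAP, lambda f: 53 in (f.get("sport"), f.get("dport")))
    print(f"{count} packets kept, {len(thinned)} bytes")
```

Two properties make the thinned file useful as input to a later search: record headers are copied byte for byte, so timestamps and byte order are preserved, and the decoder returns partial dictionaries for frames it cannot fully parse, so a predicate written with .get() simply skips ARP or truncated frames instead of failing on them.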

SSL Certificates

Dashboard Solution Statement:
The "SSL Certificates" dashboard provides insight into the SSL certificates in use, their issuing authority, and their validity dates. It does this via a pre-created Splunk job that invokes the blsearch function, demonstrating another method of connecting through Splunk.

Figure: SSL Certificates Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Host SSL Certificates RowCount – number of result rows per page

BlackLynx Capabilities:
- Integration with Splunk through a pre-created job
- Return of the results to Splunk in JSON format

SSL Certificates - Expired

Dashboard Solution Statement:
The "SSL Certificates - Expired" dashboard performs the same search as the SSL Certificates dashboard, but returns only the certificates that have expired.

Figure: SSL Certificates - Expired Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Host SSL Certificates RowCount – number of result rows per page

BlackLynx Capabilities:
- Integration with Splunk through a pre-created job
- Return of the results to Splunk in JSON format
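The validity-date logic behind the two SSL Certificates dashboards, as an added Python example that is not BlackLynx code and does not show the pre-created blsearch job: parse the time forms that certificate tooling emits (ASN.1 UTCTime and GeneralizedTime, and OpenSSL's text form) and bucket each certificate as expired, expiring soon, not yet valid, or valid at a reference time. The records are constructed in the shape of JSON rows, and the field names subject, issuer, not_before and not_after are assumptions for the demo.

```python
from datetime import datetime, timedelta, timezone


def parse_x509_time(value: str) -> datetime:
    """Parse the validity time forms seen in certificate output: ASN.1 UTCTime
    (YYMMDDHHMMSSZ), GeneralizedTime (YYYYMMDDHHMMSSZ) and OpenSSL's text form
    ("Jun 15 12:00:00 2019 GMT"). UTCTime years use the RFC 5280 pivot:
    50-99 are 19xx, 00-49 are 20xx. strptime's %y pivots at 69 instead, so it
    would read "501231235959Z" as 2050 rather than 1950."""
    s = value.strip()
    if s.endswith("Z") and s[:-1].isdigit():
        digits = s[:-1]
        if len(digits) == 12:
            yy = int(digits[:2])
            digits = ("19" if yy >= 50 else "20") + digits
        elif len(digits) != 14:
            raise ValueError(f"bad ASN.1 time: {value}")
        return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if s.endswith(" GMT"):
        return datetime.strptime(s[:-4], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised time: {value}")


def classify_certificates(records, now: datetime, warn_days: int = 30):
    """Bucket certificate records by validity at time now: expired, expiring
    within warn_days, not yet valid, or valid. Returns {bucket: [subject, ...]}."""
    buckets = {"expired": [], "expiring_soon": [], "not_yet_valid": [], "valid": []}
    for rec in records:
        not_before = parse_x509_time(rec["not_before"])
        not_after = parse_x509_time(rec["not_after"])
        if now >= not_after:
            bucket = "expired"
        elif now < not_before:
            bucket = "not_yet_valid"
        elif not_after - now <= timedelta(days=warn_days):
            bucket = "expiring_soon"
        else:
            bucket = "valid"
        buckets[bucket].append(rec["subject"])
    return buckets


# Constructed records in the shape of the dashboard's JSON rows (not real certificates).
CERTIFICATES = [
    {"subject": "www.example.com", "issuer": "Example CA",
     "not_before": "170316100000Z", "not_after": "180316100000Z"},
    {"subject": "mail.example.com", "issuer": "Example CA",
     "not_before": "Jun 15 12:00:00 2018 GMT", "not_after": "Jun 15 12:00:00 2019 GMT"},
    {"subject": "vpn.example.com", "issuer": "Example CA",
     "not_before": "20190101000000Z", "not_after": "20500101000000Z"},
    {"subject": "old.example.com", "issuer": "Example CA",
     "not_before": "980101000000Z", "not_after": "991231235959Z"},
    {"subject": "notyet.example.com", "issuer": "Example CA",
     "not_before": "20200101000000Z", "not_after": "20210101000000Z"},
]
REFERENCE_NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for bucket, subjects in classify_certificates(CERTIFICATES, REFERENCE_NOW).items():
        print(bucket, subjects)
```

An "expired" view that compares strings, or that parses two-digit years with a library default, silently misfiles certificates from before 2000 and after 2049; the explicit pivot and the GeneralizedTime branch are what keep the Expired dashboard's count honest. Comparing in UTC matters too, since a certificate that expires at 00:00 UTC is already invalid while it is still the previous evening in a US time zone.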

Trump Edit Distance Russian Troll

Dashboard Solution Statement:
This dashboard displays the results of a fuzzy edit distance search of a CSV file containing a database of 3 million Russian troll tweets compiled by Clemson University, covering 2012 through 2018 with the majority from 2015 to 2017. The search looks for left-wing comments where "Donald Trump" and "Vladimir Putin" both appear in the tweet's content.

Figure: Trump Edit Distance Russian Troll Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – CSV file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case a combination of exact and fuzzy edit distance searches in specific fields combined with a date range search

BlackLynx Capabilities:
- Search of native CSV files using a complex combination of fuzzy edit distance, exact, and date range criteria without indexing or transformation
- Return of the results to Splunk in JSON format

Wake On LAN

Dashboard Solution Statement:
Wake-on-LAN is an Ethernet networking standard that allows a computer to be turned on or awakened by a network message (the "magic packet"). This dashboard searches a PCAP file or files for occurrences of the Wake-on-LAN message and returns the source and destination of each message.

Figure: Wake On LAN Dashboard

Query Inputs:
Host – BlackLynx server hostname or IP address
Filename – PCAP file(s) to be searched, relative to the "/ryftone" directory
Query Expression – search criteria, in this case the components of the Wake-on-LAN message

BlackLynx Capabilities:
- Search of native PCAP files, extracting the packets that match either of the two forms of the Wake-on-LAN message (a raw Ethernet frame or a UDP payload)
- Use of non-ASCII (binary) patterns in the payload query
- Return of the results to Splunk in JSON format
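The two forms of the message and the binary pattern that finds them, as an added Python example that is not BlackLynx code: the magic packet is six 0xFF bytes followed by the target MAC repeated sixteen times, expressed here as a regular expression over bytes with a back-reference, located either directly after an EtherType 0x0842 header or inside a UDP payload. The frames are constructed (zero checksums, which the detector never checks); the SecureOn password and port numbers are sample values.

```python
import re
import struct

# Magic packet: six 0xFF bytes, then the target MAC repeated 16 times (102 bytes),
# optionally followed by a 4- or 6-byte SecureOn password. The pattern is pure
# binary, so it is written over bytes: capture the first MAC copy and require
# 15 back-referenced repeats.
MAGIC_RE = re.compile(rb"\xff{6}(?P<mac>[\x00-\xff]{6})(?P=mac){15}")


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def find_magic_packet(data: bytes, start: int = 0):
    """Locate a magic packet anywhere in data from offset start. A long run of
    0xFF padding also satisfies the regex with a broadcast "MAC"; reject that."""
    for m in MAGIC_RE.finditer(data, start):
        mac = m.group("mac")
        if mac == b"\xff" * 6:
            continue
        trailing = len(data) - m.end()
        return {"offset": m.start(), "target_mac": _mac(mac),
                "secureon_len": trailing if trailing in (4, 6) else 0}
    return None


def inspect_frame(frame: bytes):
    """Classify one Ethernet frame: Wake-on-LAN in its raw EtherType 0x0842 form
    or as a UDP payload (conventionally port 7 or 9). Returns None otherwise."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0842:
        hit, form = find_magic_packet(frame, 14), "ethernet"
    elif ethertype == 0x0800 and len(frame) >= 34 and frame[23] == 17:
        l4 = 14 + (frame[14] & 0x0F) * 4
        dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
        hit, form = find_magic_packet(frame, l4 + 8), f"udp/{dport}"
    else:
        return None
    if hit is None:
        return None
    hit.update(form=form, src_mac=_mac(frame[6:12]), dst_mac=_mac(frame[:6]))
    return hit


# Constructed sample frames (not from a capture). Checksums are zero; the
# detector never looks at them.
TARGET = bytes.fromhex("001a2b3c4d5e")
MAGIC = b"\xff" * 6 + TARGET * 16
BCAST, SRC = b"\xff" * 6, bytes.fromhex("001122334455")
ETH_FORM = BCAST + SRC + b"\x08\x42" + MAGIC
UDP_PAYLOAD = MAGIC + b"secret"                                     # 6-byte SecureOn password
IP_UDP = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(UDP_PAYLOAD), 0, 0, 64, 17, 0,
                      bytes([10, 0, 0, 5]), bytes([255, 255, 255, 255]))
          + struct.pack("!HHHH", 40000, 9, 8 + len(UDP_PAYLOAD), 0))
UDP_FORM = BCAST + SRC + b"\x08\x00" + IP_UDP + UDP_PAYLOAD
NOISE = BCAST + SRC + b"\x08\x42" + b"\xff" * 102                    # padding, not a wake-up

if __name__ == "__main__":
    for name, frame in (("ethernet", ETH_FORM), ("udp", UDP_FORM), ("noise", NOISE)):
        print(name, inspect_frame(frame))
```

The search is deliberately not anchored to the start of the payload: some senders prepend bytes, and the standard only requires the 102-byte sequence to appear somewhere in the datagram. The all-0xFF rejection is the practical false-positive guard, since a frame padded with 0xFF matches the pattern with a broadcast address as the "target".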
