Installation
The DDoS Detector for Splunk App and Technology Add-on for NetFlow are designed to work together.

Download

Where to install

Install the DDoS Detector Splunk App and the Technology Add-on for NetFlow (TA-netflow) on the following nodes:

Splunk Node           What to install
Search Head           Add-on and App
Indexer               Add-on only
Heavy Forwarder       Add-on only
Universal Forwarder   None

The UDP data input and, if you use a dedicated index, the indexes.conf described below belong on the node that actually receives the NetFlow Optimizer (NFO) syslog feed, i.e. an indexer or a heavy forwarder, not on the search head.

Post Installation Steps

Create a data input

Use the GUI to create a Data Input, or create it in inputs.conf from the CLI. In either case make sure the sourcetype is set to flowintegrator; the App's searches and lookups key on that sourcetype, so events landing under any other sourcetype will be indexed but never reach the dashboards.

GUI

  • In the top right corner, click Settings -> Data inputs
  • In the row for UDP click Add new
  • Enter a port number and click Next
  • Click Select Sourcetype and type flowintegrator
  • Change the App Context to the Technology Add-on for NetFlow (TA-netflow)
  • Set any other settings such as Method or Index as appropriate for your environment
  • Click Review, followed by Submit

CLI

Create inputs.conf in the correct directory: $SPLUNK_HOME/etc/apps/TA-netflow/local/inputs.conf
Add the following lines to the file. This example uses UDP port 10514 for the NFO syslog feed; change the port as needed:

[udp://10514]
sourcetype = flowintegrator
By default, NetFlow Optimizer events are stored in the main index. If you want to use another index, for example flowintegrator, create the file $SPLUNK_HOME/etc/apps/TA-netflow/local/indexes.conf on the indexer and add the following lines to it:

[flowintegrator]
homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/db
coldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddb
thawedPath = $SPLUNK_DB/flowintegrator/thaweddb

In that case make sure your $SPLUNK_HOME/etc/apps/TA-netflow/local/inputs.conf file contains the following:

[udp://10514]
sourcetype = flowintegrator
index = flowintegrator

The index named in inputs.conf must exist on the indexer before data arrives: Splunk discards events addressed to an index it does not know about, and the only trace is a warning in splunkd.log. Restart Splunk (or reload the configuration) after editing either file.
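The following script is an added example, not part of the DDoS Detector app or TA-netflow. It parses a TA-netflow local inputs.conf / indexes.conf pair like the one above and reports the mistakes that silently lose NFO events: a UDP stanza with a bad port, a sourcetype other than flowintegrator, or an inputs.conf index that no indexes.conf stanza defines. The check_ta_netflow helper, the BUILTIN_INDEXES set and the sample file contents are assumptions made for the example.

```python
"""Consistency check for the TA-netflow local inputs.conf / indexes.conf pair.

Added example; it is not part of the DDoS Detector app or TA-netflow.
It parses the two files the steps above create and reports the mistakes
that silently lose NetFlow Optimizer events: a UDP stanza with a bad port,
a sourcetype other than flowintegrator, or an inputs.conf index that no
indexes.conf stanza defines (Splunk drops events sent to an unknown index).
"""
import configparser
from pathlib import Path

# Indexes present on a stock Splunk install without any indexes.conf entry
# (assumed set for this example; extend it for your deployment).
BUILTIN_INDEXES = {"main", "history", "summary", "_internal", "_audit"}


def load_conf(text):
    """Splunk .conf files are INI-style; keep key case (homePath, coldPath)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_netflow_input(inputs_text, indexes_text="", expected_sourcetype="flowintegrator"):
    """Return a list of problems; an empty list means the pair is consistent."""
    inputs = load_conf(inputs_text)
    indexes = load_conf(indexes_text)
    defined = BUILTIN_INDEXES | set(indexes.sections())
    problems = []

    udp_stanzas = [s for s in inputs.sections() if s.startswith("udp://")]
    if not udp_stanzas:
        return ["inputs.conf: no [udp://<port>] stanza"]
    for stanza in udp_stanzas:
        # Accept both [udp://<port>] and [udp://<remote host>:<port>] forms.
        port = stanza[len("udp://"):].rsplit(":", 1)[-1]
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"{stanza}: {port!r} is not a valid UDP port")
        st = inputs.get(stanza, "sourcetype", fallback=None)
        if st != expected_sourcetype:
            problems.append(f"{stanza}: sourcetype is {st!r}, expected {expected_sourcetype!r}")
        idx = inputs.get(stanza, "index", fallback="main")  # Splunk's default index
        if idx not in defined:
            problems.append(f"{stanza}: index {idx!r} is not defined in indexes.conf")

    # Every custom index needs all three bucket paths or splunkd refuses it.
    for idx in indexes.sections():
        for key in ("homePath", "coldPath", "thawedPath"):
            if not indexes.has_option(idx, key):
                problems.append(f"[{idx}]: missing {key}")
    return problems


def check_ta_netflow(splunk_home):
    """Run the check against $SPLUNK_HOME/etc/apps/TA-netflow/local on disk (assumed helper)."""
    local = Path(splunk_home) / "etc" / "apps" / "TA-netflow" / "local"
    inputs_path, indexes_path = local / "inputs.conf", local / "indexes.conf"
    if not inputs_path.exists():
        return [f"{inputs_path}: not found"]
    indexes_text = indexes_path.read_text() if indexes_path.exists() else ""
    return check_netflow_input(inputs_path.read_text(), indexes_text)


if __name__ == "__main__":
    # Constructed samples: the working pair from this page and a broken inputs.conf.
    GOOD_INPUTS = "[udp://10514]\nsourcetype = flowintegrator\nindex = flowintegrator\n"
    GOOD_INDEXES = ("[flowintegrator]\n"
                    "homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/db\n"
                    "coldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddb\n"
                    "thawedPath = $SPLUNK_DB/flowintegrator/thaweddb\n")
    BAD_INPUTS = "[udp://10514]\nsourcetype = syslog\nindex = flowintegrator\n"
    print("good:", check_netflow_input(GOOD_INPUTS, GOOD_INDEXES))
    print("bad: ", check_netflow_input(BAD_INPUTS))
```

Run it on the indexer or heavy forwarder with check_ta_netflow("/opt/splunk") (or whatever $SPLUNK_HOME is) before restarting Splunk; an empty list means the stanzas agree with each other. It does not replace "splunk btool inputs list --debug", which also shows settings inherited from other apps.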

Verify the configuration

To verify that NFO syslog events reach Splunk, open the default Search App and run:

index=flowintegrator sourcetype=flowintegrator

If you kept the default index, search index=main sourcetype=flowintegrator instead. If Splunk is receiving the syslog feed from NFO, events show up here; if nothing appears, confirm that NFO is sending to the configured UDP port and that no host firewall is dropping the datagrams.

Setting up Local subnets

The App relies on the list of local subnets to determine inbound / outbound traffic and the location of attackers and victims. The default my-subnets.csv file is located in $SPLUNK_HOME/etc/apps/ddos_detector/lookups and contains the RFC 1918 private ranges:

subnet,description
10.0.0.0/8,ClassA
172.16.0.0/12,ClassB
192.168.0.0/16,ClassC

Copy this file to $SPLUNK_HOME/etc/apps/ddos_detector/local/lookups and add your subnets. Include any public ranges you own (for example your Internet-facing web tier): an attack against a host that is not in this list is not seen as inbound, so it will not be attributed to a local victim.
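The following script is an added example, not part of the DDoS Detector app. It reads a my-subnets.csv with the header shown above (subnet,description), rejects rows a CIDR lookup could not use, and labels sample flows inbound / outbound / internal / external according to which endpoints fall inside the local ranges, which is the attacker-versus-victim placement the App derives from this file. The sample CSV, the sample flows and the classify_flow / summarize helpers are constructed for the example.

```python
"""Validate my-subnets.csv and classify flows against the local subnet list.

Added example; not part of the DDoS Detector app. It reads a lookup file
with the page's header (subnet,description), rejects rows the app could not
use, and labels flows inbound / outbound / internal / external by which
endpoints fall inside the local ranges. Sample CSV and flows are constructed.
"""
import csv
import io
import ipaddress
from collections import Counter


def load_local_subnets(csv_text):
    """Parse the lookup; return (networks, errors). Rows with errors are skipped."""
    networks, errors = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    if not reader.fieldnames or "subnet" not in reader.fieldnames:
        return [], ["header must contain a 'subnet' column"]
    for lineno, row in enumerate(reader, start=2):   # line 1 is the header
        raw = (row.get("subnet") or "").strip()
        if not raw:
            errors.append(f"line {lineno}: empty subnet")
            continue
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.1/8,
            # which a lookup would otherwise silently mis-match.
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            errors.append(f"line {lineno}: {raw!r} is not a valid network in CIDR form")
            continue
        networks.append(net)
    return networks, errors


def is_local(ip, networks):
    """True if ip falls inside any listed subnet of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def classify_flow(src, dst, networks):
    """inbound = external source hitting a local host (the DDoS victim side)."""
    src_local, dst_local = is_local(src, networks), is_local(dst, networks)
    if src_local and dst_local:
        return "internal"
    if dst_local:
        return "inbound"
    if src_local:
        return "outbound"
    return "external"   # neither end is ours: traffic the app cannot attribute


def summarize(flows, networks):
    """Count directions over (src, dst) pairs, e.g. taken from a flow export."""
    return Counter(classify_flow(s, d, networks) for s, d in flows)


if __name__ == "__main__":
    SAMPLE_CSV = ("subnet,description\n"              # constructed lookup file
                  "10.0.0.0/8,ClassA\n"
                  "203.0.113.0/24,public web tier\n")
    nets, errs = load_local_subnets(SAMPLE_CSV)
    print("errors:", errs)
    SAMPLE_FLOWS = [("198.51.100.7", "203.0.113.10"),   # constructed flows
                    ("10.1.2.3", "198.51.100.7"),
                    ("10.1.2.3", "10.9.9.9"),
                    ("198.51.100.7", "192.0.2.1")]
    print(summarize(SAMPLE_FLOWS, nets))
```

Run load_local_subnets over your edited file before copying it into local/lookups; any error it reports corresponds to a row the App would ignore or mis-match. The classification mirrors the page's definition (inbound means the destination is local), so a quick summarize over a sample of your own flow records will show whether your public ranges are listed: if real Internet-facing hosts come out as "external", the lookup is incomplete.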

Setting Email Alerting

As the first step, if not already done, the outbound email server settings need to be configured. This can be an internal email server or an external mail service (Gmail, for example).
The Gmail configuration is shown below:

Mail host = smtp.gmail.com:587
Email security = TLS
Username = <YOUR_GMAIL_ADDRESS>
Password = <YOUR_GMAIL_PASSWORD>

After filling in the "Mail Server Settings", also configure the Link hostname in the "Email format" section. Use the format https://hostname:port_number (example: https://mysplunk.com:8000). Do not leave it blank to rely on autodetection, which may not work. This value is later used in the email alert to build a clickable link back to Splunk.
The DDoS email notification recipient list is empty by default. See the Alerts section for details on how to set up the alert parameters.
Note that if you change anything on this configuration page, you must also erase and re-enter the "Password" and "Confirm password" fields. Otherwise the password is reset and no email notifications will be sent.