The DDoS Detector for Splunk App and Technology Add-on for NetFlow are designed to work together.
DDoS Detector for Splunk App https://splunkbase.splunk.com/app/4016/
Technology Add-on for NetFlow https://splunkbase.splunk.com/app/1838/
Install DDoS Detector Splunk App and Technology Add-on for NetFlow.
Splunk Node | What to install |
Search Head | Add-on and App |
Indexer | Add-on only |
Heavy Forwarder | Add-on only |
Universal Forwarder | None |
Use the GUI to create a Data Input, or create it in inputs.conf using the CLI. Make sure sourcetype is set to flowintegrator.
In the top right corner, click Settings -> Data inputs
In the row for UDP click Add new
Enter a port number and click Next
Click Select Sourcetype and type flowintegrator
Change the App Context to the Technology Add-on for NetFlow (TA-netflow)
Set any other settings such as Method or Index as appropriate for your environment
Click Review, followed by Submit
Create the inputs.conf in the correct directory: $SPLUNK_HOME/etc/apps/TA-netflow/local/inputs.conf
Add the following lines to the inputs.conf file. This examples uses the syslog port UDP 10514. Change the port as needed:
[udp://10514]sourcetype = flowintegrator
By default NetFlow Optimizer events will be stored in main index. In case you want to use another index, for example flowintegrator, please create the $SPLUNK_ROOT/etc/apps/TA-netflow/local/indexes.conf file, and add the following lines to it:
[flowintegrator]homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/dbcoldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddbthawedPath = $SPLUNK_DB/flowintegrator/thaweddb
In that case make sure your $SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf file contains the following:
[udp://10514]sourcetype = flowintegratorindex = flowintegrator
To test that NFO syslogs reached Splunk, go to default Search App, and type:
index=flowintegrator sourcetype=flowintegrator
If Splunk is getting the syslogs from NFO, then you’ll see events show up here.
The App relies on the list of local subnets to determine inbound / outbound traffic and attackers and victims location. Default my-subnets.csv file is located here: $SPLUNK_ROOT /etc/apps/ddos_detector/lookups and contains the following:
subnet,description10.0.0.0/8,ClassA172.16.0.0/12,ClassB192.168.0.0/16,ClassC
Please copy this file to $SPLUNK_ROOT/etc/apps/ddos_detector/local/lookups and add your subnets.
As the first step, if not already done, the outbound email server settings needs to be configured. It could be an internal email server or external mail service (Gmail for example).
Gmail configuration is shown below.
Mail host = smtp.gmail.com:587Email security = TLSUsername = <YOUR_GMAIL_ADDRESS>Password = <YOUR_GMAIL_PASSWORD>
After filling in the details in the “Mail Server Settings”, also the Link hostname should be configured in the “Email format” section. Use the following format: https://hostname:port_number (example: https://mysplunk.com:8000). Don’t leave it blank for autodetect -- it may not work. This value is later used in the email alert to create a clickable link.
The DDoS email notifications recipients list is empty by default. See Alerts section with details how to set up alerts parameters.
Please, note, that if you change anything on this configuration page, you must also erase and re-enter the "Password" and "Confirm password" fields. Otherwise the password will be reset and no email notifications will be sent.