Get Packet Payloads with Splunk
It is fairly easy to create a workflow action to access the MetaFlows File-Carving and PCAP extraction interface.
Step 1: Extract the flow information from the MetaFlows event feed.
If you already use CEF log output from MetaFlows, or if you want to change to it, then the required fields should already be extracted:
src, dst, spt, dpt, start
Or, if you are using the standard syslog output, then you will need an extraction regex similar to the following to make sure each record has those fields:
Additionally, you will need to append “|eval start=_time” to your queries in order to get the start field, unless you already have a derived field that gives you a unix timestamp to use in the query.
Or, if you have your own parsing in place that uses different field names for ‘Source IP, Destination IP, Source Port, Destination Port, Timestamp’, then you may need to adjust the field names in the URI under step 2 to match. You will still need to make sure that you can provide a unix timestamp field.
Step 2: Create a workflow action.
Go to Settings -> Fields -> Workflow actions -> New and set the following fields:
Label: Extract PCAP / Carve Files $src$ $dst$ $start$
Show action in: Both
Action Type: Link
URI: https://nsm.metaflows.com/sockets/historical.php?w=carver&srca=$src$&dsta=$dst$&srcp=$spt$&dstp=$dpt$&st=$start$&sensor_sid=<your sensor’s SID>
Open link in: New Window
Link method: Get
Your sensor’s SID should be a hash listed on the view sensors page, or in the file /nsm/etc/UUID on the sensor itself.
Step 3: Test the Setup.
Test by selecting Extract PCAP / Carve Files from the Event Actions menu for any event in a search. You need to be logged into MetaFlows for this to work. It should take you straight to the File Carving interface which will provide a link to the PCAP data as well.
Note that if you have ‘Log All Packets’ enabled, you will most likely see the PCAP slice as well as all the files that were downloaded/uploaded in that flow or set of flows. If you do not have ‘Log All Packets’ enabled, you will only see the PCAP slice corresponding to the packets logged by the IDS system.
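To check what the workflow action above will open before wiring it into Splunk, here is an added example (not MetaFlows or Splunk code) that models the $field$ substitution from steps 1 and 2: it maps your own field names onto the URI parameters, rejects a start field that is not a unix timestamp, and URL-encodes the result. The sensor SID is an assumed placeholder.

```python
from urllib.parse import urlencode

# Base of the MetaFlows File-Carving / PCAP interface used by the workflow action.
CARVER_URL = "https://nsm.metaflows.com/sockets/historical.php"

# URI parameter -> Splunk field name, using the CEF field names from step 1.
# Override this mapping if your own parsing uses different field names.
DEFAULT_FIELDS = {"srca": "src", "dsta": "dst", "srcp": "spt", "dstp": "dpt", "st": "start"}


def unix_timestamp(value):
    """Return `value` as an integer epoch, or raise ValueError.

    '|eval start=_time' yields seconds as a float, so floats are truncated;
    formatted date strings are rejected because the carver expects an epoch.
    """
    try:
        ts = float(value)
    except (TypeError, ValueError):
        raise ValueError(f"start is not a unix timestamp: {value!r}")
    if not 0 <= ts <= 4_102_444_800:  # assumed sanity range: 1970 .. 2100
        raise ValueError(f"start is outside the plausible epoch range: {value!r}")
    return int(ts)


def port(value):
    """Return `value` as an integer TCP/UDP port, or raise ValueError."""
    p = int(value)
    if not 0 <= p <= 65535:
        raise ValueError(f"not a valid port: {value!r}")
    return p


def carver_link(event, sensor_sid, fields=None):
    """Build the link the workflow action would open for one Splunk event.

    `event` is a dict of the event's extracted fields; `fields` maps the URI
    parameters to your field names (the 'adjust the field names' case).
    """
    fields = DEFAULT_FIELDS if fields is None else fields
    missing = [f for f in fields.values() if f not in event]
    if missing:
        raise KeyError(f"event lacks required fields: {missing}")
    params = {"w": "carver"}
    for param, field in fields.items():
        raw = event[field]
        if param == "st":
            params[param] = unix_timestamp(raw)
        elif param in ("srcp", "dstp"):
            params[param] = port(raw)
        else:
            params[param] = raw
    params["sensor_sid"] = sensor_sid  # hash from the view sensors page or /nsm/etc/UUID
    return f"{CARVER_URL}?{urlencode(params)}"
```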