Missile Map is a project based on the Splunk app Missile Map. Our goal with this project was to track incoming connections to the Student Data Center via the VPN.
To get meaningful data into Missile Map we first needed to find the correct log sources. We wanted the IP addresses of users connecting to the Student Data Center. To access the Student Data Center, students connect to the VPN hosted on our pfSense firewall/router. pfSense logs the connections made via the VPN, and we forwarded these logs to our Splunk server.
The logs on the Splunk server looked like the image below.
Missile Map provides a test data set that shows how it expects the data to be formatted. To view this dataset, run the following SPL query in the Missile Map app:
| inputlookup missilemap_testdata
To feed our data into Missile Map we first need to pull out the IP address of every connecting user. In Splunk we can extract a new field from the raw data, so we used the regex below to extract a src_ip field. The regex skips past the first five single quotes on the line and captures everything up to the next single quote; in a log line like "openvpn server 'ovpns1' user 'vpn' address '47.153.255.97' - connected" that captured text is the address.
^(?:[^'\n]*'){5}(?P<src_ip>[^']+)
Using the regex we extracted the IP addresses into a new field, src_ip. To get latitude and longitude coordinates for these IP addresses we used the iplocation command, which takes an IP address field as input and adds the City, Country, lat and lon fields to each event.
With all the required data in place, we could format it the way Missile Map wants using the SPL below.
Working Search for Tracking Incoming Connections via Missile Map:
index=pfsense openvpn src_ip=*
| iplocation src_ip
| eval start_lat = lat
| eval start_lon = lon
| eval end_lat="34.059705"
| eval end_lon="-117.819758"
| eval animate = "true"
| eval pulse_at_start = "true"
| table src_ip, start_lat, start_lon, end_lat, end_lon, animate, pulse_at_start
Note: animate and pulse_at_start are optional and can be removed if the map gets too laggy.
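To make the two steps above concrete outside Splunk, here is an added Python example (not part of the original write-up or the Missile Map app) that applies the write-up's src_ip regex to a few constructed pfSense OpenVPN log lines and then builds rows with the same columns the SPL table produces. The iplocation command is replaced by a constructed lookup dictionary, the coordinates in it are made up, and the extra address 47.153.255.98 and the user names are invented for the sample. It also shows two cases the SPL silently drops: lines without an address (a disconnect message has fewer than five quotes, so the regex does not match) and private addresses such as 10.0.0.5, for which iplocation returns no coordinates.

```python
import ipaddress
import re
from collections import Counter

# Regex from the write-up: skip past the fifth single quote, then capture
# everything up to the next one (the address field in the pfSense log line).
SRC_IP_RE = re.compile(r"^(?:[^'\n]*'){5}(?P<src_ip>[^']+)")

# Constructed sample log lines in the shape shown in the write-up. The
# address 47.153.255.98, the user names and the disconnect line are made up.
SAMPLE_LOGS = [
    "openvpn server 'ovpns1' user 'vpn' address '47.153.255.97' - connected",
    "openvpn server 'ovpns1' user 'alice' address '47.153.255.98' - connected",
    "openvpn server 'ovpns1' user 'bob' address '10.0.0.5' - connected",
    "openvpn server 'ovpns1' user 'alice' address '47.153.255.98' - connected",
    "openvpn server 'ovpns1' user 'vpn' disconnected",
]

# Stand-in for Splunk's iplocation command: a constructed lookup of
# (lat, lon) per public address. The coordinates here are invented.
FAKE_IPLOCATION = {
    "47.153.255.97": ("33.8", "-117.9"),
    "47.153.255.98": ("33.8", "-117.9"),
}

# Fixed destination used by the write-up's SPL (end_lat / end_lon).
END_LAT, END_LON = "34.059705", "-117.819758"


def extract_src_ip(line):
    """Return the src_ip captured by the regex, or None when the line has
    no address (e.g. a disconnect message with fewer than five quotes)."""
    m = SRC_IP_RE.match(line)
    return m.group("src_ip") if m else None


def is_geolocatable(ip_str):
    """iplocation yields empty lat/lon for private, loopback and other
    non-routable addresses, so filter them out before building map rows.
    Malformed captures (the regex only requires 'no quote') are rejected too."""
    try:
        return ipaddress.ip_address(ip_str).is_global
    except ValueError:
        return False


def build_missilemap_rows(lines, geo_lookup):
    """Mirror the SPL table: one row per distinct src_ip, start coordinates
    from the lookup, fixed end point. A connection count is kept per address
    so repeat connections from one source are visible."""
    counts = Counter(
        ip for ip in map(extract_src_ip, lines) if ip and is_geolocatable(ip)
    )
    rows = []
    for ip, n in sorted(counts.items()):
        if ip not in geo_lookup:
            continue  # iplocation found nothing; skip rather than emit empty start_lat/lon
        lat, lon = geo_lookup[ip]
        rows.append({
            "src_ip": ip,
            "start_lat": lat,
            "start_lon": lon,
            "end_lat": END_LAT,
            "end_lon": END_LON,
            "animate": "true",
            "pulse_at_start": "true",
            "connections": n,
        })
    return rows


if __name__ == "__main__":
    for row in build_missilemap_rows(SAMPLE_LOGS, FAKE_IPLOCATION):
        print(row)
```

The private-address filter matters in practice: VPN clients coming from the campus LAN show up with RFC 1918 addresses, and iplocation leaves start_lat and start_lon empty for them, which produces arcs with no origin on the map.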
And remember:
It's Nukes or Nothing!