By
A project submitted
In
partial fulfillment of the requirements
for the degree of
BACHELOR OF TECHNOLOGY
in
Computer Engineering
Faculty of Technology
Department of Computer Engineering
Dharmsinh Desai University
April 2019
CERTIFICATE
Dr. C. K. Bhensdadia
Head of Department
Dept. of Computer Engg.
Faculty of Technology
Department of Computer Engineering
Dharmsinh Desai University
April 2019
COMPANY CERTIFICATE
ACKNOWLEDGEMENT
Theoretical knowledge is of no importance if one doesn’t know the way to put it to use.
I’m thankful to my institute for providing me an opportunity to apply my theoretical knowledge
through the project. I feel obliged to submit this project as part of my curriculum.
I would like to take the opportunity to express my humble gratitude to my guide Mr. Jay Shah,
Software Engineer at Crest Data Systems, under whom I undertook my project. His constant
guidance and willingness to share his vast knowledge enhanced my knowledge and
helped me in the project with words of encouragement, and he showed full confidence in my
abilities. Without his effort and full support, this project may not have succeeded.
Although there may be many who are unacknowledged in this humble vote of thanks, there are
none who remain unappreciated.
ABSTRACT I
TABLE II
LIST OF FIGURES II
LIST OF TABLES III
APPENDICES 60
BIBLIOGRAPHY 61
REFERENCES 62
ABSTRACT
Today we live in a world that is based almost entirely on computers and smart gadgets. One
major driver of the evolution of this tech world is the Internet. Right now the internet is a
necessity for everyone, like food, clothing and shelter. In every field we use the internet: social
media, shopping, bookings, entertainment and employment. The internet is therefore also prone
to various attacks; every day thousands of new attacks emerge from different sources, and to
counter them we have threat intelligence systems.
TruSTAR is one such threat intelligence platform, which helps us in detecting threats.
Its primary resources are reports and indicators. By implementing the App and Add-on for
TruSTAR we can learn about possible attacks that may arise in the future. We collect the
reports and indicators using the Add-on, and we have created custom visualizations in the App
which help in visualizing the reports, the indicators and the indicators matched in Splunk.
TABLE
LIST OF FIGURES
Fig 3.1 Use Case Diagram 29
Fig 3.2 DataFlow Diagram 30
Fig 3.3 Sequence Diagram 31
Fig 3.4 Activity Diagram 32
Fig 4.1 Automation Step 34
Fig 4.2 System Architecture 35
Fig 4.3 TA and App in a distributed environment 36
Fig 4.4 TA and App in a standalone environment 36
Fig 6.1 Splunk Instance Screen 48
Fig 6.2 Tenable Add-On Inputs Page 48
Fig 6.3 Add Account 49
Fig 6.4 Add Trustar Report 50
Fig 6.5 Add Trustar Indicator 52
Fig 6.6 Add Trustar Enclave 54
Fig 6.7 Final View Of Addon 55
Fig 6.8 View of App 56
Fig 6.9 View Of Reported Data 57
LIST OF TABLES
Overview Of Splunk:
Splunk is a software platform to search, analyze and visualize the machine-generated data
gathered from the websites, applications, sensors, devices etc. that make up your IT
infrastructure and business.
It does not require complicated databases, connectors, custom parsers or controls, as it works
efficiently through a web browser and its own search algorithms. Splunk Enterprise can also be
used as a cloud application that is highly scalable and reliable.
Apps deliver a user experience designed to make Splunk immediately useful and relevant for
typical tasks and roles. Apps simplify and optimize user tasks, yet allow access to the data and
functions of the full platform.
Add-ons typically import and enrich data from any source, creating a rich data set ready for
direct analysis or use in an App. Add-ons can also be used to extend the Splunk platform to
meet your specific needs.
The project is TruSTAR’s App and Add-on. The Add-on is responsible for collecting threat
indicators and reports from TruSTAR’s database. Reports and indicators are resources in
TruSTAR’s data model which are required for the detection of threats.
1.3 PURPOSE:
This App will help the Client’s customers identify potential threats (IOCs) in their network and
provide them with an ever-growing supply of threat intelligence, which is shared across the
community offered by the Client to their customers.
This App will be beneficial for the Client as it will enrich their database with new IOCs collected
from their customers’ networks (with the consent of the customer), which will help them in
providing even richer threat intelligence and will enable them to correlate their data with the
incoming threats.
1.4 SCOPE:
The scope of this project can be briefly divided into two main portions:
1) App
● To display the collected data from TruSTAR’s data models.
● To display the matching threats on the customer’s machine.
2) Add-on
● To collect TruSTAR’s threat resources and integrate them into the Splunk instance.
● To obtain correlated threat resources.
How the project will work and who will use it: all such concerns arise in this phase. We have to
study what the existing system’s problem is, and whether it is worth solving or not.
By using this App and Add-on, TruSTAR can find vulnerabilities and we can visualize them in
the form of a dashboard.
In the development of this project, we first check whether our project is feasible functionally,
technically and economically. Then we collect the requirements; that is, we gather all the
requirements we need to develop our system. After thoroughly understanding the requirements,
we start development.
Our development process is basically divided into two parts: Python files for the back end and
the Splunk App for the front end, i.e. visualization.
Agile Model
Agile SDLC model is a combination of iterative and incremental process models with a focus on
process adaptability and customer satisfaction by rapid delivery of working software product.
Agile Methods break the product into small incremental builds. These builds are provided in
iterations. Each iteration typically lasts from about one to three weeks. Every iteration involves
cross-functional teams working simultaneously on various areas like planning, requirements
analysis, design, coding, unit testing, and acceptance testing. At the end of the iteration, a
working product is displayed to the customer and important stakeholders.
What is Agile?
Agile model believes that every project needs to be handled differently and the existing methods
need to be tailored to best suit the project requirements. In agile the tasks are divided into time
boxes (small time frames) to deliver specific features for a release. An iterative approach is taken
and working software build is delivered after each iteration. Each build is incremental in terms of
features; the final build holds all the features required by the customer.
Drawbacks of the Agile model:
● For some software deliverables, especially large ones, it is difficult to assess the effort
required at the beginning of the software development life cycle.
● There is a lack of emphasis on necessary design and documentation.
● The project can easily be taken off track if the customer representative is not clear about the
final outcome they want.
● Only senior programmers are capable of taking the kind of decisions required during the
development process, so there is no place for novice programmers unless they are combined
with experienced resources.
After the feasibility study, the functional requirements, which were decided by our project lead,
were almost clear. After analyzing and thoroughly understanding the requirements of the
application we planned the project. A 3-tier architecture is used for this system. Here we have
decomposed the system into modules, and the internals of the individual modules are designed
in greater detail. The coding and unit testing phase is required to translate the software design
into source code; during this phase each module is unit tested to verify the correct working of
all the individual modules. The integration and system testing phase consists of integrating the
modules in a planned manner; during each integration step we have tested the partially
integrated system. Finally, when all the modules were successfully integrated and tested, system
testing was carried out successfully.
Implementation and testing | The output obtained for the required functionality and module. | It gives the required implementation and the various types of testing.
2.2.4 Roles And Responsibilities:
Kartik Dass
Parth Panchal
The TruSTAR platform holds details of malicious and harmful threats, internally known as
indicators. Currently no system is available to process this data in Splunk to obtain interactive
statistical information and attractive visualizations from it. Our product therefore enables
TruSTAR users to ingest huge amounts of data in real time and analyze them via interactive
visualizations. This product is mainly focused on TruSTAR users who use Splunk.
2.3.5 CONSTRAINTS
As per the company’s policy, every developer has to maintain the coding standards and follow
Splunk best practices. Every user must also use Subversion and commit modifications with
appropriate comments, so as to keep track of the work and of the code modifications. From the
client’s perspective, developers should use well-known coding standards.
There are almost no hardware limitations: if Splunk Enterprise is supported on a system, then the
TruSTAR app is supported too.
The Splunk App and Add-on for TruSTAR are tightly interfaced with TruSTAR: they synchronize
with the TruSTAR platform to collect indicators and indicator metadata such as type, score and
status, they update the sightings count of indicators on the TruSTAR platform, and they provide
workflow actions to mark indicators as true or false positives on TruSTAR.
The TruSTAR Splunk App and Add-on carry out the following operations in parallel:
● Data Collection: based on the interval configured in the Add-on input, Splunk periodically
runs a Python script to collect indicators from the specified export on the TruSTAR
platform and indexes them in the configured Splunk index.
● Sightings: a saved search runs periodically according to the configured interval and
executes a custom command that matches the indicators to raw events in Splunk and
saves the sightings metadata in Splunk.
● Update Sighting count on TruSTAR: a scheduled saved search periodically updates the
sighting count of indicators on the TruSTAR platform via REST API calls written in a
custom command’s script.
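As an added example (not the project’s own code), here is the core of the Sightings step in Python: active indicators are normalized, raw events are tokenized, each indicator is counted once per event, and the result is shaped for the periodic sighting-count update. The indicator field names, the payload shape and all sample indicators and events are constructed assumptions, not TruSTAR’s schema or API; inactive indicators are skipped so that stale intelligence does not produce sightings.

```python
import re

# Constructed sample indicators carrying the type/score/status metadata the
# add-on collects. Field names are assumptions, not TruSTAR's schema.
INDICATORS = [
    {"value": "198.51.100.23", "type": "IP", "score": 3, "status": "active"},
    {"value": "http://bad-updates.example/setup.exe", "type": "URL", "score": 2, "status": "active"},
    {"value": "44D88612FEA8A8F36DE82E1278ABB02F", "type": "MD5", "score": 3, "status": "active"},
    {"value": "203.0.113.9", "type": "IP", "score": 1, "status": "inactive"},
]

# Constructed raw events standing in for log lines already indexed in Splunk.
EVENTS = [
    "2019-04-02T10:00:01Z fw action=allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2019-04-02T10:00:07Z proxy user=alice url=http://bad-updates.example/setup.exe status=200",
    "2019-04-02T10:01:15Z av host=ws-17 file=setup.exe md5=44d88612fea8a8f36de82e1278abb02f",
    "2019-04-02T10:02:30Z fw action=allow src=10.0.0.8 dst=198.51.100.23 dport=443",
    "2019-04-02T10:03:00Z dns query=updates.example.com answer=203.0.113.9",
]

# A token is a run of host/hash/IP characters; '=' and '/' split key=value pairs and URLs.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]*")


def normalize(value, ioc_type):
    """Canonical form of an indicator: lower-case, and host part only for URLs."""
    value = value.strip().lower()
    if ioc_type == "URL":
        value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)  # drop the scheme
        value = value.split("/", 1)[0]                      # keep the host
    return value


def build_lookup(indicators):
    """Map normalized value -> indicator record, ignoring inactive indicators."""
    lookup = {}
    for ind in indicators:
        if ind["status"] == "active":
            lookup.setdefault(normalize(ind["value"], ind["type"]), ind)  # first wins
    return lookup


def find_sightings(indicators, events):
    """Scan events for indicator tokens; each indicator counts once per event."""
    lookup = build_lookup(indicators)
    sightings = {}
    for event_no, event in enumerate(events):
        seen = set()
        for tok in TOKEN_RE.findall(event):
            tok = tok.lower()
            ind = lookup.get(tok)
            if ind is None or tok in seen:
                continue
            seen.add(tok)
            rec = sightings.setdefault(tok, {"indicator": ind["value"], "type": ind["type"],
                                             "score": ind["score"], "count": 0, "events": []})
            rec["count"] += 1
            rec["events"].append(event_no)
    return sightings


def sighting_update_payload(sightings):
    """Rows for the periodic sighting-count update, highest score and count first.
    The row shape is hypothetical, not TruSTAR's REST schema."""
    ordered = sorted(sightings.values(), key=lambda s: (-s["score"], -s["count"], s["indicator"]))
    return [{"indicator": s["indicator"], "type": s["type"], "sightings": s["count"]} for s in ordered]
```

Running `sighting_update_payload(find_sightings(INDICATORS, EVENTS))` yields three rows; the inactive 203.0.113.9 indicator produces no sighting even though it appears in the DNS event.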
Criticality means any malfunction of the system or any accidental event in the software which
can damage software as well as hardware resources. To my knowledge there is no such
criticality in our application.
R2: Connection
This functionality allows connecting to Splunk Enterprise via a REST API call.
Input: Splunk installation base URI, username and password for Splunk
Output: session key for the connection with the specified Splunk instance
Processing: use the REST API endpoint to connect to the specific Splunk instance.
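An added example of R2 (not the project’s code), using only the Python standard library: it builds the login request for Splunk’s `/services/auth/login` endpoint, refuses non-HTTPS base URIs so credentials never travel in the clear, parses the session key out of the XML Splunk returns, and forms the `Authorization: Splunk <key>` header used on later REST calls. The host, credentials and the sample response are constructed placeholders.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Splunk's documented session-key endpoint on the management port (8089 by default).
LOGIN_PATH = "/services/auth/login"


def is_https(base_uri):
    """Credentials and session keys must only travel over TLS."""
    return base_uri.lower().startswith("https://")


def build_login_request(base_uri, username, password):
    """URL and form-encoded body for POST /services/auth/login."""
    if not is_https(base_uri):
        raise ValueError("Splunk management URI must use https://")
    url = base_uri.rstrip("/") + LOGIN_PATH
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    return url, body


def parse_session_key(response_bytes):
    """Pull <sessionKey> out of the XML response; fail loudly when it is missing."""
    root = ET.fromstring(response_bytes)
    node = root.find("sessionKey")
    key = (node.text or "").strip() if node is not None else ""
    if not key:
        raise ValueError("login response contains no sessionKey")
    return key


def auth_header(session_key):
    """Header form Splunk expects on subsequent REST calls."""
    return {"Authorization": "Splunk " + session_key}


def login(base_uri, username, password, timeout=10):
    """Obtain a session key; the default opener verifies the server certificate."""
    url, body = build_login_request(base_uri, username, password)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_session_key(resp.read())


# Constructed response in the shape the login endpoint returns (the key is made up).
SAMPLE_RESPONSE = b"""<response>
  <sessionKey>192fd3e46a31246da7ea7f109e7f95fd</sessionKey>
  <messages><msg code=""></msg></messages>
</response>"""
```

`login("https://splunk.example:8089", "admin", "<password>")` performs the real exchange against a live instance; the session key it returns is a bearer credential and should be kept in memory, not logged.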
R4.2: Creation of Input
R4.2.1: Create Input for TruSTAR Reports
Input: user provides input_name, interval, index, Start Time, Enclaves, Global Account
Output: successful creation of Input.
Processing: validates the inputs provided by the user.
R6:Dashboard Visualizations.
Usability
The UI of the Splunk App should be user-friendly so that user can navigate easily through the
app.
Accuracy
While developing the application, we must make the system very accurate in its functions. All
data should keep working properly: the system should keep receiving correct input, process it
accurately and produce the correct output. Accuracy is the most important non-functional
characteristic or requirement of the system.
Reliability
Error handling mechanism must be robust to avoid failure of the operation and in the case of
failure the app reports it to user without any due harm.
Performance
This App will match events across millions of log entries containing raw data from the
customer’s network with the IOCs received from the Client’s site via HTTP calls made by the
Add-on. Performance of the App is crucial as it will affect the delivery of Reports, Alerts and
possibly cause data loss.
Security Requirements
The data being collected from the Client’s site and the data with which it is being matched are
both highly confidential and need to be secured. For the customer’s on-premises data, Splunk can
ensure that the data doesn’t leave the network, as it has features like user authentication and user
role management. The Client’s API returns encrypted data which can be decrypted once
received; this ensures the protection of the transmitted data.
Description:
The Splunk App allows users to use context from TruSTAR’s IOCs and incident reports within
their Splunk analysis workflow. TruSTAR arms security teams with high-signal intelligence
from sources such as internal historical data, open and closed intelligence feeds, and anonymized
incident reports from TruSTAR’s vetted community of enterprise members.
4.3 SYSTEM TOPOLOGY
Trustar add-on and app for Splunk are intended to do data collection, data normalization and
visualization of data through API calls.
Below is the topology of TA and App in a distributed and standalone environment.
IMPLEMENTATION PLANNING
5.1 IMPLEMENTATION ENVIRONMENT
In this project, our implementation environment is mainly Python and the Splunk Enterprise
software. We have used Python 2 to implement the Python library modules. We chose Python
for the automation implementation because it is open source, easy to use and already mature.
We are using the Splunk Enterprise software solution; it is software from Splunk Inc.,
San Francisco, CA (www.splunk.com) that collects and analyzes machine-generated data in
real time to derive operational intelligence. Splunk Enterprise is the local version, and Splunk
Cloud is software-as-a-service (SaaS). Apart from that, we are also using the Event-Gen app, a
Splunk app that is useful for generating dummy events in the environment. Event-Gen needs no
specific configuration or code; we just need to install it in the Splunk environment.
● We have followed standard Python indentation and the SonarLint extension for Python coding.
● autopep8 and Python best practices are followed in our code, along with Splunk XML and
configuration writing standards for Splunk app development.
● A SonarQube report is generated for each sprint in our project. It detects code smells, bugs
and the complexity of each function.
● Code complexity must be less than 15 for successful testing.
Chapter 6
Testing
6.1 TESTING PLAN:
Application testing is a critical element of application quality assurance and represents the
ultimate review of specification, design, and code generation. Once the source code has been
generated, the application must be tested to uncover as many errors as
possible before delivery to the users. This chapter describes some of the testing techniques for
designing tests that,
Tested Items:
Tested items are like sending a request to the administrator, solving the sent request by the
assignee, changing the password of assignee and student, sending user feedback, adding new
categories, adding new departments, etc.
Testing Schedule:
Testing has been done for each procedure back-to-back so that errors and omissions can be found
as early as possible. Once the system has been developed fully, the testing procedure is followed
on other machines which differ in configuration.
Software Testing involves executing an implementation of the software with test data and
examining the outputs of the software and its operational behavior to check that it is performing
as required.
Black-box Testing:
In Black-Box Testing or Functional Testing, the output of the module and software is taken into
consideration, i.e. whether the software gives proper output as per the requirements or not. In
other words, this testing aims to test a program's behavior against its specification without
making any reference to the internal structure of the program or the algorithms used. Therefore
the source code is not needed, and so even purchased modules can be tested.
The program just gets a certain input and its functionality is examined by observing the output.
● Input Interface
● Output Interface
● Processing
The tested program gets certain inputs. Then the program does its job and generates a certain
output, which is collected by a second interface. This result is then compared to the expected
output, which has been determined before the test.
White-box Testing:
Tests are designed to exercise the code. The code is tested using test scripts, drivers, etc.
White-box testing is used as an important primary testing approach. Here the code is inspected,
and scripts and drivers are employed to directly interface with and drive the code. The tester can
analyze the code and use knowledge about the structure of a component to derive the test data.
White-box testing methods like control testing and loop testing have been used to increase the
reliability of the software.
Integration Testing:
After the individual modules were tested, the integration procedure is done to create a complete
system. This integration process involves building the system and testing the resultant system for
problems that arise from component interactions. The top-down strategy is applied to validate
high-level components of a system before design and implementation have been completed,
because the development process starts with high-level components and works down the
component hierarchy.
6.4 TEST CASES:
T05 | Create Input for Trustar inputs with specific filters. | Successful creation of Input. | Input is validated and created. | Pass
Table 6.5 Test Cases for Dashboard Visualization
The user manual is a document that explains to users how to use or operate something, such as a
software program or some other component or application. The user manual tells the user, by
written description or by pictures, how to use that application. It also describes the steps to
follow for a particular functionality to work. In our application we provide different functionality
to the user, and the following is the stepwise description of how to use it.
● Make the necessary configuration changes and put the required installation files in place
before running the code. Following is the list of required files:
○ Splunk installation file
○ TA and App for TruSTAR
● Steps:
1. Installation of Splunk with a license.
2. Installation of the App.
3. Installation of the TA.
4. Configuration of Inputs in the TA.
6.5.3 SCREENSHOTS
6.5.3.2 DASHBOARDS
1. Reports Data.
As computers and electronic devices have become central to our lives, monitoring and analyzing
data and logs has become a very popular field. The task of accessing machine data and taking
the necessary action when an undesirable situation occurs is critical, and here Splunk proves
useful. Splunk stores machine data or logs in indexes, extracts fields from those events, and lets
us write queries to visualize those log events.
The TruSTAR App and Add-on for Splunk help us in identifying threats which could otherwise
be harmful to the customer. With its ever-growing customer base, we can be assured of coverage
of new and upcoming threats. Its panels help the user identify the state of the system and whether
there may be harmful threats in it. The App has added features like Adaptive Response actions
and workflow actions which help upload reports to TruSTAR’s station.
Furthermore, storing data in lookups helps the customized panels load faster.
7.2 LIMITATIONS
● The time taken to match the indicators and reports increases as the number of
events indexed in Splunk increases.
● Installing the Splunk environment on a remote machine is not supported; to do that the
user has to log in to the remote machine and run the code.