Welcome to the SecurityisFutile blog

I welcome comments and suggestions, I take criticism very lightly (at least most of the time). My goal for this blog is to document various experiments and research projects I feel are both relevant and prominent in the field of computer security (or lack thereof) and share my results and experiences with other fellow computer security enthusiasts. Most of my topics are based solely on open source technology and methodology, mostly due to availability and cost. I believe that effective security measures help keep people honest with their technology, for the most part. Security is futile (useless), or at least it feels that way when an inspired opportunist comes around and exploits your weaknesses. With that being said, I leave you with a quote of inspiration: "There is no security on this earth, there is only opportunity." -- General Douglas MacArthur

Tuesday, November 9, 2010

Kismet meets Splunk!!!

Looking for another way to store all that Kismet data you have been populating into your relational databases?  Well look no further.  Splunk can already index CSV formatted data, so you are in luck!  For those of you who don't know what Kismet is, you can find information on the Kismet official website.  One traditional way of processing, storing and analyzing wireless network traffic has been to use Kismet for capturing the packets and GPS data, output the data in XML format, then use Kisgearth to convert the GPS data into KML files you can load into Google Earth.  This method is very intuitive and does not require a lot of knowledge or know-how to set up.  However, for those of you who don't need to map out pretty pictures of where open access points are around the globe, try exporting your Kismet data in CSV format and then indexing it with Splunk!

Importing the Kismet data
(Instructions assume the person following the steps below is somewhat familiar with Splunk and is using version 4.X of the Splunk software)
  1. Use Kismet to collect some network traffic and save the output into a CSV formatted file
  2. Log into the Splunk web interface and go to Manager > Data Inputs
  3. Click Add New under the Actions column for Files and Directories
  4. Set the source to Upload a local file
  5. Browse to find your Kismet CSV file
  6. Select the Set sourcetype drop box and select the From list option
  7. Select the Select source type from list drop box and select csv as the format for the new input
  8. Then select the index you want your new input to be a part of (use main if nothing else), then click the Save button (may take a moment to complete depending on the size of the file you are indexing)
  9. I would suggest restarting Splunk, then go to your Search app and query your new input data
  • Search: sourcetype="csv-2"
You should see that all of your semicolon-delimited fields from the CSV file are now indexable fields that have been extracted by Splunk!  Who needs a relational database when you have Splunk, I mean seriously??  If you still want pretty pictures with this data, install the Google Maps Splunk app and map your wireless hotspot location points using Google Maps with IP location or your Kismet GPS data. If you want more information on how to set that up, drop me a note and I can help you out!
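As an added example (not code from the original post), here is a small Python parser for the semicolon-delimited Kismet CSV described above that pulls out the open, unencrypted access points and their GPS fix, the same question you would put to Splunk once the fields are extracted. The column names are assumed from Kismet's classic CSV header, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample using a subset of the columns from Kismet's classic
# CSV export (semicolon-delimited, trailing ';' on every line). The column
# names and the 0.000000 "no GPS fix" convention are assumptions.
SAMPLE_KISMET_CSV = """\
Network;NetType;ESSID;BSSID;Channel;Cloaked;Encryption;BestSignal;GPSBestLat;GPSBestLon;
1;infrastructure;CoffeeShop;00:11:22:33:44:55;6;No;None;-55;40.748400;-73.985700;
2;infrastructure;HomeNet;66:77:88:99:AA:BB;11;No;WPA,PSK,TKIP;-70;40.748900;-73.986100;
3;infrastructure;;CC:DD:EE:FF:00:11;1;Yes;WEP;-80;0.000000;0.000000;
4;probe;;22:33:44:55:66:77;0;No;None;-90;0.000000;0.000000;
"""


def parse_kismet_csv(text):
    """Return one dict per network row, keyed by the Kismet header names.

    Kismet ends every line with ';', which csv sees as an empty last
    column; that empty key is dropped so the dicts only carry real fields.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    rows = []
    for row in reader:
        row.pop("", None)          # discard the empty trailing column
        rows.append(row)
    return rows


def open_access_points(rows):
    """List infrastructure networks with no encryption, plus a GPS fix if any."""
    found = []
    for r in rows:
        if r["NetType"] != "infrastructure" or r["Encryption"] != "None":
            continue
        lat, lon = float(r["GPSBestLat"]), float(r["GPSBestLon"])
        found.append({
            "bssid": r["BSSID"],
            "essid": r["ESSID"] or "<hidden>",
            "gps": (lat, lon) if (lat, lon) != (0.0, 0.0) else None,
        })
    return found


def encryption_summary(rows):
    """Count infrastructure networks per encryption family (first token of
    Kismet's comma-separated Encryption column, e.g. 'WPA,PSK,TKIP' -> 'WPA')."""
    return Counter(r["Encryption"].split(",")[0]
                   for r in rows if r["NetType"] == "infrastructure")
```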

  Happy Spelunking!!!

1 comment:

  1. Excellent writeup. You are absolutely right about "Who needs a relational database when you have Splunk..."
