Splunk for DShield

Thanks For Downloading!

Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

The DShield for Splunk application allows you to search, navigate and summarize SANS Internet Storm Center's DShield data (http://www.dshield.org).

The application retrieves DShield data (All Sources IPs) daily, removes leading zeroes from logs and indexes it into Splunk.
It provides a number of dashboards, including the following information:

* a status dashboard that retrieves Threatcon, current HoD and RSS diaries. It also searches your networks in DShield feed and shows them if it finds any
* a dashboard showing top attackers, top attacked ports and protocols
* a dashboard showing Geo IP information about attackers, both in a table and using Google maps
* a search form that allows quick searching by IP address (or CIDR ranges), port or protocol
* a trend dashboard showing number of distinct IP addresses as well as total number of reports DShield received