
Splunk base64 decode













There are times when data within events contains sensitive information. This could be Social Security numbers, credit card numbers, dates of birth, an employee’s salary information, etc. The data may be in the clear, and when it gets sent to Splunk, it is indexed. Any person in a role that has access to that data would be able to search on it. To prevent this, Splunk has an out-of-the-box feature to mask sensitive data. For instance, a Social Security number may end up looking like xxx-xx-xxxx within a search. The administrator could either use Splunk’s built-in sed-like syntax to replace sensitive strings or use a regular expression in a nf file to accomplish this. This works great for the case where you never want anyone to have access to the data’s sensitive contents.

However, there are some cases where it would be useful for an authorized person to retrieve the original contents at search time, such as searching for an employee’s salary or date of birth. To accomplish this, the sensitive data would have to be encrypted in the index and decrypted by an authorized search. I’ll spend the rest of this blog entry describing how to do this with a simple approach I wrote that is available for download from Splunk’s add-on page.

Let’s start with example data such as this: Notice that the credit card number is in the clear. The requirements are that this piece of data be encrypted before indexing.

In the encrypt/decrypt Splunk add-on, there is a small Python utility that can be run against any text file to encrypt any single string of data using DES with a symmetric key. In this example, it would look like this:

    python encryptfield.py credit.log "creditcard=(\\d+)" DESCRYPT

This would produce a file with an extension of en.txt such as .txt. In the example provided, the produced file looks like this:

    Tue Oct 6 13:23: name user102 creditcard=BTXoXxBF/i/qE+IQ+tS98Q= b pets
    Tue Oct 6 13:23: name user101 creditcard=BTXoXxBF/i9OBE/y2eNIWw= b pens
    Tue Oct 6 13:23: name user100 creditcard=BTXoXxBF/i//Izi1uYJEKA= b shoes

What the Python program did was take the text matching the regular expression, run a publicly available DES encryption on it using the provided key, and then send the resulting data through a base64 utility so that the final result would be printable in ASCII text. Since source code is provided, you can change the behavior of the program to encrypt multiple strings or use triple DES instead of DES for the encryption.
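A check worth running on output like this, written here as an added example (it is not code from the original post or from the add-on): it base64-decodes the three creditcard= values shown on this page and reports any 8-byte ciphertext block that repeats across events. The first block is identical in all three, which is what a block cipher used without a per-record IV produces when the plaintexts share their leading bytes, so the encrypted field still reveals which records share a card-number prefix. It assumes 8-byte DES blocks and repairs the base64 padding, since the values as printed here end in a single "=".

```python
import base64
import re
from collections import defaultdict

BLOCK = 8  # DES block size in bytes (assumption: the field is raw DES output)

# The three events as they appear on this page (timestamps are truncated there).
SAMPLE = """\
Tue Oct 6 13:23: name user102 creditcard=BTXoXxBF/i/qE+IQ+tS98Q= b pets
Tue Oct 6 13:23: name user101 creditcard=BTXoXxBF/i9OBE/y2eNIWw= b pens
Tue Oct 6 13:23: name user100 creditcard=BTXoXxBF/i//Izi1uYJEKA= b shoes
"""

# Capture the user name and the base64 body; trailing "=" is matched but not captured.
FIELD = re.compile(r"name (\S+) creditcard=([A-Za-z0-9+/]+)=*")


def decode_field(value):
    """Base64-decode a field value, restoring padding lost in copy/paste."""
    value = value.rstrip("=")
    return base64.b64decode(value + "=" * (-len(value) % 4))


def blocks_by_position(text):
    """Map (block index, block hex) -> users whose ciphertext contains that block."""
    seen = defaultdict(list)
    for user, value in FIELD.findall(text):
        raw = decode_field(value)
        for offset in range(0, len(raw), BLOCK):
            key = (offset // BLOCK, raw[offset:offset + BLOCK].hex())
            seen[key].append(user)
    return seen


def repeated_blocks(text):
    """Return only the blocks that occur in more than one event."""
    return {k: v for k, v in blocks_by_position(text).items() if len(v) > 1}


if __name__ == "__main__":
    for (index, block), users in repeated_blocks(SAMPLE).items():
        print(f"block {index} = {block} repeats in: {', '.join(users)}")
```

If the utility is modified as the post suggests, a random IV per record (stored alongside the ciphertext) removes this repetition, at the cost of no longer being able to search on the encrypted value directly.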














