Real-world SSH brute force attack simulation, live detection, and visualisation using Splunk Enterprise SIEM — mapped to MITRE ATT&CK T1110.
This project demonstrates a fully operational Security Information and Event Management (SIEM) lab built with Splunk Enterprise. A brute force attack is simulated from a Kali Linux attacker VM against an Ubuntu Server target, with all attack telemetry ingested, detected, and visualised in real time inside Splunk dashboards.
The lab covers:
- Setting up Splunk Enterprise on Ubuntu Server as the SIEM platform
- Configuring log ingestion from SSH auth logs and syslog
- Simulating a real SSH brute force attack from Kali Linux
- Writing SPL (Search Processing Language) detection queries
- Building live dashboards showing attacker IPs, timelines, and attack summaries
- Mapping detections to the MITRE ATT&CK framework
| Component | Details |
|---|---|
| SIEM Platform | Splunk Enterprise 10.2.1 (Free License) |
| SIEM Host | Ubuntu 22.04 Server VM (VirtualBox) |
| Attacker | Kali Linux VM (VirtualBox) |
| Network | Host-only adapter (isolated lab network) |
| SIEM Host IP | 192.168.20.20 |
| Attacker IP | 192.168.20.11 |
| Log Sources | /var/log/auth.log, /var/log/syslog |
| Attack Tool | Custom Bash loop + Python log generator |
```text
┌─────────────────────────┐        SSH Port 22        ┌──────────────────────────┐
│   Kali Linux Attacker   │ ────────────────────────► │    Ubuntu SIEM Server    │
│   IP: 192.168.20.11     │ 30+ failed login attempts │    IP: 192.168.20.20     │
│                         │ ◄──────────────────────── │    Splunk on port 8000   │
└─────────────────────────┘  Auth failure responses   └──────────┬───────────────┘
                                                                 │
                                                    ┌────────────▼────────────────┐
                                                    │      /var/log/auth.log      │
                                                    │     Monitored by Splunk     │
                                                    └────────────┬────────────────┘
                                                                 │
                                                    ┌────────────▼────────────────┐
                                                    │       Splunk Indexer        │
                                                    │         index=main          │
                                                    │   sourcetype=linux_secure   │
                                                    └────────────┬────────────────┘
                                                                 │
                                                    ┌────────────▼────────────────┐
                                                    │    SPL Detection Queries    │
                                                    │   - Top Attacker IPs        │
                                                    │   - Attack Timeline         │
                                                    │   - Attack Summary          │
                                                    └────────────┬────────────────┘
                                                                 │
                                                    ┌────────────▼────────────────┐
                                                    │      Splunk Dashboard       │
                                                    │  SSH Brute Force Detection  │
                                                    │   Real-time visualisation   │
                                                    └─────────────────────────────┘
```
Install and enable the SSH server on the Ubuntu target:

```bash
sudo apt install -y openssh-server
sudo systemctl start ssh
sudo systemctl enable ssh
```

Simulate the brute force from the Kali VM (30 failed logins against a non-existent user):

```bash
for i in {1..30}; do
  ssh fakeuser@192.168.20.20 -o StrictHostKeyChecking=no -o ConnectTimeout=3 2>/dev/null
done
```

Generate additional failed-login entries with the Python log generator:

```bash
python3 log_generator.py --target 192.168.20.20 --count 50
```

Query 1 (top_attacker_ips.spl): attacker IP and targeted username with attempt counts.

```spl
index=main "Failed password"
| rex field=_raw "from (?P<src_ip>\d+\.\d+\.\d+\.\d+)"
| rex field=_raw "for (invalid user )?(?P<username>\S+) from"
| stats count as Attempts by src_ip username
| sort -Attempts
```

Query 2 (attack_timeline.spl): failed logins over time.

```spl
index=main "Failed password"
| rex field=_raw "from (?P<src_ip>\d+\.\d+\.\d+\.\d+)"
| timechart count as Failed_Logins
```

Query 3 (attack_summary.spl): single-row summary. The src_ip and username fields are not extracted automatically for this sourcetype, so the same rex commands as Query 1 are needed before dc() can count them.

```spl
index=main "Failed password"
| rex field=_raw "from (?P<src_ip>\d+\.\d+\.\d+\.\d+)"
| rex field=_raw "for (invalid user )?(?P<username>\S+) from"
| stats count as Total_Attacks,
        dc(src_ip) as Unique_IPs,
        dc(username) as Unique_Usernames
```

Query 4 (targeted_usernames.spl): which invalid usernames were tried.

```spl
index=main "Failed password"
| rex field=_raw "invalid user (?P<username>\w+)"
| stats count by username
| sort -count
```

Query 5 (recent_failed_logins.spl): raw events from the last 15 minutes for real-time monitoring.

```spl
index=main "Failed password" earliest=-15m
| rex field=_raw "from (?P<src_ip>\d+\.\d+\.\d+\.\d+)"
| table _time src_ip _raw
| sort -_time
```
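As an added example (not code from this project), the detections behind Queries 1, 2, 3 and 5 re-implemented in Python over a few constructed auth.log lines, using the same regular expressions as the rex commands above. It also adds a simple per-IP sliding-window threshold, which is the kind of rule that would raise the alert mentioned in the lessons below; the sample lines, the log year and the threshold values are assumptions made for the example.

```python
"""Added example: the lab's SPL detections re-implemented in Python over constructed auth.log lines."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log sshd lines (not captured from the lab).
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 siem sshd[2101]: Failed password for invalid user fakeuser from 192.168.20.11 port 50211 ssh2
Mar  4 10:15:02 siem sshd[2103]: Failed password for invalid user fakeuser from 192.168.20.11 port 50212 ssh2
Mar  4 10:15:02 siem sshd[2105]: Failed password for root from 192.168.20.11 port 50213 ssh2
Mar  4 10:15:03 siem sshd[2107]: Connection closed by invalid user fakeuser 192.168.20.11 port 50212 [preauth]
Mar  4 10:16:40 siem sshd[2110]: Failed password for admin from 192.168.20.12 port 40001 ssh2
Mar  4 10:16:41 siem sshd[2112]: Accepted publickey for ubuntu from 192.168.20.1 port 39000 ssh2
Mar  4 10:17:05 siem CRON[2120]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Same patterns as the rex commands in the SPL queries.
SRC_IP_RE = re.compile(r"from (?P<src_ip>\d+\.\d+\.\d+\.\d+)")
USERNAME_RE = re.compile(r"for (invalid user )?(?P<username>\S+) from")
# syslog-style timestamps carry no year and pad single-digit days with a second space
TIMESTAMP_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)")
LOG_YEAR = 2025  # assumption: the year Splunk would take from the sourcetype's time settings


def parse_failed_logins(raw_log: str) -> list:
    """Equivalent of: index=main "Failed password" | rex ... | rex ..."""
    events = []
    for line in raw_log.splitlines():
        if "Failed password" not in line:
            continue
        ts, ip, user = TIMESTAMP_RE.match(line), SRC_IP_RE.search(line), USERNAME_RE.search(line)
        if not (ts and ip and user):
            continue  # in Splunk such events would carry a null src_ip and drop out of "by src_ip"
        when = datetime.strptime(f"{LOG_YEAR} {ts['mon']} {ts['day']} {ts['time']}", "%Y %b %d %H:%M:%S")
        events.append({"_time": when, "src_ip": ip["src_ip"], "username": user["username"], "_raw": line})
    return events


def top_attacker_ips(events) -> list:
    """Query 1: stats count as Attempts by src_ip username | sort -Attempts"""
    counts = Counter((e["src_ip"], e["username"]) for e in events)
    return [(ip, user, n) for (ip, user), n in counts.most_common()]


def attack_timeline(events, span=timedelta(minutes=1)) -> dict:
    """Query 2 with an explicit span: timechart span=1m count (bucket start -> count)."""
    epoch = datetime(1970, 1, 1)
    buckets = Counter()
    for e in events:
        t = e["_time"]
        buckets[t - ((t - epoch) % span)] += 1
    return dict(sorted(buckets.items()))


def attack_summary(events) -> dict:
    """Query 3: stats count, dc(src_ip), dc(username)"""
    return {"Total_Attacks": len(events),
            "Unique_IPs": len({e["src_ip"] for e in events}),
            "Unique_Usernames": len({e["username"] for e in events})}


def recent_failed_logins(events, now, window=timedelta(minutes=15)) -> list:
    """Query 5: earliest=-15m | table _time src_ip _raw | sort -_time"""
    cutoff = now - window
    return sorted((e for e in events if e["_time"] >= cutoff), key=lambda e: e["_time"], reverse=True)


def brute_force_alerts(events, threshold=10, window=timedelta(seconds=60)) -> list:
    """Illustrative alert rule (not one of the lab's queries): any src_ip with at least
    `threshold` failures inside a sliding window. Returns [(src_ip, peak_failures_in_window)]."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["src_ip"], []).append(e["_time"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        peak = max(sum(1 for t in times[i:] if t - start < window) for i, start in enumerate(times))
        if peak >= threshold:
            alerts.append((ip, peak))
    return alerts


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("Top attacker IPs:", top_attacker_ips(ev))
    print("Timeline:", attack_timeline(ev))
    print("Summary:", attack_summary(ev))
    print("Alerts (threshold 3):", brute_force_alerts(ev, threshold=3))
```

Running the file prints the same fields the dashboard panels show. Two points the SPL hides become visible here: the timestamp has no year, which is why a correct sourcetype matters for _time, and an event that does not match the rex patterns silently disappears from any "by src_ip" statistic, so a change in sshd's log wording would blind the detection rather than raise an error.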
| Dashboard | Description |
|---|---|
| Top Attacker IPs | Table showing attacker IP, targeted username, and attempt count |
| Attack Timeline | Line chart showing failed login spikes over time |
| Attack Summary | Single-row stats: total attacks, unique IPs, unique usernames |
| Indicator | Value |
|---|---|
| Attack type | SSH Brute Force (T1110.001) |
| Attacker IP | 192.168.20.11 (Kali Linux) |
| Target IP | 192.168.20.20 (Ubuntu Server) |
| Targeted username | fakeuser |
| Total failed attempts | 61 |
| Attack duration | < 60 seconds |
| Detection time | Real-time via Splunk |
| MITRE ATT&CK | T1110 – Brute Force |
Splunk detecting 61 failed SSH login attempts from attacker IP in real time.
The sharp spike on the timeline shows the exact moment the brute force attack occurred.
Complete SSH Brute Force Detection dashboard with all panels.
Failed password entries in /var/log/auth.log confirming the attack source.
```bash
# Download
wget -O splunk.deb "https://download.splunk.com/products/splunk/releases/10.2.1/linux/splunk-10.2.1-linux-amd64.deb"
# Install
sudo dpkg -i splunk.deb
# Start with admin password
sudo /opt/splunk/bin/splunk start --accept-license --answer-yes \
  --no-prompt --seed-passwd Admin1234! --run-as-root
# Enable on boot
sudo /opt/splunk/bin/splunk enable boot-start --run-as-root
```

```bash
# Monitor SSH auth log
sudo /opt/splunk/bin/splunk add monitor /var/log/auth.log \
  -index main -sourcetype linux_secure --run-as-root
# Monitor syslog
sudo /opt/splunk/bin/splunk add monitor /var/log/syslog \
  -index main -sourcetype syslog --run-as-root
```

```text
URL: http://127.0.0.1:8000
Username: admin
Password: Admin1234!
```
| Action | Command |
|---|---|
| Ban attacker IP | sudo fail2ban-client set sshd banip 192.168.20.11 |
| Disable password auth | PasswordAuthentication no in sshd_config |
| Use key-based auth | ssh-keygen && ssh-copy-id user@host |
| Change SSH port | Port 2222 in sshd_config |
| Set login attempt limit | MaxAuthTries 3 in sshd_config |
| Enable Fail2Ban | sudo systemctl enable fail2ban |
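As an added example (not part of this project), a small auditor that checks an sshd_config against the PasswordAuthentication, MaxAuthTries and Port settings in the table above. It models two sshd rules that are easy to get wrong when hardening by hand: the first value seen for a keyword wins, so a later duplicate is ignored, and anything after a Match line is conditional rather than global. The two config excerpts are constructed for the example; the defaults are OpenSSH's compiled-in values.

```python
"""Added example: audit an sshd_config excerpt against the hardening table, honouring first-value-wins."""
import re

# Constructed excerpt resembling a stock sshd_config: the relevant keywords are
# commented out, so sshd's compiled-in defaults apply.
WEAK_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PasswordAuthentication yes
#MaxAuthTries 6
UsePAM yes
"""

# Constructed excerpt applying the table's settings.
HARDENED_SSHD_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
"""

# Compiled-in defaults used when a keyword is absent (see sshd_config(5)).
SSHD_DEFAULTS = {"port": "22", "passwordauthentication": "yes", "maxauthtries": "6"}

# keyword and argument are separated by whitespace or an optional "="
KEYWORD_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+?)\s*$")


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lower: value} for the global section of an sshd_config.

    The FIRST value seen for a keyword wins, and parsing stops at the first Match
    line because everything after it applies only to the matched connections."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd_config only has whole-line comments
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> list:
    """Return a list of findings; an empty list means the table's settings are in effect."""
    cfg = parse_sshd_config(text)

    def effective(key):
        return cfg.get(key, SSHD_DEFAULTS[key])

    findings = []
    if effective("passwordauthentication").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing over SSH remains possible")
    try:
        if int(effective("maxauthtries")) > 3:
            findings.append(f"MaxAuthTries is {effective('maxauthtries')}: more than 3 guesses per connection")
    except ValueError:
        findings.append(f"MaxAuthTries value {effective('maxauthtries')!r} is not a number")
    if effective("port") == "22":
        findings.append("Port is 22: the default port receives the bulk of automated guessing")
    if "include" in cfg:
        findings.append(f"Include {cfg['include']} is processed where it appears, so a drop-in file can set "
                        "these keywords first; verify the running values with 'sudo sshd -T'")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or 'no findings'}")
```

The Include finding is the practical caveat: because the drop-in directory is included before the keywords in the main file, a file there that sets PasswordAuthentication yes wins over the hardened line below it, and only `sudo sshd -T` shows what the daemon actually resolved.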
- SIEM ingestion lag — Splunk picks up log changes within seconds but requires correct sourcetype configuration to parse fields properly.
- Field extraction in SPL — Splunk's automatic field extraction doesn't always work for custom log formats; manual rex commands are essential for accurate detection.
- Attack bursts are obvious — A brute force attack creates an unmistakable spike on a timeline chart. In a real SOC, this would trigger an immediate alert.
- Network segmentation matters — The two-VM setup mirrors real enterprise architecture (attacker outside, SIEM inside). Getting the VMs to communicate required correct VirtualBox network adapter configuration.
- Splunk Free License limits — The free version indexes up to 500MB/day which is more than sufficient for lab work and personal portfolio projects.
- MITRE ATT&CK T1110 – Brute Force
- Splunk SPL Documentation
- Splunk Enterprise Download
- OpenSSH Security Guide
```text
Splunk-SIEM-Threat-Detection/
├── README.md                       # This file
├── log_generator.py                # Python attack log simulator
├── splunk_queries/
│   ├── top_attacker_ips.spl        # Query 1 — Attacker IP detection
│   ├── attack_timeline.spl         # Query 2 — Timeline visualisation
│   ├── attack_summary.spl          # Query 3 — Summary stats
│   ├── targeted_usernames.spl      # Query 4 — Username analysis
│   └── recent_failed_logins.spl    # Query 5 — Real-time monitoring
└── screenshots/
    ├── top_attacker_ips.png
    ├── attack_timeline.png
    ├── full_dashboard.png
    └── auth_log_evidence.png
```
Built as part of a cybersecurity portfolio. All simulations performed in an isolated VirtualBox lab environment on machines I own and control.