Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Configure Prohibited Traffic list

The PCI data security standards requires that systems in a cardholder data environment only include services necessary on the system. Using the Prohibited Traffic list, PCI compliance solutions administrators can define a list of prohibited services that they do not expect to see on systems within the environment.

To view the Prohibited Traffic list, do the following:

  1. Select Configure > Data Enrichment > Lists and Lookups.
  2. Click the Prohibited Traffic list. The Prohibited Traffic lookup file (prohibited_traffic.csv) appears in the lookup editor.
transport,src,src_pci_domain,dest,dest_pci_domain,dest_port,is_prohibited,is_secure,note
*,*,cardholder,*,untrust,*,true,false,deny_all_cardholder_to_untrust
*,*,untrust,*,cardholder,*,true,false,deny_all_untrust_to_cardholder
*,*,wireless,*,cardholder,80,true,false,deny_http_wireless_to_cardholder
icmp,*,untrust,*,dmz,*,false,,permit_icmp_untrust_to_dmz
tcp,*,untrust,*,dmz,80,false,,permit_tcp80_untrust_to_dmz
tcp,*,untrust,*,dmz,443,false,true,permit_tcp443_untrust_to_dmz
udp,*,untrust,*,dmz,500,false,true,permit_udp500_untrust_to_dmz
udp,*,untrust,*,dmz,4500,false,true,permit_udp4500_untrust_to_dmz
tcp,*,untrust,*,dmz,1723,false,true,permit_tcp1723_untrust_to_dmz
udp,*,untrust,*,dmz,1701,false,true,permit_udp1701_untrust_to_dmz
udp,*,dmz,*,cardholder,514,false,,permit_udp514_dmz_to_cardholder
tcp,*,dmz,*,cardholder,443,false,,permit_tcp443_dmz_to_cardholder
tcp,*,trust,*,trust,22,false,true,permit_tcp22_inside_trust
tcp,*,trust,*,trust,80,false,,permit_tcp80_inside_trust
...

The first line in the file describes the fields in the file.

Field Description Example
transport The transport protocol. TCP
src The host that is the source of the activity. * to match all hosts, or the host name (for example "ACME_host_001")
src_pci_domain The source domain of of the activity. cardholder
dest The host that is the destination of the activity. * to match all hosts, or the host name (for example "ACME_host_001")
dest_pci_domain The source domain of of the activity. cardholder
dest_port The destination port of the activity. 80
is_prohibited Is the service/traffic/port prohibited? for example, true or false
is_secure Is the traffic for the given service encrypted (secure)? for example, true or false
note This can be whatever the user wants.
src_category Category of the source for example, pci_cardholder
dest_category Category of the source for example, pci_cardholder

Add to, or modify this list using the editor. Click Save when you are done.

There is no file checking or verification for this editor, so any typo might break the lookup file.

Last modified on 26 January, 2018
Configure Primary Functions list   Configure Interesting Services list

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters