Alerting

How to search for and alert on duplicate IP address assignments?

kgangulw
Engager

Hello,

We seem to be having an intermittent issue with our SRX3400 firewall where it sometimes issues duplicate IPs to devices. I'm trying to work out how we can go about setting an alert soon as such an event occurs. Ideally the alert should check for this condition every 1 hour. I have copied the actual event showing the duplicate IP address assignment. (This is a bug in the SRX and we're working on it separately). Any help is appreciated.

Mar  5 10:37:57 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for XX.XX.XX.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be

Mar  5 10:35:43 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for XX.XX.XX.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be

MuS
Legend

Hi kgangulw,

take this run everywhere example to get an idea how it can be done:

index=_internal | head 1 | eval foo="
Mar 5 10:37:57 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for 192.168.1.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be
Mar 5 10:35:43 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for 192.168.1.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be
"
| rex max_match=0 field=foo "for\s(?<myIP>[\d\.]+).+?to\s(?<myMAC>[\d\w:]+)"
| bucket _time span=1h
| stats count(myIP) AS myCount by _time, myMAC
| where myCount > 2

This will create some fields for IPs and MACs, count the IPs for each MAC within one hour, and show results only if the count is more than 2. Save the search and set up alerting; see the docs for more details: http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Aboutalerts

Also, you should set up the fields for IP and MAC if they do not exist; see the docs for more details: http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX

Hope this helps ...

cheers, MuS


kgangulw
Engager

Hi MuS

Thanks a lot for providing the sample. I'm running into a few issues with the above, but let me ask a few questions so I can see if this can be figured out.

In your sample, foo="xxxxxxxx" I'm assuming is the particular string I want to evaluate?

rex max_match=0 field=foo "for\s(?<myIP>[\d\.]+).+?to\s(?<myMAC>[\d\w:]+)" - This one I'm not sure what it does. Could you elaborate or tell me where I can find the info to see what this above statement does?

Thank you.


MuS
Legend

Sorry if this was too confusing ... you can use the search string starting at line 5. Lines 1 - 4 were only there to rebuild your provided events. So using this should work for you:

your base search here | rex max_match=0 field=_raw "for\s(?<myIP>[\d\.]+).+?to\s(?<myMAC>[\d\w:]+)"
 | bucket _time span=1h
 | stats count(myIP) AS myCount by _time, myMAC
 | where myCount > 2
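The same detection carried out in Python, as an added stand-alone example that is not the thread's own code: it parses the KERN_ARP_ADDR_CHANGE lines the way the rex above does, buckets them per hour like bucket _time span=1h, and offers both the answer's count-per-MAC view and the complementary view of an IP seen with more than one MAC within an hour, which is what an overwritten ARP entry actually records. The sample log lines are constructed from the thread's events with a private IP, and the function names are mine.

```python
import re
from collections import defaultdict

# Matches one SRX KERN_ARP_ADDR_CHANGE line; the capture groups mirror the rex in
# the answer (IP after "for", MAC after "to") plus the syslog hour and the old MAC.
ARP_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"/kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for (?P<ip>[\d.]+)"
    r"\s+from\s+(?P<old_mac>[0-9a-f:]+)\s+to\s+(?P<new_mac>[0-9a-f:]+)"
)

def parse_arp_changes(lines):
    """Yield (hour_bucket, ip, old_mac, new_mac) for each matching line; skip the rest."""
    for line in lines:
        m = ARP_RE.match(line.strip())
        if m:
            bucket = f"{m['mon']} {int(m['day'])} {m['hour']}:00"  # like bucket _time span=1h
            yield bucket, m["ip"], m["old_mac"], m["new_mac"]

def overwrites_per_mac(lines, threshold=2):
    """Equivalent of the answer's stats count(myIP) by myMAC | where myCount > 2, per hour."""
    counts = defaultdict(int)
    for bucket, _ip, _old_mac, new_mac in parse_arp_changes(lines):
        counts[(bucket, new_mac)] += 1
    return {k: v for k, v in counts.items() if v > threshold}

def ips_claimed_by_multiple_macs(lines):
    """Flag an IP whose ARP entry pointed at two or more distinct MACs within one hour."""
    macs = defaultdict(set)
    for bucket, ip, old_mac, new_mac in parse_arp_changes(lines):
        macs[(bucket, ip)].update((old_mac, new_mac))
    return {k: sorted(v) for k, v in macs.items() if len(v) > 1}

# Constructed sample: the thread's two events (private IP), a flap back, and an unrelated line.
SAMPLE_LOG = [
    "Mar  5 10:37:57 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for 192.168.1.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be",
    "Mar  5 10:35:43 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for 192.168.1.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be",
    "Mar  5 10:36:10 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for 192.168.1.122 from 00:1a:a0:49:54:be to 00:05:0d:ef:5e:4c",
    "Mar  5 10:40:00 F3400 /kernel: some unrelated kernel message",
]

if __name__ == "__main__":
    for (bucket, ip), macs in ips_claimed_by_multiple_macs(SAMPLE_LOG).items():
        print(f"{bucket}: {ip} seen with MACs {', '.join(macs)}")
```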

kgangulw
Engager

Excellent! Thank you very much MuS :)
