I have a log of a few hundred SNORT alerts:
-All alerts have "the same" fields, but in order to find my needle in the haystack I have to
search for two fields; in the results of the search is my "unique" value.
Example:
<1 Search:
2222222 dest_port="*" --I want the STAR Value and its _time --AND possibly call the _raw results "Disconnect"
<2 Search:
1111111 src_port="*" --I want the STAR value and its _time --AND possibly call the _raw result "Connect"
Then using the searches of "Disconnect" focus on "dest_port" and "Connect" focus on "src_port"
-Subtract the _time(s) of dest_port and src_port which will equal the "Total Time"
-To give me the time difference based on dest_port and src_port
If I search:
2222222 dest_port="*" OR 1111111 src_port="*" --It will give me ONLY 2222222 and highlight src_port AND dest_port of 2222222
I don't want that! 🙂 I want it to only highlight 2222222 dest_port and 1111111 src_port --I don't want the two searches to cross over the "OR" I guess is what I'm trying to say... --How do I make two unique searches and be able to subtract the _time of, said above, to give me my goal?
Linked is the search of 2222222 dest_port="*" OR 1111111 src_port="*" --To show you what I mean. Disregard the double fields. Not sure why they are doubled at the moment.
I'm far from sure that I understand your question, but it seems like you're not using parentheses when you should be. What you had was
2222222 dest_port="*" OR 1111111 src_port="*"
but this will mean 2222222 AND (dest_port="*" OR 1111111) AND src_port="*"
I think what you want is:
( 2222222 dest_port="*") OR (1111111 src_port="*")
But I don't understand how exactly you want to stitch together the Connect and Disconnect events. Is the src_port value of one side equal to the dest_port value of the other side?
If so then you would use the eval command to make yourself a field that did have the same name from one side to the other, to make _time values as appropriate, and then stats to roll it all together.
I'm making a ton of assumptions, but this might not be totally off base:
( 2222222 dest_port="*") OR (1111111 src_port="*")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null())
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval myPortField=if(isnotnull(disconnect_time),dest_port,myPortField)
| eval myPortField=if(isnotnull(connect_time),src_port,myPortField)
| stats min(connect_time) as connect max(disconnect_time) as disconnect by myPortField
I posted an additional question if you have a few minutes?
Here is the search you wanted me to do:
" I think what you want is:
( 2222222 dest_port="*") OR (1111111 src_port="*")
"
HERE is the result of that search which gives me both src and dest port
If you notice, both src_port and dest_port are highlighted. I tried every way I could to somehow combine the searches to be totally 2 separate searches of the two fields but was unsuccessful.
Mind you, I do have a false positive from snort that does not have the same ephemeral port and may have blank times --or is there a way to say "if none are the same then NOT show"?
I'd like to have:
Summary--
SRC IP Total Time
SRC IP Total Time
-Of all unique SRC IP's
&
Total Time from ALL as a total calculation ( which will be based on the search time frame I select)
Sooo Close!!! WOW!!!! I would have never even got close!
Click Here to see
Your question:
"But I don't understand how exactly you want to stitch together the Connect and Disconnect events. Is the src_port value of one side equal to the dest_port value of the other side? "
- YES The Src_port value of one side is equal to dest_port value --Ephemeral Port
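As an added example (not part of the original answer), here is one way to carry the answer above through to the per-source summary asked for in the follow-up: tag each event as Connect or Disconnect, pair them on the shared ephemeral port, drop any port that has no partner (the Snort false positive with blank times), then total per client IP and overall. The address fields src_ip and dest_ip are assumptions about the Snort sourcetype; rename them to whatever your alerts actually use.

```spl
( 2222222 dest_port="*" ) OR ( 1111111 src_port="*" )
| eval phase=if(match(_raw,"2222222"),"Disconnect","Connect")
| eval ephemeral_port=if(phase=="Disconnect",dest_port,src_port)
| eval client_ip=if(phase=="Connect",src_ip,dest_ip)
| eval connect_time=if(phase=="Connect",_time,null())
| eval disconnect_time=if(phase=="Disconnect",_time,null())
| stats min(connect_time) as connect max(disconnect_time) as disconnect values(client_ip) as client_ip by ephemeral_port
| where isnotnull(connect) AND isnotnull(disconnect) AND disconnect>=connect
| eval total_time=disconnect-connect
| stats sum(total_time) as total_time_seconds count as sessions by client_ip
| addcoltotals labelfield=client_ip label="ALL"
```

The where clause is what answers "if none are the same then NOT show": a port seen only on the Connect side or only on the Disconnect side has a null on one side and is discarded before the subtraction. Because ephemeral ports get reused, keep the search time frame short enough that one port is not seen for two different sessions, or the min/max pairing will merge them.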