Re: How to write a search and alert if one IP visi...

Moon629 · ‎06-11-2015

Hi,

Now, we have the following use case, but I don't know how to write the search. Please help~

In application log, let's define "visit URL1, URL2, URL3......continuously in order" as a Visit Order;

Then how to set up an alert as the following:

When one IP visits one Visit Order to exceed N times in the time range T, then alert.

Please note, the Visit Order is not set up at the beginning.

Thanks in advance~^_^

stephanefotso · ‎06-11-2015

View your comment, you must first extract IP and URL to detect that clientIP1 visit an order - "URL1, URL2, URL3"
Here you go.

   .... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|transaction IP startswith=(url=URL1) endswith=(url=URL3)|table IP url

You can also count .......

   .... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|transaction IP startswith=(url=URL1) endswith=(url=URL3)|stats count

Thanks

SGF

Moon629 · ‎06-15-2015

Thanks for your help. But the URL1, URL2, URL3...are not defined at the beginning, which means we want to detect the visit order which visited by one IP for many times.

stephanefotso · ‎06-15-2015

Try like this

.... |rex field=_raw "^(?:[^ \n]* ){2}(?P<IP>\w+)\s+[^\)\n]*\)\"\s+\"(?P<url>\w+)"|eventstats earliest(url) as start_url latest(url) as end_url by IP|transaction IP startswith=(url=start_url) endswith=(url=end_url)|stats count

SGF

stephanefotso · ‎06-11-2015

Hello! Can we get a sample data of your log, and also please can you explain how one IP visits one Visit Order? Maybe something which can help write the query?
Thanks

SGF

Moon629 · ‎06-11-2015

oh, hello~
It is acc log, I cannot export the log since it is in production, but I can give an example if can help.
how to detect clientIP1 visit an order - "URL1, URL2, URL3" for 2 times?
2015-06-11 19:25:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
2015-06-11 19:26:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
2015-06-11 19:27:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44
2015-06-11 19:28:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL4" 0.0030 44
2015-06-11 19:29:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL1" 0.0030 44
2015-06-11 19:30:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL2" 0.0030 44
2015-06-11 19:31:17 clientIP1 userID destinationIP - GET /./app_images/keepSession.gif "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "URL3" 0.0030 44

How to write a search and alert if one IP visits one Visit Order over N number of times within a certain time range (T)?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio