Splunk Search

Port scan search

landen99
Motivator

I am searching for a method to take the IP address and port records from traffic coming from the internet onto our network and plot the number of ports per IP address in the time interval, with the highest number of ports per IP on top and ignoring low ports/IP if possible for optimization. The goal of this search is to identify port scans and related activity. I have been battling the issue of using dc (direct count) with timechart, and with where, top or sort by using AS to pass the dc information. I currently have a chart which groups many IP addresses into an "Other" data line. My current search looks like this:

sourcetype=target_traffic src_zone=target-INTERNET dst_zone!=target-INTERNET | timechart span=1s dc(dst_port) AS port_scan by src_ip | sort port_scan

(I have modified the search with the string "target" in place of more specific identifiers.)

After the "Other" issue is worked out, I would be interested to have the lower dc(dst_port) values dropped. Are there any issues with the code and what improvements are needed?

0 Karma
1 Solution

landen99
Motivator

I tried the search, as suggested above. I saw an error in the timechart with having time=1s. I think that error comes from it being after the bucket section. I also saw an error with using port_scan in timechart instead of dc(dst_port), so I adjusted the timechart to go without time=1s and to replace port_scan with the dc, as follows:

my search | bucket span=1s _time | eventstats dc(dst_port) AS port_scan by src_ip, _time | where port_scan > 2 | timechart dc(dst_port) by src_ip

Over the last 4 hours, I see one IP with values of 3 and 6. This should mean that it made 3 port connections and 6 port connections within a single second at two distinct times. A few more IPs are now popping up as well, so I think this is working as intended. Thank you very much for your help.


0 Karma


jet1276
Path Finder

As I understand it, your search counts distinct destination ports, but you have not specified whether that is for a single IP or multiple IPs.

That is, it will count, from one source IP to multiple destination IPs, the destination ports visited.

So to get the specific result, you can specify the destination IP, and it should give the right result.

my search | bucket span=1s _time | eventstats dc(dst_port) AS port_scan by src_ip, dst_ip, _time | where port_scan > 2 | timechart dc(dst_port) by src_ip

0 Karma

landen99
Motivator

Very interesting perspective. Thank you.

0 Karma

somesoni2
Revered Legend

Just before the eventstats, use the bucket command and include _time in the eventstats.

your search| bucket span=1s _time | eventstats dc(dst_port) AS port_scan by src_ip, _time | ....

0 Karma

landen99
Motivator

It won't let me edit the original post so I am adding it here.

Added:
Using eventstats seems to enable the filtering by number of port_scan per IP, but unlike the timechart's span=1s option, which applies the dc(dst_port) on 1s window intervals, it grabs the dc(dst_port) over the entire search window. Perhaps there is a window option in stats or in streamstats similar to the timechart's time window? The code I am using to add the dc(dst_port) filter on the entire search time window is:

| eventstats dc(dst_port) AS port_scan by src_ip | where port_scan > 2 | sort port_scan |

0 Karma
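The three searches in this thread (eventstats by src_ip alone over the whole window, bucket + eventstats by src_ip and _time, and the variant that adds dst_ip to the by-clause) differ only in what the eventstats group key is. The following Python is an added example, not code from the thread or from Splunk, that reproduces the semantics of that pipeline (bucket, eventstats dc, where, timechart dc, sort) over a small set of constructed firewall events so the effect of each by-clause can be compared side by side. The event fields, IP addresses and the threshold of 2 are assumptions chosen to match the thread; the function and parameter names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not taken from the thread). The fields are the ones
# the thread's searches use: _time, src_ip, dst_ip, dst_port.
SAMPLE_EVENTS = [
    # A fast source: four distinct ports across two hosts inside one second.
    ("2024-05-01T10:00:00.100Z", "203.0.113.7", "10.0.0.5", 22),
    ("2024-05-01T10:00:00.300Z", "203.0.113.7", "10.0.0.5", 80),
    ("2024-05-01T10:00:00.700Z", "203.0.113.7", "10.0.0.5", 443),
    ("2024-05-01T10:00:00.900Z", "203.0.113.7", "10.0.0.6", 3389),
    ("2024-05-01T10:00:01.200Z", "203.0.113.7", "10.0.0.5", 8080),
    # A slow source: three distinct ports over four minutes, never two in one second.
    ("2024-05-01T10:00:05.000Z", "198.51.100.9", "10.0.0.5", 443),
    ("2024-05-01T10:01:05.000Z", "198.51.100.9", "10.0.0.5", 443),
    ("2024-05-01T10:02:05.000Z", "198.51.100.9", "10.0.0.5", 80),
    ("2024-05-01T10:03:05.000Z", "198.51.100.9", "10.0.0.5", 22),
]


def bucket(ts_iso, span):
    """`bucket span=<span>s _time`: floor a UTC ISO timestamp to the span boundary (epoch seconds)."""
    dt = datetime.strptime(ts_iso, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() // span) * span


def eventstats_dc(events, key_fn):
    """`eventstats dc(dst_port) AS port_scan by <keys>`: every event is annotated with the
    distinct destination-port count of its group. eventstats drops nothing; the filtering
    happens in the `where` that follows."""
    ports = defaultdict(set)
    for ev in events:
        ports[key_fn(ev)].add(ev["dst_port"])
    return [dict(ev, port_scan=len(ports[key_fn(ev)])) for ev in events]


def timechart_dc(events):
    """`timechart dc(dst_port) by src_ip` on events whose _time is already bucketed:
    distinct destination ports per (src_ip, bucket)."""
    ports = defaultdict(set)
    for ev in events:
        ports[(ev["src_ip"], ev["_time"])].add(ev["dst_port"])
    return {key: len(p) for key, p in ports.items()}


def port_scan_search(raw, span=1, threshold=2, per_dst_ip=False, whole_window=False):
    """Run the thread's pipeline: bucket -> eventstats -> where -> timechart.

    whole_window=True groups the eventstats by src_ip alone (no _time in the by-clause),
    which is the earlier attempt in the thread: dc(dst_port) is then counted over the whole
    search window, so a slow scanner is flagged even though it never bursts.
    per_dst_ip=True adds dst_ip to the by-clause, as suggested in the thread.
    """
    events = [{"_time": bucket(t, span), "src_ip": s, "dst_ip": d, "dst_port": p}
              for t, s, d, p in raw]
    if whole_window:
        key = lambda e: (e["src_ip"],)
    elif per_dst_ip:
        key = lambda e: (e["src_ip"], e["dst_ip"], e["_time"])
    else:
        key = lambda e: (e["src_ip"], e["_time"])
    # `where port_scan > <threshold>` keeps only events of groups that exceeded the threshold.
    kept = [e for e in eventstats_dc(events, key) if e["port_scan"] > threshold]
    return timechart_dc(kept)


def top_scanners(chart):
    """`sort - port_scan`: (src_ip, bucket, distinct_ports) rows, busiest bucket first."""
    rows = ((src, t, n) for (src, t), n in chart.items())
    return sorted(rows, key=lambda r: (-r[2], r[1], r[0]))


def flagged_sources(chart):
    """Source IPs that survived the `where` filter, i.e. the candidate scanners."""
    return sorted({src for src, _ in chart})


if __name__ == "__main__":
    variants = [("per second", {}),
                ("per second, per dst_ip", {"per_dst_ip": True}),
                ("whole window", {"whole_window": True})]
    for label, kwargs in variants:
        chart = port_scan_search(SAMPLE_EVENTS, **kwargs)
        print(label, flagged_sources(chart))
        for src, t, n in top_scanners(chart):
            print("   ", src, datetime.fromtimestamp(t, timezone.utc).isoformat(), n)
```

With the per-second grouping only 203.0.113.7 is flagged (4 distinct ports in its first second); adding dst_ip to the by-clause lowers that to 3, because the 3389 probe against 10.0.0.6 is counted in a separate group; grouping by src_ip alone over the whole window also flags the slow source 198.51.100.9, which is the over-counting the poster observed before _time was added to the eventstats by-clause.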