Security

Find top IPs by # of unique ports attempted scan in FW logs

kevinlong206
New Member

Hi, another newbie question here.

I am analyzing firewall logs in this format:

Apr 4 22:03:18 10.20.10.1 Apr 4 22:05:47 X300 X300/FW_Activity: Info X300 type=FWD|proto=UDP|srcIF=p6|srcIP=174.61.183.230|srcPort=55555|srcMAC=66:66:01:58:04:18|dstIP=207.115.88.202|dstPort=55555|dstService=|dstIF=|rule=BLOCKALL|info=Block by Rule|srcNAT=0.0.0.0|dstNAT=0.0.0.0|duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=

I want to find the top 100 srcIPs BY how many # of unique dstPort the attempted to access, so I can find people who obviously portscanned my network.

something like "BLOCKALL | top 100 srcIP BY uniq dstPort
How can I find top srcIP by # of unique dstPort ?

Thank you!

Tags (2)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You could run this:

rule=BLOCKALL | stats dc(dstPort) as num_unique_ports by srcIP | sort - num_unique_ports | head 100
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...