Splunk Search

How to group two different events together that share the same source and destination IP address?

DEAD_BEEF
Builder

I'm having trouble writing a search query that looks for one specific event followed by a different specific event within 1 minute where the same source and destination IP address are seen in both events. I thought transaction might do it, but I don't know how to link the two queries. Maybe subsearch into the second search and then transaction? I'm trying to write a search that would alert on a specific exploit kit where the first event is the silverlight plug-in and the second event is the payload.

1st Event - Silverlight Plug-in

index=bro bytes_in>=6000 bytes_in<=40000 url="*req=xap*" mime_type=application/x-silverlight-app

2nd Event - Payload

index=bro bytes_in>=80000 bytes_in<=600000 url="*req=mp3&num*" (mime_type=application/octet-stream OR mime_type=application/x-msdownload OR mime_type=application/x-ms-dos-executable)

How do I link these two events based on same src_ip, dst_ip, maxspan=1m and 1st event before 2nd event? Halp.

1 Solution

lguinn2
Legend

It seems like this might be the place to start

index=bro (bytes_in>=6000 bytes_in<=40000 url="*req=xap*" mime_type=application/x-silverlight-app) OR 
(bytes_in>=80000 bytes_in<=600000 url="*req=mp3&num*" (mime_type=application/octet-stream OR mime_type=application/x-msdownload OR mime_type=application/x-ms-dos-executable))
| transaction src_ip dst_ip maxspan=1m startswith=eval(mime_type=="application/x-silverlight-app") endswith=(mime_type="application/octet-stream" OR mime_type="application/x-msdownload" OR mime_type="application/x-ms-dos-executable")

But if you want to do it in a more manual way, this might also work

index=bro (bytes_in>=6000 bytes_in<=40000 url="*req=xap*" mime_type=application/x-silverlight-app) OR 
(bytes_in>=80000 bytes_in<=600000 url="*req=mp3&num*" (mime_type=application/octet-stream OR mime_type=application/x-msdownload OR mime_type=application/x-ms-dos-executable))
| eval eventId=if(mime_type=="application/x-silverlight-app",1,2)
| eval ipCombo = src_ip . "+" . dst_ip
| sort 0 ipCombo _time eventId
| streamstats current=f window=1 last(_time) as lastEventTime last(eventId) as lastEventId last(url) as lastURL by ipCombo
| eval timeDiff = _time - lastEventTime
| where eventId=2 AND lastEventId=1 AND timeDiff<=60

lguinn2
Legend

Solution #2 Explanation: First, the search finds all the events of the various mime-types.

Second, a field called "eventId" is set to 1 for the silverlight mime type, or 2 for all other mime types. This is so we can categorize the events later. Next, the "ipCombo" field is created, which will contain the combination of source and destination IPs like this "192.168.10.200+54.24.168.150". This just gives me a tag to work with.

The data is sorted so that IPs are grouped, and ordered within each group by timestamp. If there are multiple events with the same timestamp, the silverlight event (if it exists) will come first.

The streamstats command is not very efficient (neither is transaction BTW). But it lets you look at prior events. In my answer I set the window to 1, so it only looks at the prior event. It captures the timestamp of the prior event as lastEventTime, the prior eventId and the prior URL. Since streamstats is grouped by ipCombo, it will look at each group separately.

Next to last: we compute the time difference between the current event and the prior event.

Finally, the where command keeps only the events where the prior event had mime-type=silverlight and the prior event occurred within the last minute.

But if the first solution works, then go with it!


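The correlation both answers perform (group events by src_ip/dst_ip, keep a payload event only when the previous event for that pair was the Silverlight request no more than 60 seconds earlier) as an added Python example that is not from the thread; it runs over constructed Bro-style records rather than real traffic, and the byte, URL and MIME thresholds are the ones from the question.

```python
# Constructed Bro/Zeek-style HTTP records (not real traffic):
# (epoch seconds, src_ip, dst_ip, bytes_in, url, mime_type)
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "203.0.113.7", 12000, "/a?req=xap", "application/x-silverlight-app"),
    (1030, "10.0.0.5", "203.0.113.7", 250000, "/a?req=mp3&num=1", "application/octet-stream"),  # hit: 30s later
    (1000, "10.0.0.9", "203.0.113.7", 200000, "/b?req=mp3&num=2", "application/x-msdownload"),  # no stage 1 for pair
    (2000, "10.0.0.6", "203.0.113.8", 150000, "/c?req=mp3&num=3", "application/octet-stream"),  # payload first
    (2010, "10.0.0.6", "203.0.113.8", 9000, "/c?req=xap", "application/x-silverlight-app"),      # ...plug-in second
    (3000, "10.0.0.7", "203.0.113.9", 9000, "/d?req=xap", "application/x-silverlight-app"),
    (3100, "10.0.0.7", "203.0.113.9", 300000, "/d?req=mp3&num=4", "application/x-ms-dos-executable"),  # 100s gap
]

PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-ms-dos-executable"}


def classify(ev):
    """Mirror the base search plus the eventId eval: 1 = Silverlight stage,
    2 = payload stage, None = not one of the two events we care about."""
    _t, _src, _dst, bytes_in, url, mime = ev
    if mime == "application/x-silverlight-app" and 6000 <= bytes_in <= 40000 and "req=xap" in url:
        return 1
    if mime in PAYLOAD_TYPES and 80000 <= bytes_in <= 600000 and "req=mp3&num" in url:
        return 2
    return None


def correlate(events, maxspan=60):
    """Return (src_ip, dst_ip, t_silverlight, t_payload) for every payload event
    whose immediately preceding event for the same IP pair was the Silverlight
    request at most maxspan seconds earlier (the streamstats window=1 logic)."""
    tagged = [(ev, eid) for ev in events if (eid := classify(ev)) is not None]
    # sort 0 ipCombo _time eventId: group by pair, then time, Silverlight first on ties
    tagged.sort(key=lambda x: ((x[0][1], x[0][2]), x[0][0], x[1]))
    last = {}  # ipCombo -> (time, eventId) of the prior event, like last(_time)/last(eventId)
    hits = []
    for ev, eid in tagged:
        combo = (ev[1], ev[2])
        prev = last.get(combo)
        if eid == 2 and prev is not None and prev[1] == 1 and ev[0] - prev[0] <= maxspan:
            hits.append((ev[1], ev[2], prev[0], ev[0]))
        last[combo] = (ev[0], eid)
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("silverlight -> payload", hit)
```

As with window=1 in the SPL, any other matching event for the same pair in between resets the state, so a chain of plug-in, plug-in, payload only fires on the second plug-in. Widening maxspan is the only knob for slower payload delivery.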
DEAD_BEEF
Builder

I've begun testing the first solution you suggested with minor syntax corrections (listed below in case others find it useful) and it looks like it might be what I wanted.

index=bro (bytes_in>=6000 bytes_in<=40000 url="*req=xap*" mime_type=application/x-silverlight-app) OR
(bytes_in>=80000 bytes_in<=600000 url="*req=mp3&num*" (mime_type=application/octet-stream OR mime_type=application/x-msdownload OR mime_type=application/x-ms-dos-executable))
| transaction src_ip,dst_ip maxspan=1m startswith=eval(mime_type="application/x-silverlight-app") endswith=(mime_type="application/octet-stream" OR mime_type="application/x-msdownload" OR mime_type="application/x-ms-dos-executable")

Would you mind explaining suggestion 2? There is a lot going on that I don't quite understand and it's going over my head... thanks 🙂
