Splunk Search

How to build an external static lookup table for Firewall ACL auditing to match on dst_port and determine if the port matches an existing ACL rule?

ktang
Explorer

Hello Splunk Answers,

I am looking to build a static lookup table for Firewall ACL lookup. Essentially, I would like the lookup to match on dst_port and determine if the port matches an existing acl rule name. I have an any-any rule that I'm trying to clean up, and the idea is to have Splunk tell me if the dst_port matches an existing acl rule entry. If no rule match is made, then the connection is permitted via an any-any rule.

I'm looking to match on dst_port. In this example, traffic connections on 80, 53 would match rule_name like in the example below.
fields:
dst_port, rule_name
80, permit_web
53, permit_dns

The idea is, if traffic connections do not match on a specific entry, then state something like this:
dst_port, rule_name
8748, any_any

I appreciate the assistance.
-ktang

1 Solution

musskopf
Builder

Do you already have the lookup working for the matching ones? If yes, just use a | fillnull value="any_any" rule_name



ktang
Explorer

That worked! Thanks musskopf
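As an added worked example (not part of the original thread or from either poster), here is the complete lookup-plus-fillnull pattern the answer describes, written out so it can be pasted into a search. The lookup file contents are constructed sample rows, and the index name, sourcetype, and the src_ip field are assumptions; adjust them to match your firewall data.

```spl
acl_rules.csv  (upload as a lookup table file; constructed sample rows)
dst_port,rule_name
80,permit_web
443,permit_web
53,permit_dns

Search: tag every allowed connection with the ACL rule that covers its port,
and label anything the lookup does not cover as hitting the any-any rule
index=firewall sourcetype=cisco:asa action=allowed
| lookup acl_rules.csv dst_port OUTPUT rule_name
| fillnull value="any_any" rule_name
| stats count AS connections dc(src_ip) AS distinct_sources BY dst_port rule_name
| sort - connections

Audit view: only the traffic that is currently relying on the any-any rule
index=firewall sourcetype=cisco:asa action=allowed
| lookup acl_rules.csv dst_port OUTPUT rule_name
| fillnull value="any_any" rule_name
| where rule_name="any_any"
| stats count AS connections values(src_ip) AS sources BY dst_port
```

Two things to keep in mind when using this for ACL clean-up. First, a lookup keyed on dst_port alone ignores protocol, so TCP/53 and UDP/53 both map to permit_dns; if your ACL distinguishes them, add a protocol column to the CSV and include it in the lookup key (`| lookup acl_rules.csv dst_port protocol OUTPUT rule_name`). Second, fillnull only labels rows where rule_name is empty, so make sure the CSV has no blank rule_name cells, or those ports will be misreported as any_any.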
