Splunk Search

Security search question, F/W log, where one host to multiple host detection.

clyde772
Communicator

Let assume the following,

  1. the data source for analysis is Firewall traffic log. I guess It could be applied to any firewall since they all have smilar info in the logs.

From the above firewall log, I need to investigate the following :

  1. Get a list of hosts that are sending packets to exccesive amount of hosts (in number of sessions)
  2. Basically I need to create a dashboard that sums up hosts that are making excessive number of sessions.

In order for me to do this, I guess I need to count the number of Destination IP based on Source IPs. I want to create splunk search critiria to accomplish this.

I guess process pattern blow :

IP SRC=10.1.1.7, DEST=211.123.23.4, IP SRC=10.1.1.7, DEST=121.33.13.7, IP SRC=10.1.1.7, DEST=21.13.32.3, IP SRC=10.1.1.7, DEST=172.23.185.5, IP SRC=10.1.1.7, DEST=231.53.2.82, IP SRC=10.1.1.7, DEST=23.35.78.2, IP SRC=10.1.1.7, DEST=221.73.5.123, IP SRC=10.1.1.7, DEST=81.33.98.44, IP SRC=10.1.1.7, DEST=78.19.21.25, IP SRC=10.1.1.7, DEST=62.53.76.89, IP SRC=10.1.1.7, DEST=2341.3.2.125,

To get results like :

10.2.7.32 87 Connections 10.1.1.7 11 Connections

etc..

Tags (1)
0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Seems to me that simple:

... | stats distinct_count(DEST) by SRC

or

... | stats count by DEST,SRC | stats count by SRC 

would do it.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...