Getting Data In

Firewall Services Search

gharpe2
Explorer

Need a search to list the top 25 non-http and non-https services people are connecting to through my ASA. Does anyone have a search for that? I would like to list the port, protocol and number of times connections were made.

Thanks,
glh

Tags (3)
0 Karma

kristian_kolb
Ultra Champion

Hi, while I do not completely understand your post, I can give the following example of a search , assuming that you have the following fields extracted (either manually or automatically)

destination port :dst_port;
protocol: proto

<your_source/sourcetype> dst_port!="80" dst_port!="443" | stats count by dst_port proto | sort - count | head 25 

hope this helps,

Kristian

0 Karma

gharpe2
Explorer

Sample Events:

9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106001: Inbound TCP connection denied from 10.223.7.21/2999 to 109.13.183.81/445 flags SYN on interface inside

host=10.10.0.253   Options|  
sourcetype=syslog   Options|  
source=udp:514   Options

2 11/28/11
9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106006: Deny inbound UDP from 62.192.232.25/54657 to 63.78.74.228/35731 on interface outside

host=10.10.0.253   Options|  
sourcetype=syslog   Options|  
source=udp:514   Options

3 11/28/11
9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106001: Inbound TCP connection denied from 10.222.7.13/3954 to 109.21.83.57/445 flags SYN on interface inside

host=10.10.0.253   Options|  
sourcetype=syslog   Options|  
source=udp:514   Options
0 Karma

kristian_kolb
Ultra Champion

Hi,

Please provide a few samples events from your log.

And also, please delete your duplicate forum post "Firewall Traffic".

/kristian

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...