Splunk Search

How to edit my search to find firewall logs with excessive accepts from multiple sources to a single destination?

bmo017
Path Finder

Hello,

I am looking for information on how I would go about monitoring firewall logs with excessive accepts to the same destination from at least 50 source IP addresses in 5 minutes.

Currently, I have the search below, but I am not sure how to create the correlation logic to work.

sourcetype=firewall action=accept | transaction SourceIP maxevents=100 maxpause=5m | stats values(DestIP) by SourceIP

Runals
Motivator

So sundareshr's queries are good ways to see the conditions you mention over time. The question is what do you want to do with this information? If it is to take some sort of action (run a script, alert, etc.) then I'd move from timechart to stats and schedule the search to run every 5 min. The other question I have is, if you are going to take some action, I'd build an eventtype that looks at IP information to determine if traffic is originating external to your org and coming in, originating inside and going out, inside and staying inside, and outside and going outside (useful for detecting misconfigs or where you need to update your eventtype). In my environment those are ext_to_int, int_to_ext, int_to_int, and ext_to_ext respectively. The query I'd propose, assuming this is scheduled and assuming you are looking for something like a DoS, is

sourcetype=firewall action=accept eventtype=ext_to_int | stats dc(SourceIP) as SourceIPs by DestIP | where SourceIPs > 50

I'd also recommend checking out Splunk's Common Information Model (CIM) and suggest changing the field names/introducing field aliases so that SourceIP is src_ip and DestIP is dest_ip.


sundareshr
Legend

Try this. For each DestIP, it will show the count of requests and the SourceIPs accepted.

sourcetype=firewall action=accept | timechart span=5m values(SourceIP) as SourceIP count by DestIP | where count>50

*OR*

sourcetype=firewall action=accept | timechart span=5m values(SourceIP) as SourceIP dc(SourceIP) as count by DestIP | where count>50
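As an added illustration (not code from this thread, from Splunk, or from either poster), the detection logic in sundareshr's and Runals's answers restated in plain Python over constructed log lines, so the behaviour of the search can be checked offline: accepts are bucketed into 5-minute windows the way `timechart span=5m` does, distinct SourceIPs are counted per DestIP as in `stats dc(SourceIP) as SourceIPs by DestIP`, and only buckets over the threshold are kept as in `where SourceIPs > 50`. The line format, the list of internal networks standing in for the `ext_to_int` eventtype, and all sample addresses are assumptions made for the example.

```python
"""Fan-in detector: many distinct sources accepted to one destination per 5-minute window."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format for the constructed sample (real firewall syslog will differ).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) SourceIP=(?P<src>\S+) DestIP=(?P<dst>\S+)"
)
EPOCH = datetime(1970, 1, 1)

# Assumed internal address space; in the thread this is what the eventtype encodes.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Extract the fields the search needs; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return {
        "epoch": int((ts - EPOCH).total_seconds()),
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def is_internal(ip):
    """True if the address falls in one of the org's internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Classify a flow the way the eventtypes in the thread do."""
    return {
        (False, True): "ext_to_int",
        (True, False): "int_to_ext",
        (True, True): "int_to_int",
        (False, False): "ext_to_ext",
    }[(is_internal(src), is_internal(dst))]


def fan_in_alerts(lines, span=300, threshold=50, eventtype="ext_to_int"):
    """Return {(window_start_epoch, DestIP): distinct_source_count} for windows over the threshold.

    Mirrors: action=accept eventtype=<eventtype>
             | bin _time span=5m | stats dc(SourceIP) as SourceIPs by _time DestIP
             | where SourceIPs > threshold
    Pass eventtype=None to skip the direction filter.
    """
    sources = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "accept":
            continue
        if eventtype is not None and direction(ev["src"], ev["dst"]) != eventtype:
            continue
        bucket = ev["epoch"] - ev["epoch"] % span  # align to span boundary like timechart
        sources[(bucket, ev["dst"])].add(ev["src"])
    return {key: len(srcs) for key, srcs in sources.items() if len(srcs) > threshold}


def constructed_sample():
    """Constructed log lines (not real traffic), all inside the 12:00-12:05 window unless noted."""
    lines = []
    for i in range(60):
        # 60 distinct external sources accepted to one internal host: should alert.
        lines.append(f"2024-05-01T12:0{i % 5}:{i:02d} action=accept SourceIP=203.0.113.{i + 1} DestIP=10.0.0.5")
        # 60 distinct internal sources to another internal host: int_to_int, filtered out by default.
        lines.append(f"2024-05-01T12:0{i % 5}:{i:02d} action=accept SourceIP=10.1.0.{i + 1} DestIP=10.0.0.7")
    # A quiet host: three external accepts plus one deny (the deny must not be counted).
    for i in range(3):
        lines.append(f"2024-05-01T12:01:0{i} action=accept SourceIP=203.0.113.{200 + i} DestIP=10.0.0.6")
    lines.append("2024-05-01T12:01:05 action=deny SourceIP=203.0.113.203 DestIP=10.0.0.6")
    # One accept in the following window: lands in a different bucket.
    lines.append("2024-05-01T12:05:00 action=accept SourceIP=203.0.113.250 DestIP=10.0.0.5")
    return lines


if __name__ == "__main__":
    for (window, dst), n in sorted(fan_in_alerts(constructed_sample()).items()):
        print(f"window={window} DestIP={dst} distinct_sources={n}")
```

Running the module prints one alert row for 10.0.0.5; calling `fan_in_alerts(lines, eventtype=None)` also reports the internal-only burst to 10.0.0.7, which is exactly the traffic Runals's `eventtype=ext_to_int` filter suppresses when the goal is catching inbound floods rather than internal scans.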