
How do I get the actual IP from firewall logs when both the real IP and the NATed IP are shown by a NetScreen firewall?

seetharamanPr
New Member

Hi All,

We have a NetScreen ISG 2000 firewall in our network; it has been integrated with Splunk and we are receiving logs. Recently I was told to get the following from the logs:
1. Source IP (public IP)
2. Destination IP (NATed IP)
3. Actual destination IP (real IP within our network)
4. Policy ID
5. Port number

I wrote the SPL below:

index=netscreen sourcetype="netscreen:firewall" "src zone=ISP2-Untrust" AND "dst-xlated" AND policy_id AND dst_port AND "ip=192.168.." | stats count by src dst dst_port zone policy_id | sort 30 - count | rename src as SOURCE_OUTSIDE, dst as DESTINATION_INSIDE, dst_port as DESTINATION_PORT, zone as ZONE, policy_id as POLICY_ID, count as COUNT

I was able to get everything except the real destination IP, which does appear in the logs. Below is the log line that is forwarded from the firewall to Splunk.

Nov 21 07:56:35 10.0.9.12 RYDFWJISG2k-2: NetScreen device_id=RYDFWJISG2k-2 [Root]system-notification-00257(traffic): start_time="2016-11-21 07:55:28" duration=0 policy_id=371 service=https proto=6 src zone=ISP2-Untrust dst zone=DMZ2 action=Permit sent=0 rcvd=0 src=5.41.198.127 dst=87.101.204.3 src_port=1925 dst_port=443 src-xlated ip=5.41.198.127 port=1925 dst-xlated ip=192.168.4.201 port=443 session_id=968548 reason=Creation

I am looking for the IP that appears as dst-xlated ip=192.168.4.201.

So in the SPL above I searched on dst-xlated, but I don't get the original IP, only the public IPs from our side and the client side. The statistics output is given below.

    SOURCE_OUTSIDE   DESTINATION_INSIDE   DESTINATION_PORT   ZONE           POLICY_ID   COUNT
1   87.101.155.38    87.101.204.1         443                ISP2-Untrust   374         9903
2   149.202.30.95    87.101.204.3         443                ISP2-Untrust   371         1953

How do I get the real IP that the client is trying to access at our end?

Awaiting a reply. Thank you in advance.

Regards
Pradeep

1 Solution

sundareshr
Legend

How are the fields extracted? My guess is the dst-xlated value is the second index in a multivalue field called ip. Try this:

index=netscreen sourcetype="netscreen:firewall" "src zone=ISP2-Untrust" AND "dst-xlated" AND policy_id AND dst_port | eval dst_ip=mvindex(ip, 1) | stats count by src dst_ip dst dst_port zone policy_id | sort 30 - count | rename src as SOURCE_OUTSIDE, dst as DESTINATION_INSIDE, dst_port as DESTINATION_PORT, zone as ZONE, policy_id as POLICY_ID, count as COUNT

*OR*, if that does not return the correct value, you will have to extract the field value with a regex. Try this:

index=netscreen sourcetype="netscreen:firewall" "src zone=ISP2-Untrust" AND "dst-xlated" AND policy_id AND dst_port | rex field=_raw "dst-xlated\sip=(?<dst_ip>[^\s]+)" | stats count by src dst_ip dst dst_port zone policy_id | sort 30 - count | rename src as SOURCE_OUTSIDE, dst as DESTINATION_INSIDE, dst_port as DESTINATION_PORT, zone as ZONE, policy_id as POLICY_ID, count as COUNT

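To show why the two approaches in this answer differ, here is an added Python example (not part of the original thread or of Splunk) that parses the log line from the question with a generic key=value extraction and then with a prefix-anchored regex. In NetScreen traffic logs the `ip=` and `port=` keys occur twice, once after `src-xlated` and once after `dst-xlated`, so a naive extraction yields a multivalue `ip` field whose second element is the translated destination, while anchoring on `dst-xlated ip=` is unambiguous. The field names and helper functions are my own.

```python
import re
from collections import defaultdict

# Sample NetScreen traffic log, copied from the question above.
SAMPLE_LOG = (
    'Nov 21 07:56:35 10.0.9.12 RYDFWJISG2k-2: NetScreen device_id=RYDFWJISG2k-2 '
    '[Root]system-notification-00257(traffic): start_time="2016-11-21 07:55:28" '
    'duration=0 policy_id=371 service=https proto=6 src zone=ISP2-Untrust '
    'dst zone=DMZ2 action=Permit sent=0 rcvd=0 src=5.41.198.127 dst=87.101.204.3 '
    'src_port=1925 dst_port=443 src-xlated ip=5.41.198.127 port=1925 '
    'dst-xlated ip=192.168.4.201 port=443 session_id=968548 reason=Creation'
)

# key=value or key="quoted value"; a key never contains whitespace or '='.
KV_RE = re.compile(r'([^\s=]+)=("[^"]*"|\S+)')

def naive_kv(line):
    """Generic key=value extraction. The 'src-xlated'/'dst-xlated' words are not
    part of the key, so 'ip', 'port' and 'zone' are each captured twice; the
    second 'ip' is what the answer's mvindex(ip, 1) reaches for."""
    fields = defaultdict(list)
    for key, value in KV_RE.findall(line):
        fields[key].append(value.strip('"'))
    return dict(fields)

# Anchor on the direction prefix, like the accepted answer's rex does.
XLATED_RE = re.compile(r'(?P<dir>src|dst)-xlated ip=(?P<ip>\S+) port=(?P<port>\d+)')

def xlated_addresses(line):
    """Return {'src': (ip, port), 'dst': (ip, port)} for the translated addresses,
    independent of where the duplicate 'ip=' keys fall in the line."""
    return {m.group('dir'): (m.group('ip'), int(m.group('port')))
            for m in XLATED_RE.finditer(line)}

def summarize(line):
    """Build the row the question asked for: public source, NATed destination,
    real destination, port, source zone and policy id."""
    f = naive_kv(line)
    x = xlated_addresses(line)
    return {
        'SOURCE_OUTSIDE': f['src'][0],
        'DESTINATION_INSIDE': f['dst'][0],
        'DESTINATION_REAL': x['dst'][0],
        'DESTINATION_PORT': int(f['dst_port'][0]),
        'ZONE': f['zone'][0],           # first 'zone' is the src zone
        'POLICY_ID': int(f['policy_id'][0]),
    }

if __name__ == '__main__':
    print(naive_kv(SAMPLE_LOG)['ip'])   # two values: src-xlated then dst-xlated
    print(summarize(SAMPLE_LOG))
```

If a log source emits the xlated pairs in a different order, the multivalue index shifts but the prefix-anchored extraction still returns the right address, which is why the rex variant is the safer default.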

seetharamanPr
New Member

Hi Sundar,

Thank you very much for your reply. The first SPL did not work but the 2nd one did. Thank you for your help.

Regards
Pradeep

