Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

module to check for multiple IP addresses...

lcrites
New Member
‎05-29-2012 03:15 PM

Y'all;

I need to [ find | build ] a module that will return real-time status of hits on a rather large number of IP addresses. I am trying to check for all of the currently registered exit nodes from the TOR network. The number could range from nearly 1,000 to over 2,000 addresses.

I already have a process that will build a text file with the IP addresses in a sorted file. Now I'm looking for a module (or any other solution) that will watch the log files to see who is connecting from one of those addresses, and give me a real-time alert when it occurs.

Baring that, can anyone point me to a working shell for a module that I might be able to change to accomplish this. I have loads of programming experience, but 3 days of dealing with Splunk.

Thanks muchly,

Lee

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dshpritz
SplunkTrust
SplunkTrust
‎05-29-2012 03:56 PM

Hello Lee,

If you have the IP addresses in a CSV (or just a header with one IP on each line), you can use a lookup to accomplish this. So, let's say you have a list of TOR nodes in a lookup named torexitnodes.csv, with contents like this:

ipaddress

1.1.1.1

2.2.2.2

3.3.3.3

Then you can use a search like this to check for hits against that lookup:
sourcetype=firewall [|inputlookup torexitnodes.csv | fields ipaddress | rename ipaddress as dest_ip]

Some sources:
http://blogs.splunk.com/2011/08/16/getwatchlist-getting-watchlists-into-splunk-quickly-and-easily-wi...

http://docs.splunk.com/Documentation/Splunk/latest/admin/transformsconf

View solution in original post

Reply
Solved! Jump to solution
Solution

dshpritz
SplunkTrust
SplunkTrust
‎05-29-2012 03:56 PM

Hello Lee,

If you have the IP addresses in a CSV (or just a header with one IP on each line), you can use a lookup to accomplish this. So, let's say you have a list of TOR nodes in a lookup named torexitnodes.csv, with contents like this:

ipaddress

1.1.1.1

2.2.2.2

3.3.3.3

Then you can use a search like this to check for hits against that lookup:
sourcetype=firewall [|inputlookup torexitnodes.csv | fields ipaddress | rename ipaddress as dest_ip]

Some sources:
http://blogs.splunk.com/2011/08/16/getwatchlist-getting-watchlists-into-splunk-quickly-and-easily-wi...

http://docs.splunk.com/Documentation/Splunk/latest/admin/transformsconf

Reply
Solved! Jump to solution

lcrites
New Member
‎05-30-2012 11:41 AM

Coolness! Thanks for the head's up. I'm working on my first module(s). I thought this one might be the most difficult, but if the code above is what I think it is, then it might be one of the easier ones.

Thanks muchly!!!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...