
Mac address spoof search?

shandman
Path Finder

I've been trying to get this to work with my data but can't seem to get it to work. https://answers.splunk.com/answers/230665/how-to-edit-my-search-to-filter-and-only-return-du.html?ut...

Here is the query I'm running.
index=windows sourcetype=dhcpsrvlog ... | stats dc(dhcp_mac) as macCount values(dhcp_mac) as mac by dhcp_hostname | search macCount>1

I run that for the past 30 days, during which time I have spoofed mac addresses with 0 results coming up with this search. Am I missing something?


shandman
Path Finder

I think I'm close. Just need a little help. Here is my current search:
index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by raw_mac | where count = 2

I'm trying to get results for any 2 systems sharing the same mac address.

Thanks again for the help guys.


shandman
Path Finder

Ah, I see. No, the search is showing dest_mac and dest_nt_host.


harsmarvania57
SplunkTrust

Then your query should be:

index=windows sourcetype=dhcpsrvlog ... | stats dc(dest_mac) as macCount values(dest_mac) as mac by dest_nt_host| search macCount>1

shandman
Path Finder

Now there is a plethora of hosts showing up with slightly different MAC addresses, 1340 results. Looks like maybe they have multiple network interfaces? How can I adjust the search to show when another host takes on the MAC address of a host, thus showing when a MAC address has been spoofed? Thanks guys.

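The searches in this thread group by hostname and count distinct MACs, which is the multi-NIC view; a shared (possibly spoofed) MAC is the reverse grouping, one MAC seen with more than one hostname. The following is an added example, not code from the thread or from Splunk, that computes both views in Python over constructed DHCP audit-log lines; the CSV column layout and the equivalent SPL in the comment are assumptions.

```python
"""Added example: the MAC-reuse check discussed in the thread, run in Python
over constructed Windows DHCP audit-log lines (column layout assumed as
ID,Date,Time,Description,IP Address,Host Name,MAC Address)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample lines: lt-carol has two NICs (two MACs), while
# ws-alice and ws-mallory both show up with the same MAC.
SAMPLE_LOG = """\
10,03/01/24,08:00:01,Assign,10.0.1.20,ws-alice.corp.example,001122334455
10,03/01/24,08:05:10,Assign,10.0.1.21,ws-bob.corp.example,001122334466
10,03/01/24,08:07:43,Assign,10.0.1.22,lt-carol.corp.example,001122334477
10,03/01/24,09:12:00,Assign,10.0.1.23,lt-carol.corp.example,001122334478
11,03/01/24,10:30:11,Renew,10.0.1.24,ws-mallory.corp.example,001122334455
"""


def parse_events(log_text):
    """Yield (hostname, mac) pairs, lower-cased, from audit-log CSV lines."""
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 7:  # skip header lines and truncated rows
            continue
        host, mac = row[5].strip().lower(), row[6].strip().lower()
        if host and mac:
            yield host, mac


def hosts_with_multiple_macs(events):
    """The thread's grouping: dc(mac) by hostname, keep hosts with >1.
    This finds multi-NIC hosts, not spoofed addresses."""
    macs_by_host = defaultdict(set)
    for host, mac in events:
        macs_by_host[host].add(mac)
    return {h: sorted(m) for h, m in macs_by_host.items() if len(m) > 1}


def macs_with_multiple_hosts(events):
    """Reverse grouping: dc(hostname) by mac, keep MACs with >1 hosts.
    Assumed SPL equivalent:
      ... | stats dc(dest_nt_host) as hostCount values(dest_nt_host) as hosts
          by dest_mac | where hostCount>1"""
    hosts_by_mac = defaultdict(set)
    for host, mac in events:
        hosts_by_mac[mac].add(host)
    return {m: sorted(h) for m, h in hosts_by_mac.items() if len(h) > 1}


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_LOG))
    print("multi-NIC hosts:", hosts_with_multiple_macs(evs))
    print("MACs shared by several hosts:", macs_with_multiple_hosts(evs))
```

Only the second function flags the shared MAC; the first reports lt-carol's two interfaces, which is the noise the 1340-result search was returning.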

harsmarvania57
SplunkTrust

Hi @shandman,

When you run this query index=windows sourcetype=dhcpsrvlog ... are you getting dhcp_mac and dhcp_hostname in the interesting fields on the left-hand side in Splunk?


blacknight659
Explorer

Same question, but make sure you are in Smart or Verbose mode when you check this.
