How can I create a supression/whitelist for traffi...

prakhar_2 · ‎12-07-2017

I want to create a suppression / whitelist for traffic between these IPs:
192.168.10.12/13/64/65 ---> 192.168.17.20/21

• Source Port:
o 25000
o 143
o 25002
• Destination Port:
o 443
o 25000
o 143
o 25001
o 993

I tried a search query as below however it is not working:

search NOT (((src="192.168.10.12" OR src="192.168.10.13" OR src="192.168.10.64" OR src="192.168.10.65") AND (src_port="25000" OR src_port="25002" OR src_port="143")) AND ((dest="192.168.17.20" OR dest="192.168.17.21") AND (dest_port="143" OR dest_port="443" OR dest_port="993" OR dest_port="25000" OR dest_port="25001")))

Kindly help to get this done.

somesoni2 · ‎12-07-2017

Try this. There will be 4 (#src) * 3 (#src_port) * 2 (#dest) * 5(#dest_port) =120 combinations to be excluded. The subsearch generates the same. See Inspect job for Normalized search.

your base search NOT [| gentimes start=-1 | eval src=split("192.168.10.12 192.168.10.13 192.168.10.64 192.168.10.65"," ") | table src | mvexpand src | eval src_port=split("25000 143 25002", " ") | mvexpand src_port | eval dest=split("192.168.17.20 192.168.17.21"," ") | mvexpand dest | eval dest_port=split("443 25000 143 25001 993"," ") | mvexpand dest_port | format]

How can I create a supression/whitelist for traffic between two IP addresses?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor