Getting Data In

How to add the destination port value for firewall events in Splunk?

Hemnaath
Motivator

Hi All,

Today one of the users notified me that for some of the events the destination port field value was left blank. On further investigation of this issue, I found that there are many values in the service field that are resolved service names instead of port numbers. Only the values in "service" with an actual number are parsed as "dest_port", while values in "service" that are resolved as words are not included.

Actual Requirement:
Instead of the word of the service, just put the value of the port number in the logs.

Sample data:

Event Details: 1
time=1522839628|loc=17629694|fileid=1522834250|action=accept|orig=node1fw.xxx.com|i/f_dir=inbound|i/f_name=bond0.905|has_accounting=0|logId=-1|log_type=log|log_sequence_num=0|is_first_for_luuid=131072|log_version=1|uuid=<5ac4b04c,00000000,14fcd00a,c0000002>|product=VPN-1 & FireWall-1|inzone=Internal|outzone=External|rule=35|rule_uid={07FA4A1E-BF88-4F51-9428-3BAB6AABE07A}|rule_name=External DNS|service_id=domain-udp|src=xxxx.xxx.com|s_port=23293|dst=x.x.x.x|service=domain-udp|proto=udp|xlatesrc=node1fw-cluster_External_Interface|xlatesport=43676|xlatedport=Unknown|NAT_rulenum=13|NAT_addtnl_rulenum=1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={E0D0044A-9CB4-8248-86D9-9DE7A3F332DF};mgmt=node3;date=1518285268;policy_name=Efficiency_Hubs]|origin_sic_name=CN=node1fw.xxx.com,O=xxxx.xxx.com.eovv25
Field Name = service
Field Value = domain-udp
Missing Field = dest_port

In this case the service field value is a word, and because of this the dest_port field value is left blank.

Event Details: 2
time=1522839333|loc=17636317|fileid=1522834250|action=drop|orig=node2fw.xxx.com|i/f_dir=inbound|i/f_name=bond0.999|has_accounting=0|logId=0|log_type=log|log_sequence_num=658|is_first_for_luuid=131072|log_version=5|origin_sic_name=CN=node2fw.xxx.com,O=xxxx.xxx.com.eovv25|uuid=<00000000,00000000,00000000,00000000>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={64E4675C-B552-0B41-B0C9-1DEEDD8E89A6};mgmt=node3;date=1521389454;policy_name=Global-2]|inzone=External|outzone=Internal|service_id=TCP_3500-5100|src=x.x.x.x|s_port=51209|dst=x.x.x.x|**service=4031**|proto=tcp|match_id=844|match_table.match_id=844|layer_uuid=d22a0707-816b-4ba3-9cf3-912b56dac9a7|match_table.layer_uuid=d22a0707-816b-4ba3-9cf3-912b56dac9a7|layer_name=Global-2 Security|match_table.layer_name=Global-2 Security|rule_uid=031fcba9-d6a7-409d-a3d3-52aff242a063|match_table.rule_uid=031fcba9-d6a7-409d-a3d3-52aff242a063|rule_name=Explicit Drop|match_table.rule_name=Explicit Drop|rule_action=0|match_table.rule_action=0|parent_rule=0|match_table.parent_rule=0
Field Name = service
Field Value = 4031

In this case we are able to get the dest_port field value as 4031.

Kindly guide me how to fix this issue.

thanks in advance.

0 Karma

FrankVl
Ultra Champion

I see 2 solution directions for this:

  1. Create an automatic lookup that translates non-numeric service field entries into their numeric equivalent. If you're not familiar with how to do that, start by reading: http://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Addfieldsfromexternaldatasources
  2. See if you (or your firewall admin) can configure this on the Checkpoint side somehow, to only log numeric values instead of service names. If possible, that would be the option I would prefer personally.
0 Karma

xpac
SplunkTrust

So... you're talking about a TA/app you downloaded? Or something you built yourself?
There's a bunch of information missing...

0 Karma

Hemnaath
Motivator

Hey xpac, we downloaded it from Splunkbase and renamed the add-on as per the naming standards followed in our organization. We have done very minor customization in it. This is the props.conf stanza that is mapped to sourcetype=opsec.

Props.conf: 
[opsec]
KV_MODE          = none

TRANSFORMS-fix_am_sourcetype = opsec_sourcetype_anti_malware
TRANSFORMS-fix_av_sourcetype = opsec_sourcetype_anti_virus
TRANSFORMS-fix_sd_sourcetype = opsec_sourcetype_smartdefense
TRANSFORMS-fix_te_sourcetype = opsec_sourcetype_threat_emulation
TRANSFORMS-fix_vpn_sourcetype = opsec_sourcetype_vpn

REPORT-0policy_id_tag_for_opsec     = policy_id_tag_for_opsec, db_tag_for_opsec, mgmt_for_opsec, policy_date_for_opsec, policy_name_for_opsec
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
REPORT-auto_kv_for_opsec            = auto_kv_for_opsec
REPORT-inbound_interface_for_opsec  = inbound_interface_for_opsec
REPORT-outbound_interface_for_opsec = outbound_interface_for_opsec
REPORT-opsec_product = opsec_product_field,opsec_product
REPORT-opsec_vendor_operation = opsec_vender_operation_field

FIELDALIAS-dest_for_opsec = dst as dest, dst as dest_ip
FIELDALIAS-src_for_opsec = src as src_ip
FIELDALIAS-direction_for_opsec = i_f_dir as direction
FIELDALIAS-dvc_for_opsec       = orig as dvc
FIELDALIAS-event_id_for_opsec  = loc as event_id 
FIELDALIAS-vendor_product = product as vendor_product
FIELDALIAS-vendor_action = action as vendor_action
FIELDALIAS-dest_interface = outbound_interface as dest_interface
FIELDALIAS-src_interface = inbound_interface as src_interface
FIELDALIAS-icmp_code = ICMP as icmp_code
FIELDALIAS-icmp_type = ICMP_Type as icmp_type
FIELDALIAS-packets_in = client_inbound_packets as packets_in
FIELDALIAS-packets_out = client_outbound_packets as packets_out
FIELDALIAS-src_zone  = inzone as src_zone
FIELDALIAS-dest_zone  = outzone as dest_zone

EVAL-dvc_ip = if(match(orig,"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), orig, null)
EVAL-rule = case(isnull(rule),policy_name,(not isnum(rule)),rule,isnotnull(policy_name),policy_name,1==1,null)
EVAL-rule_id =  if(isnum(rule),rule,null)
EVAL-src_port = if(isnum(s_port),s_port,null)
EVAL-src_svc = if(isnum(s_port),null,s_port)
EVAL-dest_port = if(isnum(service),service,null)
EVAL-dest_svc = if(isnum(service),null,service)
EVAL-transport = case(lower(proto)=="tcp","tcp",lower(proto)=="udp","udp",lower(proto)=="icmp","icmp",1==1,null)
EVAL-received_bytes = if (received_bytes < 0, 2147483647, received_bytes)
EVAL-sent_bytes = if(sent_bytes < 0, 2147483647, sent_bytes)
EVAL-bytes_in = if (received_bytes < 0, 2147483647, received_bytes)
EVAL-bytes_out = if(sent_bytes < 0, 2147483647, sent_bytes)
EVAL-bytes = if(bytes < 0, 2147483647, bytes)
EVAL-client_inbound_bytes = if(client_inbound_bytes < 0, 2147483647, client_inbound_bytes)
EVAL-client_outbound_bytes = if(client_outbound_bytes < 0, 2147483647,client_outbound_bytes)
EVAL-server_inbound_bytes = if(server_inbound_bytes < 0, 2147483647, server_inbound_bytes)
EVAL-server_outbound_bytes = if(server_outbound_bytes < 0, 2147483647,server_outbound_bytes)

LOOKUP-action_for_opsec       = checkpoint_opsec_action_lookup vendor_action OUTPUT action
LOOKUP-vendor_info_for_opsec   = checkpoint_vendor_info_lookup sourcetype OUTPUTNEW vendor,product,vendor_product
LOOKUP-vendor_info_for_opsec2   = checkpoint_vendor_info_lookup sourcetype OUTPUTNEW product as opsec_product

Kindly guide me how to fix the issue.
thanks in advance.

0 Karma
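As an added illustration of the lookup approach FrankVl describes (example code added by the editor, not from the thread and not from the Check Point add-on), the Python below mirrors the EVAL-dest_port / EVAL-dest_svc calculated fields in the props.conf Hemnaath posted, then fills dest_port from a service-name table whenever the event carries a name instead of a number, and finally lists the names that still have no entry, which is the list of rows you would have to add to the lookup. The events are shortened copies of the two samples above plus one constructed event with an unknown service; the lookup contents and the file name checkpoint_service_ports.csv are assumptions.

```python
import csv
import io

# Constructed events: the two samples from the thread shortened to the fields
# the port logic needs, plus a third constructed event whose service name is
# not in the lookup.  Same pipe-delimited key=value layout as Check Point OPSEC.
SAMPLE_EVENTS = [
    "time=1522839628|action=accept|orig=node1fw.xxx.com|rule_name=External DNS"
    "|service_id=domain-udp|src=xxxx.xxx.com|s_port=23293|dst=x.x.x.x"
    "|service=domain-udp|proto=udp",
    "time=1522839333|action=drop|orig=node2fw.xxx.com|rule_name=Explicit Drop"
    "|service_id=TCP_3500-5100|src=x.x.x.x|s_port=51209|dst=x.x.x.x"
    "|service=4031|proto=tcp",
    "time=1522839400|action=accept|orig=node1fw.xxx.com|service=MyCustomSvc"
    "|src=x.x.x.x|s_port=40000|dst=x.x.x.x|proto=tcp",
]

# Constructed lookup (assumption): Check Point service object name + protocol
# -> destination port.  In Splunk this is the CSV behind the automatic lookup.
# Keyed on proto too, because the same object name can exist for tcp and udp.
SERVICE_PORT_LOOKUP = {
    ("domain-udp", "udp"): 53,
    ("domain-tcp", "tcp"): 53,
    ("http", "tcp"): 80,
    ("https", "tcp"): 443,
    ("ssh", "tcp"): 22,
    ("ntp-udp", "udp"): 123,
}


def parse_event(raw):
    """Split a pipe-delimited key=value event into a dict (split on the first '=')."""
    fields = {}
    for token in raw.split("|"):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def extract_dest_port(fields):
    """Mirror the TA's EVAL-dest_port / EVAL-dest_svc: numeric service -> port."""
    service = fields.get("service")
    if service is not None and service.isdigit():
        return int(service), None   # dest_port set, dest_svc null
    return None, service            # dest_port null, dest_svc carries the name


def resolve_dest_port(fields, lookup=SERVICE_PORT_LOOKUP):
    """Fill dest_port from the lookup only when the EVAL left it blank (OUTPUTNEW)."""
    dest_port, dest_svc = extract_dest_port(fields)
    if dest_port is None and dest_svc is not None:
        proto = fields.get("proto", "").lower()
        dest_port = lookup.get((dest_svc, proto))
    return {"dest_port": dest_port, "dest_svc": dest_svc}


def unresolved_services(raw_events, lookup=SERVICE_PORT_LOOKUP):
    """(service, proto) pairs that still have no port: the rows missing from the lookup."""
    missing = set()
    for raw in raw_events:
        fields = parse_event(raw)
        result = resolve_dest_port(fields, lookup)
        if result["dest_port"] is None and result["dest_svc"] is not None:
            missing.add((result["dest_svc"], fields.get("proto", "").lower()))
    return sorted(missing)


def lookup_csv(lookup=SERVICE_PORT_LOOKUP):
    """Render the table as CSV text for lookups/checkpoint_service_ports.csv (assumed name)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["service", "proto", "dest_port"])
    for (service, proto), port in sorted(lookup.items()):
        writer.writerow([service, proto, port])
    return buf.getvalue()


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(resolve_dest_port(parse_event(raw)))
    print("still unresolved:", unresolved_services(SAMPLE_EVENTS))
    print(lookup_csv())
```

Two details carry over to the Splunk side. First, at search time calculated fields (EVAL-) are evaluated before automatic lookups (LOOKUP-), so the existing EVAL-dest_port cannot read a lookup output; the lookup has to write dest_port itself, with OUTPUTNEW so that the numeric value the EVAL already set for events like the second sample is not overwritten. Second, key the lookup on service and proto, not service_id: in the second sample service_id is the range object TCP_3500-5100 while the actual port is in service=4031, and a range has no single port to map to. The code deliberately does not use socket.getservbyname, because Check Point object names such as domain-udp are not IANA service names.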