Splunk Search

Follow-Up: Appendcols or other options for searching a sub-search on port ranges

jlundtristate
New Member

In my previous question I didn't think a join would work, but somesoni2 proved that it would work. The only problem was it didn't scale.

search netactivity | stats count by source, destination, protocol, destinationport
| join type=left source, destination, protocol, destinationport
    [ | inputlookup allowedrules
      | eval Port=split(Port,"-")
      | eval s=tonumber(mvindex(Port,0)) | eval e=tonumber(mvindex(Port,-1))
      | eval destinationport=mvrange(s,e+1,1) | mvexpand destinationport
      | table Source Destination Protocol destinationport ApprovedBy
      | rename Source as source Destination as destination Protocol as protocol ]

As the allowedrules table was being updated, we found the need to have a number of entries between distinct sources and destinations for high ports (49152-65535), over 16,000 ports per source/destination combination. We quickly found that the mvrange and mvexpand option above grew the allowedrules table too large to be effective (actually, there must be a limit to an inputlookup, or our limits.conf needed to be re-configured, because we found that the table would not grow larger than 12,000 entries). So I am back trying to come up with a better option.

I have tried a map search looking for the source, destination and protocol, then parsing the Port (if it contains a "-") and comparing the port (startport <= Port AND endport >= Port).

For some reason

search netactivity | stats count by source, destination, protocol, destinationport | map search="| inputlookup allowedrules | search Src=$source$ Dest=$destination$ Proto=$protocol$ | eval Destport=$destinationport$ | table Src, Dest, Proto, Destport"

pulls all the allowedrules for the source/destination/protocol combination, but as soon as I add the logic to test if the destinationport falls within the port range, no matches are found:

search netactivity | stats count by source, destination, protocol, destinationport
| map search="| inputlookup allowedrules | search Src=$source$ Dest=$destination$ Proto=$protocol$ | eval Destport=$destinationport$ | eval tmpPort=split(Port,\"-\") | eval startport=tonumber(mvindex(tmpPort,0)) | eval endport=if(mvcount(tmpPort)>1, tonumber(mvindex(tmpPort,1)), startport) | where startport<=Destport AND endport>=Destport | eval Status=if(isnotnull(ApproveBy), ApproveBy, \"Not Approved\") | table Src, Dest, Proto, Destport, Status"

Thanks in advance for any help.

Jason

0 Karma

somesoni2
SplunkTrust

Give this a try

search netactivity | stats count by source, destination, protocol, destinationport 
| lookup allowedrules Source as source Destination as destination Protocol as protocol OUTPUT Port
| eval Port=split(Port,"-") | eval start=tonumber(mvindex(Port,0)) | eval end=tonumber(mvindex(Port,-1))
| where destinationport>=start AND destinationport<=end
0 Karma

jlundtristate
New Member

lookup doesn't work because there could be multiple allowedrules for the same source/destination/protocol combination - then the Port value(s) returned from the lookup may contain
123
580-590
6000-6500
49152-65535

Also, this works for events where the Port falls within the range, but for those that fail the where, how do you still capture the original source, destination, protocol and destinationport and indicate "needs review"?

example: we need to verify each event in the table and add a field that indicates the status - communication is allowed or is not found in our allowed rules, so it should be reviewed.

0 Karma

somesoni2
SplunkTrust

Assuming Port is returned as a multivalued field when there are multiple rows in the lookup for a source/destination/protocol combination, try this version:

search netactivity | stats count by source, destination, protocol, destinationport
| lookup allowedrules Source as source Destination as destination Protocol as protocol OUTPUT Port
| eval Port=coalesce(Port,"No Allowed Rules found,Need Review")
| mvexpand Port
| eval Port=split(Port,"-") | eval start=tonumber(mvindex(Port,0)) | eval end=tonumber(mvindex(Port,-1))
| eval Status=case(Port="No Allowed Rules found,Need Review", "No Allowed Rules found,Need Review", destinationport>=start AND destinationport<=end, "communication is allowed", true(), null())
| stats values(Status) as Status values(count) as count by source, destination, protocol, destinationport
| fillnull value="Not Approved,Need Review" Status
0 Karma
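The check that both Jason's map search and somesoni2's lookup version are trying to express, written out as an added Python reference (this is not code from the thread or from Splunk): allowedrules rows are indexed by source/destination/protocol with Port kept as a single port or an inclusive range, each aggregated netactivity row is matched against every rule for its key, and every row comes back with a Status, including rows that no rule covers. The column names follow the thread (the lookup's approver column is assumed to be ApprovedBy, which the thread spells two ways); the lookup rows and netactivity counts are constructed for the example.

```python
"""Reference implementation of the allowed-rules port check.

Added example, not code from the thread. Mirrors what the SPL above is
trying to do: each aggregated netactivity row is matched against the
allowedrules rows for the same source/destination/protocol, where Port is a
single port ("123") or an inclusive range ("580-590"), and every row gets a
Status, including rows that no rule covers. Data below is constructed.
"""
import csv
import io
from typing import Dict, List, Optional, Tuple

Rule = Tuple[int, int, str]   # (start, end, approver)
Key = Tuple[str, str, str]    # (source, destination, protocol)

# Constructed stand-in for the allowedrules lookup. Ranges stay ranges:
# 49152-65535 is one row here, not 16,384 expanded rows.
ALLOWED_RULES_CSV = """Source,Destination,Protocol,Port,ApprovedBy
10.1.1.5,10.2.2.9,tcp,123,jdoe
10.1.1.5,10.2.2.9,tcp,580-590,jdoe
10.1.1.5,10.2.2.9,tcp,6000-6500,asmith
10.1.1.5,10.2.2.9,tcp,49152-65535,asmith
10.1.1.7,10.2.2.9,udp,53,jdoe
"""

# Constructed stand-in for "search netactivity | stats count by ...".
NETACTIVITY_ROWS = [
    {"source": "10.1.1.5", "destination": "10.2.2.9", "protocol": "tcp", "destinationport": "123", "count": 40},
    {"source": "10.1.1.5", "destination": "10.2.2.9", "protocol": "tcp", "destinationport": "585", "count": 3},
    {"source": "10.1.1.5", "destination": "10.2.2.9", "protocol": "tcp", "destinationport": "50000", "count": 9},
    {"source": "10.1.1.5", "destination": "10.2.2.9", "protocol": "tcp", "destinationport": "591", "count": 1},
    {"source": "10.1.1.7", "destination": "10.2.2.9", "protocol": "udp", "destinationport": "53", "count": 120},
    {"source": "10.1.1.7", "destination": "10.2.2.9", "protocol": "tcp", "destinationport": "443", "count": 2},
]

ALLOWED = "communication is allowed"
NEEDS_REVIEW = "No Allowed Rules found,Need Review"


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Turn "123" into (123, 123) and "580-590" into (580, 590), bounds inclusive.

    Same job as split(Port,"-") / mvindex(...,0) / mvindex(...,-1) in the SPL,
    plus validation the SPL lacks: a malformed or reversed spec raises instead
    of producing a null bound that silently never matches.
    """
    parts = spec.strip().split("-")
    if len(parts) == 1:
        start = end = int(parts[0])
    elif len(parts) == 2:
        start, end = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"bad port spec: {spec!r}")
    if not 0 <= start <= end <= 65535:
        raise ValueError(f"port spec out of range: {spec!r}")
    return start, end


def load_rules(csv_text: str) -> Dict[Key, List[Rule]]:
    """Index the lookup by (source, destination, protocol); several rules per key are fine."""
    rules: Dict[Key, List[Rule]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Source"], row["Destination"], row["Protocol"].lower())
        start, end = parse_port_spec(row["Port"])
        rules.setdefault(key, []).append((start, end, row["ApprovedBy"]))
    return rules


def match_rule(row: dict, rules: Dict[Key, List[Rule]]) -> Optional[Rule]:
    """Return the first rule whose range covers the row's destinationport, else None."""
    key = (row["source"], row["destination"], row["protocol"].lower())
    port = int(row["destinationport"])
    for rule in rules.get(key, []):
        if rule[0] <= port <= rule[1]:
            return rule
    return None


def review(rows: List[dict], rules: Dict[Key, List[Rule]]) -> List[dict]:
    """Attach Status (and ApprovedBy when allowed) to every row; no row is dropped."""
    out = []
    for row in rows:
        rule = match_rule(row, rules)
        if rule is None:
            out.append(dict(row, Status=NEEDS_REVIEW, ApprovedBy=None))
        else:
            out.append(dict(row, Status=ALLOWED, ApprovedBy=rule[2]))
    return out


if __name__ == "__main__":
    for r in review(NETACTIVITY_ROWS, load_rules(ALLOWED_RULES_CSV)):
        print(r["source"], r["destination"], r["protocol"], r["destinationport"], r["Status"], r["ApprovedBy"] or "-")
```

The Status strings mirror somesoni2's version. The point to carry back into SPL is that rules stay as (start, end) pairs, so the table grows by one row per rule rather than one row per port, which is what defeated the mvrange/mvexpand join. Running a small sample through a reference like this also gives a known-good answer to compare against the Splunk output, which is how silent truncation shows up, for example map stopping after its default maxsearches of 10 iterations.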