I am looking for a way to do two searches on two fields and, of the two searches, only take one of the fields to do a calculation. The calculation will be the total time of an RDP connection to a workstation. I have Snort set up to give me an alert for a connection and a disconnection, and Splunk displaying the results in the correct format "alert_fast_full".
Sample of the log: Full log located HERE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:1111111:0] Snort Alert [1:1111111:0] [**]
[Classification: RDC Connection Established] [Priority: 10]
Event ID: 30 Event Reference: 30
01/25/13-16:00:04.843359 10.7.0.39:3763 -> 192.168.254.97:3309
TCP TTL:127 TOS:0x0 ID:6857 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0xE84B548E Ack: 0xC5D81F3E Win: 0x100 TcpLen: 20
03 00 00 2F 2A E0 00 00 00 00 00 43 6F 6F 6B 69 .../......Cooki
65 3A 20 6D 73 74 73 68 61 73 68 3D 41 64 6D 69 e: mstshash=Admi
6E 69 73 74 72 0D 0A 01 00 08 00 0B 00 00 00 nistr..........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
[Classification: RDC Disconnect] [Priority: 10]
Event ID: 29 Event Reference: 29
01/25/13-16:00:04.106860 192.168.254.97:3309 -> 10.7.0.39:3762
TCP TTL:127 TOS:0x0 ID:29375 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x673B29EE Ack: 0x97AD3E87 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
[Classification: RDC Disconnect] [Priority: 10]
Event ID: 28 Event Reference: 28
01/25/13-15:59:58.521247 192.168.254.97:3308 -> 10.7.0.39:3761
TCP TTL:127 TOS:0x0 ID:12121 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x8249C886 Ack: 0x1D15B360 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
[Classification: RDC Disconnect] [Priority: 10]
Event ID: 27 Event Reference: 27
01/25/13-15:59:52.824224 192.168.254.97:3303 -> 10.7.0.39:3747
TCP TTL:127 TOS:0x0 ID:17495 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x6DEB62CE Ack: 0x8CE5A9FC Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:1111111:0] Snort Alert [1:1111111:0] [**]
[Classification: RDC Connection Established] [Priority: 10]
Event ID: 26 Event Reference: 26
01/25/13-15:59:51.960445 10.7.0.39:3760 -> 192.168.254.97:3303
TCP TTL:127 TOS:0x0 ID:5899 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x2EE48349 Ack: 0x33E7ADDF Win: 0x100 TcpLen: 20
03 00 00 2F 2A E0 00 00 00 00 00 43 6F 6F 6B 69 .../......Cooki
65 3A 20 6D 73 74 73 68 61 73 68 3D 41 64 6D 69 e: mstshash=Admi
6E 69 73 74 72 0D 0A 01 00 08 00 0B 00 00 00 nistr..........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
[Classification: RDC Disconnect] [Priority: 10]
Event ID: 25 Event Reference: 25
01/25/13-15:59:51.953843 192.168.254.97:3303 -> 10.7.0.39:3759
TCP TTL:127 TOS:0x0 ID:17272 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0xC32E573F Ack: 0xF58DAC60 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
My search pattern:
Signature=2222222 dest_port="*" | fields - signature
-This gives me ONLY dest_port (What I want)
&
Signature=1111111 src_port="*" | fields - signature
-Ditto src_port (Also what I want)
The unique fields I need are src_port and dest_port, because the ephemeral port is unique to, and the same for, the connection opening and closing.
I then want to do a calculation of the search above and subtract the dest_port time from src_port time to give me the overall connection time.
3301-3310 Calculate time based on search above
Total time = XXX hours minutes seconds for 1week 1month 5 days
I apologize if this is easy but I am still reading through the 5.5MB PDF Splunk documentation to give me a fuller scope of how to use Splunk to its greatest capability. 🙂
Have you looked at the transaction command?
Signature=2222222 OR Signature=1111111 | transaction src_ip src_port dest_ip dest_port
transaction will create two fields, eventcount and duration, which pretty much contain what you'd expect them to. 🙂
You could also use stats to do something similar.
Signature=2222222 OR Signature=1111111 | stats range(_time) as duration by src_ip,src_port,dest_ip,dest_port
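As an added illustration (not from this thread and not Splunk's own code) of what the transaction/stats searches above compute, here is a standalone Python parser over the alert_fast_full sample from the question. It assumes that the 3301-3310 masqueraded port marks the server end of each alert, so the connect (client -> server) and disconnect (server -> client) alerts of one session land on the same key even though they run in opposite directions, and it reports an Established alert that never sees a Disconnect as still open instead of dropping it.

```python
import re
from datetime import datetime

# Constructed excerpt of the alert_fast_full export shown in the question.
SAMPLE = """\
[**] [1:1111111:0] Snort Alert [1:1111111:0] [**]
01/25/13-16:00:04.843359 10.7.0.39:3763 -> 192.168.254.97:3309
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
01/25/13-16:00:04.106860 192.168.254.97:3309 -> 10.7.0.39:3762
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
01/25/13-15:59:52.824224 192.168.254.97:3303 -> 10.7.0.39:3747
[**] [1:1111111:0] Snort Alert [1:1111111:0] [**]
01/25/13-15:59:51.960445 10.7.0.39:3760 -> 192.168.254.97:3303
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
01/25/13-15:59:51.953843 192.168.254.97:3303 -> 10.7.0.39:3759
"""

# Signature id, then (after any Classification/Event ID lines) the packet header line.
ALERT_RE = re.compile(
    r"\[1:(\d+):\d+\] Snort Alert.*?\n"
    r"(\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)", re.S)
ESTABLISHED, DISCONNECT = "1111111", "2222222"  # SIDs from the question
SERVER_PORTS = range(3301, 3311)                 # masqueraded RDP ports from the question

def parse_alerts(text):
    """(time, sid, client_ip, server_ip, server_port) per alert, oldest first.
    The 33xx port marks the server end, so the connect (client -> server) and the
    disconnect (server -> client) alerts of one session share the same key."""
    events = []
    for sid, ts, a_ip, a_port, b_ip, b_port in ALERT_RE.findall(text):
        ts = datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f")
        a_port, b_port = int(a_port), int(b_port)
        if b_port in SERVER_PORTS:
            events.append((ts, sid, a_ip, b_ip, b_port))
        elif a_port in SERVER_PORTS:
            events.append((ts, sid, b_ip, a_ip, a_port))
    return sorted(events)  # the Splunk export is newest-first

def session_durations(text):
    """Pair each Established alert with the next Disconnect on the same key, as
    `transaction` does; returns ({key: [seconds, ...]}, [keys still open])."""
    open_at, durations = {}, {}
    for ts, sid, client, server, port in parse_alerts(text):
        key = (client, server, port)
        if sid == ESTABLISHED:
            open_at[key] = ts  # a reconnect replaces a stale open session
        elif sid == DISCONNECT and key in open_at:
            durations.setdefault(key, []).append((ts - open_at.pop(key)).total_seconds())
    return durations, list(open_at)
```

On the sample, the only complete pair is the 3303 session (Event 26 opened, Event 27 closed, 0.86 s), while the 3309 connection has no later disconnect and is listed as still open.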
192.168.254.14 and 192.168.254.97 = Servers(Host)
Number 3 - Second search string does not calculate time due to the above problem and also I am getting the source IP mixed up in the results. Depicted-Here
Sorry.. I'm not sure why it posted like that.. 😞
Almost! 🙂
--I need the src_port of the 1111111 to be calculated by the 2222222 dest_port, because the ephemeral port (randomized local port) is the unique value. Both Snort signatures contain a 33xx port depending on what direction the packets are going.
I'd like to get a Report based on the calculation that can be submitted (exported or copy/pasted) and possibly derive a report for top src_ip(s), which I think SplunkForSnort gives as a built-in search.
I hope this clarifies my need a lil bit 🙂
And sorry for the multiple replies...I am only allotted so many characters.
Of the two searches: ("based on criteria") --Somehow "join" the two search results to show ONLY the src_port and dest_port
-The answers to the two searches are the MOST "unique" way to derive the calculation I need.
"End Result" -- Yes
-Session times per connection between src_port and dest_port from a src_ip
FYI if someone is curious: *3301 - 3310 are the ports I have masqueraded to forward to 3389 of a certain workstation.
Response:
*So I do not have to specify the index or source I have specifically configured SplunkforSnort to look at one index.
Searches:
-This will only highlight the src_port(s)
-This will only highlight the dest_port(s)
Well points to you for diving in with Splunk AND Snort all in 1 go plus the comprehensive data provided! 😉
Just clarify please...2 searches, 2 fields (understood) of which you want only 1 of those - based on what criteria?
End result is that you wish to see session times per connection between source and destination?
ALSO! 🙂 Just FYI I am using "Splunk for Snort" with Maxmind and Sideview Utils.
And Splunk pulls the logs from a network drive; the central location for all Snorts to save their logs, instead of locally.
Also linked is a screen cap of what I see for fields.
And, the log I linked is an export from Splunk and not Snort. Splunk is displaying the Snort data inputs correctly from 2 Snort IDSs.