Solved: 2 searches, focus on 1 unique field of the two sea...

Xe03kfp · ‎02-06-2013

I have a log of a few hundreds SNORT alerts:
-All alerts have "the same" fields but in order to find my needle in the haystack, I have to
search for two fields; in the results of the search is my "unique" value.

Example:

<1 Search:
2222222 dest_port="*" --I want the STAR Value and its _time --AND possibly call the _raw results "Disconnect"

<2 Search:
1111111 src_port="*" --I want the STAR value and its _time --AND possbily call the _raw result "Connect"

Then using the searches of "Disconnect" focus on "dest_port" and "Connect" focus on "src_port"
-Subtract the _time(s) of dest_port and src_port which will equal the "Total Time"
-To give me the time difference based on dest_port and src_port

If I search:

2222222 dest_port="" OR 1111111 src_port="" --It will give me ONLY 2222222 and highlight src_Port AND dest_port of 2222222

I dont want that! 🙂 I want it to only highlight 2222222 dest_port and 1111111 src_port --I dont want the two searchest to cross over the "OR" I guess is what I'm trying to say... --How do I make two unique searches and be able to subtract the _time of, said above, to give me my goal?

Linked is the search of 2222222 dest_port="" OR 1111111 src_port="" --To show you what I mean. Disregard the double fields..not sure why they are doubled at the moment.

Click Here

sideview · ‎02-06-2013

I'm far from sure that I understand your question, but it seems like you're not using parentheses when you should be. What you had was

2222222 dest_port="*" OR 1111111 src_port="*"

but this will mean 2222222 AND (dest_port="" OR 1111111) AND src_port=""

I think what you want is:

( 2222222 dest_port="*") OR (1111111 src_port="*")

But I don't understand how exactly you want to stitch together the Connect and Disconnect events. Is the src_port value of one side equal to the dest_port value of the other side?

If so then you would use the eval command to make yourself a field that did have the same name from one side to the other, to make _time values as appropriate, and then stats to roll it all together.

I'm making a ton of assumptions, but this might not be totally off base:

( 2222222 dest_port="*") OR (1111111 src_port="*") | eval disconnect_time=if(match(_raw,"2222222"),_time,null()) | eval connect_time=if(match(_raw,"1111111"),_time,null()) | eval myPortField=if(isnotnull(disconnect_time),dest_port,myPortField) | eval myPortField=if(isnotnull(connect_time),src_port,myPortField) | stats min(connect_time) as connect max(disconnect_time) as disconnect by myPortField

View solution in original post

sideview · ‎02-06-2013

I'm far from sure that I understand your question, but it seems like you're not using parentheses when you should be. What you had was

2222222 dest_port="*" OR 1111111 src_port="*"

but this will mean 2222222 AND (dest_port="" OR 1111111) AND src_port=""

I think what you want is:

( 2222222 dest_port="*") OR (1111111 src_port="*")

But I don't understand how exactly you want to stitch together the Connect and Disconnect events. Is the src_port value of one side equal to the dest_port value of the other side?

If so then you would use the eval command to make yourself a field that did have the same name from one side to the other, to make _time values as appropriate, and then stats to roll it all together.

I'm making a ton of assumptions, but this might not be totally off base:

( 2222222 dest_port="*") OR (1111111 src_port="*") | eval disconnect_time=if(match(_raw,"2222222"),_time,null()) | eval connect_time=if(match(_raw,"1111111"),_time,null()) | eval myPortField=if(isnotnull(disconnect_time),dest_port,myPortField) | eval myPortField=if(isnotnull(connect_time),src_port,myPortField) | stats min(connect_time) as connect max(disconnect_time) as disconnect by myPortField

Xe03kfp · ‎02-07-2013

I posted an additional question if you have a few minutes?

-=HERE=-

Xe03kfp · ‎02-06-2013

Here is the search you wanted me to do:

" I think what you want is:

( 2222222 dest_port="") OR (1111111 src_port="")

"

HERE is the result of that search which gives me both src and dest port

If you notice both src_port and dest_port are highlighted. I tried every way I could to somehow combine the searches to be totally 2 seperate searches of the two fields but was unsuccessful.

Xe03kfp · ‎02-06-2013

Mind you I do have a false positive from snort that does not have the same ephemeral port and may have blank times --or is there a way to say "if none are the same then NOTshow ?

Xe03kfp · ‎02-06-2013

Is why I had to search for two fields but only interested in the src and dest port fields. I needed to create a search that will arrive at giving me the 2222222 and 1111111 ephemeral port and calculate the time _time of 2222222 - _time 1111111 = Total time

I'd like to have:
Summary--
SRC IP Total Time
SRC IP Total Time
-Of all unique SRC IP's
&
Total Time from ALL as a total calculation ( which will be based on the search time frame I select)

Xe03kfp · ‎02-06-2013

Sooo Close!!! WOW!!!! I would have never even got close!

Click Here to see

Your question:
"But I don't understand how exactly you want to stitch together the Connect and Disconnect events. Is the src_port value of one side equal to the dest_port value of the other side? "
- YES The Src_port value of one side is equal to dest_port value --Ephemeral Port

2 searches, focus on 1 unique field of the two searches to do a calculation of time

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!