Security

Mining firewall logs for "interesting" domains

camda03
New Member

I have a series of firewall logs and a few lists of “interesting” domains.

I would like to “mine” the logs to find any instances where traffic is going to the interesting domains.

As a further complication, some of the logs don’t have translated addresses (i.e. they’re in four octets), but all of the domain lists are translated (e.g. xyz.com).

Please let me know.

Tags (1)
0 Karma

ftk
Motivator

I would create a lookup table that relates each of your interesting domains with its IP address. Then do a search for your plaintext domain list, as well as any IPs that are in the interesting domain IP lookup table.

williamche
Path Finder

You can try the Geo Location Lookup Script plugin to get location based meta data for the IP addresses. Here's a similar one that uses Google Maps to map the locations.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...