Hi All,
We have a NetScreen ISG 2000 firewall in our network, and it has been integrated with Splunk and we are receiving logs as well. Recently I was told to get the following from the logs.
1. Source IP(Public IP)
2. Destination IP(NATTED IP)
3. Actual Destination IP (the real IP inside our network)
4. Policy ID
5. Port Number
I wrote the below SPL
index=netscreen sourcetype="netscreen:firewall" "src zone=ISP2-Untrust" AND "dst-xlated" AND policy_id AND dst_port AND "ip=192.168.." | stats count by src dst dst_port zone policy_id | sort 30 - count | rename src as SOURCE_OUTSIDE, dst as DESTINATION_INSIDE, dst_port as DESTINATION_PORT, zone as ZONE, policy_id as POLICY_ID, count as COUNT
I was able to get everything except for the real destination IP, which does show in the logs. Below is a log line forwarded from the firewall to Splunk.
Nov 21 07:56:35 10.0.9.12 RYDFWJISG2k-2: NetScreen device_id=RYDFWJISG2k-2 [Root]system-notification-00257(traffic): start_time="2016-11-21 07:55:28" duration=0 policy_id=371 service=https proto=6 src zone=ISP2-Untrust dst zone=DMZ2 action=Permit sent=0 rcvd=0 src=5.41.198.127 dst=87.101.204.3 src_port=1925 dst_port=443 src-xlated ip=5.41.198.127 port=1925 dst-xlated ip=192.168.4.201 port=443 session_id=968548 reason=Creation
I am looking for this IP which says dst-xlated ip=192.168.4.201.
So in the SPL I wrote, I searched by dst-xlated as given above, but I don't get the original IP, only the public IPs from our side and the client side. The statistical output is given below.
SOURCE_OUTSIDE DESTINATION_INSIDE DESTINATION_PORT ZONE POLICY_ID COUNT
87.101.155.38 87.101.204.1 443 ISP2-Untrust 374 9903
149.202.30.95 87.101.204.3 443 ISP2-Untrust 371 1953
How do I get the real IP which the client is trying to access at our end?
Awaiting a reply. Thank you in advance.
Regards
Pradeep
How are the fields extracted? My guess is the dst-xlated value is the second index in a mvfield called ip. Try this
index=netscreen sourcetype="netscreen:firewall" "src zone=ISP2-Untrust" AND "dst-xlated" AND policy_id AND dst_port | eval dst_ip=mvindex(ip, 1) | stats count by src dst_ip dst dst_port zone policy_id | sort 30 - count | rename src as SOURCE_OUTSIDE, dst as DESTINATION_INSIDE, dst_port as DESTINATION_PORT, zone as ZONE, policy_id as POLICY_ID,count as COUNT
*OR* if that does not return the correct value, you will have to regex the field value. Try this
index=netscreen sourcetype="netscreen:firewall" "src zone=ISP2-Untrust" AND "dst-xlated" AND policy_id AND dst_port | rex field=_raw "dst-xlated\sip=(?<dst_ip>[^\s]+)" | stats count by src dst_ip dst dst_port zone policy_id | sort 30 - count | rename src as SOURCE_OUTSIDE, dst as DESTINATION_INSIDE, dst_port as DESTINATION_PORT, zone as ZONE, policy_id as POLICY_ID,count as COUNT
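As an added example (not from the original thread), a small Python parser that reproduces why a generic key=value extraction turns `ip` (and `zone`) into a multivalued field, and then applies the same `dst-xlated\sip=` regex as the second SPL to build the per-policy NAT report. The sample lines are constructed to match the log format quoted in the question; IPs other than those on the page are made up.

```python
import re
from collections import Counter

# Constructed NetScreen traffic-log line in the format quoted in the question.
TEMPLATE = ('Nov 21 07:56:35 10.0.9.12 FW-1: NetScreen device_id=FW-1 '
            '[Root]system-notification-00257(traffic): start_time="2016-11-21 07:55:28" '
            'duration=0 policy_id={pid} service=https proto=6 src zone=ISP2-Untrust '
            'dst zone=DMZ2 action=Permit sent=0 rcvd=0 src={src} dst={dst} src_port=1925 '
            'dst_port={dport} src-xlated ip={src} port=1925 dst-xlated ip={xdst} '
            'port={dport} session_id=1 reason=Creation')

def make_line(src, dst, xdst, dport, pid):
    return TEMPLATE.format(src=src, dst=dst, xdst=xdst, dport=dport, pid=pid)

SAMPLE_LOGS = [
    make_line('5.41.198.127', '87.101.204.3', '192.168.4.201', 443, 371),
    make_line('5.41.198.127', '87.101.204.3', '192.168.4.201', 443, 371),
    make_line('149.202.30.95', '87.101.204.1', '192.168.4.11', 443, 374),
    # A line with no xlated fields at all (constructed): must be left out of the report.
    make_line('198.51.100.7', '87.101.204.5', '10.0.0.1', 80, 9).split(' src-xlated')[0],
]

KV_RE = re.compile(r'(\S+)=(\S+)')
# Same pattern the accepted answer uses in its rex command.
DST_XLATED_RE = re.compile(r'dst-xlated\sip=(?P<dst_ip>[^\s]+)')

def naive_kv(line):
    """Generic key=value extraction. 'src-xlated ip=' and 'dst-xlated ip=' both
    collapse into the key 'ip' (likewise 'src zone' / 'dst zone' into 'zone'),
    so those keys come back multivalued and position decides which value wins."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, []).append(value.strip('"'))
    return fields

def dst_xlated_ip(line):
    """Pull the post-NAT destination by anchoring on its label, not on 'ip='."""
    m = DST_XLATED_RE.search(line)
    return m.group('dst_ip') if m else None

def nat_report(lines):
    """Equivalent of: rex ... | stats count by src dst_ip dst dst_port zone policy_id"""
    counts = Counter()
    for line in lines:
        xdst = dst_xlated_ip(line)
        if xdst is None:
            continue  # no dst-xlated field on this line, nothing to report
        f = naive_kv(line)
        key = (f['src'][0], xdst, f['dst'][0], f['dst_port'][0], f['zone'][0], f['policy_id'][0])
        counts[key] += 1
    return counts.most_common()
```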
Hi Sundar,
Thank you very much for your reply. The first SPL did not work but the 2nd one did. Thank you for your help.
Regards
Pradeep