Re: What are some search tips for network traffic ...

debugger · ‎07-13-2022

Background story: We have some customers using a site to site VPN to reach our corporate networks. The customer has like 3-4 network prefixes in their environment. I want to check network traffic counters to see if the customer networks are sending/receiving any traffic to/from my corporate network. Please share some suggested searches. I'm looking for ANY type of network traffic.

For example:

customer network A 192.168.1.0/24

customer network B 192.168.2.0/24

debugger · ‎07-14-2022

I would like to scan for activity within the prefixes like 192.168.1.0/24 but I'm not sure if cidrmatch is appropriate or how the syntax would work.

ITWhisperer · ‎07-14-2022

What data have you ingested into Splunk?

debugger · ‎07-14-2022

Do you mean datasets? I believe that this is syslog data from routers and firewalls. Pardon my limited knowledge of splunk.

ITWhisperer · ‎07-14-2022

OK so what data in your data set do you have that will give you the information you require?

(The key to using Splunk is understanding your data. Splunk can then help you derive additional information / insights from the data.)

debugger · ‎07-14-2022

sourcetype=dns:logs

Does that help? Right now I'm just running a verbose search like this:

index=* 192.168.1.* or 192.168.2.* | stats county by src_ip, dest_ip service

There must be a better way to search for IP traffic.

What are some search tips for network traffic history analysis?

administration

using Splunk Enterprise

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team