I wanted a timechart to show portscanning of Juniper routers, but have run into a snag that I can't figure out. The syslog message from the router follows this format:
2018-06-25T17:19:51+00:00 PFE_FW_SYSLOG_IP: FW: D (tcp|udp) (1 packets)
I'm defining a portscan as any srcip that hits any router on 10 or more distinct ports within a 30sec window. Here's the Splunk query I'm using:
sourcetype=syslog PFE_FW_SYSLOG_IP AND " D " AND NOT (" 3784 " OR " 179 ") | rex field=_raw "(?<srcip>\d+\.\d+\.\d+\.\d+) (?<dstip>\d+\.\d+\.\d+\.\d+) (?<srcport>\d+) * (?<dstport>\d+)" | where dstport>=1 AND dstport<=30000 | bucket span=30s _time | eventstats dc(dstport) AS port_scan by srcip, dstip, _time | where port_scan >= 10 | timechart dc(dstport) by srcip useother=f usenull=f
The timechart works properly when I've selected 8 hours of data, but stops working beyond 10 hours of previous data. If I slide the time selection to specify the previous time range, then timechart shows that there are srcips that meet the criteria that were not previously shown.
Any clues on how to get this to work?
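The detection the query above describes, re-implemented outside Splunk as an added example (not code from the original post): parse PFE_FW_SYSLOG_IP lines, floor each to a 30 s window, and count distinct destination ports per (srcip, dstip, window). The field order after `D tcp` (srcip dstip srcport dstport) and the `ge-0/0/0.0` interface field are assumptions about the Juniper format, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

WINDOW = 30              # seconds, same as bucket span=30s in the post's query
THRESHOLD = 10           # distinct destination ports that make a window a "port scan"
EXCLUDED = {179, 3784}   # BGP and BFD, excluded by the query's NOT (" 3784 " OR " 179 ")

# Assumed field order: interface action proto srcip dstip srcport dstport (n packets)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) PFE_FW_SYSLOG_IP: FW: \S+ D (?:tcp|udp) "
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+) (?P<dstip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<srcport>\d+) (?P<dstport>\d+) \("
)

def bucket(ts):
    """Floor an ISO-8601 timestamp to the start of its WINDOW-second bin."""
    epoch = int(datetime.fromisoformat(ts).timestamp())
    return epoch - epoch % WINDOW

def find_scans(lines, threshold=THRESHOLD):
    """Return {(srcip, dstip, bucket_start): distinct_port_count} for windows
    where one source hit one router on >= threshold distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # not a denied tcp/udp firewall log, skip
        dport = int(m["dstport"])
        if dport in EXCLUDED or not 1 <= dport <= 30000:
            continue                 # same port filter as the query
        ports[(m["srcip"], m["dstip"], bucket(m["ts"]))].add(dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= threshold}

def constructed_lines():
    """Constructed sample log, not captured traffic. 192.0.2.10 probes 12 ports in
    12 s (a scan); 192.0.2.20 hits port 22 twelve times (not a scan)."""
    fmt = ("2018-06-25T17:19:{sec:02d}+00:00 PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0 D tcp "
           "{src} 198.51.100.1 40001 {dport} (1 packets)")
    lines = [fmt.format(sec=30 + i, src="192.0.2.10", dport=1000 + i) for i in range(12)]
    lines.append(fmt.format(sec=35, src="192.0.2.10", dport=179))   # BGP, filtered out
    lines += [fmt.format(sec=30 + i, src="192.0.2.20", dport=22) for i in range(12)]
    return lines

if __name__ == "__main__":
    for (src, dst, start), n in find_scans(constructed_lines()).items():
        print(f"{src} -> {dst}: {n} distinct ports in the 30 s window starting at {start}")
```

Like `bucket span=30s`, fixed windows split a burst that straddles a boundary, so a 12-port probe spread across 17:19:55 to 17:20:05 lands in two windows of about six ports each and is not flagged.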