topic Re: Is there a way to search for internal to external traffic? in Getting Data In

Is there a way to search for internal to external traffic?

bezotic — Tue, 18 Jul 2017 18:17:39 GMT

Is there a way to search for internal to external traffic?

The network I work on is pretty locked down and any internal ip attempting to connect to an external source or vice versa
would be considered suspicious. The SIEM we use is broken at the moment so a quick fix would be to look at internal to external
traffic through Splunk. I'm not an expert at Splunk and was wondering if something like this is possible. Maybe equate internal to source and external to destination? Basically any query that could get me internal to external traffic. How could I search for internal hosts going to an external source?

Re: Is there a way to search for internal to external traffic?

DalJeanis — Tue, 18 Jul 2017 21:09:33 GMT

Okay, I'm not at work so I can't pull the "obvious internal ips" straight off out of my head, but if you generate a list of internal IPs, then everything not on the list is external.

Create a lookup table, and for any event, pull the ips, do a lookup on each. If not found, then alert. (First just yourself, while developing, to find what you've forgotten. After you've got it reasonably clean, then you can alert more broadly.

Rinse, repeat.

Re: Is there a way to search for internal to external traffic?

DalJeanis — Tue, 18 Jul 2017 21:14:28 GMT

Oh, first cut, I'd want to ignore the proxy logs, assuming they are functioning as expected, and check everything else internal first. Because, you know, our proxy servers are intended to carry external traffic, so one end will (almost) always be outside.