topic Re: How do I find top 10 ports used by attackers? in Splunk Search

How do I find top 10 ports used by attackers?

jpsnlyle — Sat, 14 Dec 2019 23:54:47 GMT

I'm not using Regex. There are over 370,00 events, and the payload of the data reads like this:

payload: {"attackerPort": 4031, "victimPort": 8080, "victimIP": "172.31.14.66", "attackerIP": "222.486.21.184", "connectionType":
"initial"}

Re: How do I find top 10 ports used by attackers?

woodcock — Sun, 15 Dec 2019 06:52:01 GMT

Use KV_MODE = json for your sourcetype on your Search Head and you will get all of those fields extracted for free. Then depending on what you mean, start with this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo"

Then do either this:

| top 10 victimPort

Or this:

| top 10 attackerPort

Re: How do I find top 10 ports used by attackers?

to4kawa — Sun, 15 Dec 2019 09:51:27 GMT

| makeresults 
| eval _raw="{\"payload\": {\"attackerPort\": 4031, \"victimPort\": 8080, \"victimIP\": \"172.31.14.66\", \"attackerIP\": \"222.486.21.184\", \"connectionType\": \"initial\"}}"
| spath
| fields - _*
`comment("the logic is blow")` 
| rename payload.* as *
| table attackerPort victimPort victimIP attackerIP
| eventstats count as attackerPort_count by attackerPort
| eventstats count as victimPort_count by victimPort
| eventstats count as victimIP_count by victimIP
| eventstats count as attackerIP_count by attackerIP
| sort 10 - attackerPort_count

I think that top is certainly good.
However, it might be nice to have other information.

Re: How do I find top 10 ports used by attackers?

jpsnlyle — Sun, 15 Dec 2019 16:48:59 GMT

I run those 12 commands seperately, or as one? And do I need the source and sourcetype?

Re: How do I find top 10 ports used by attackers?

to4kawa — Sun, 15 Dec 2019 22:22:47 GMT

First of all, please copy and run all of them.
Erase once
Then add a comment below to your query and run it