topic Re: Splunk Query about Port Scanning attack attempts in Splunk Search

Splunk Query about Port Scanning attack attempts

zeeshantayyab — Thu, 28 Apr 2022 07:18:14 GMT

Hi Team,

Please help me out in this case.

I am searching the Port Scanning attack attempts by the following query.

index="firewall" | stats dc(destination_port) as pcount by source_ip | where pcount > 500

It Shows me the results in forms only like sorce_ip is 145.132.11.11 and p count 777.

But I want the results in the form of

Sorce_ip sorce_port destination_ip destnation_port pcount

So what will be the query in this regard? Waiting for your kind reply.

Re: Splunk Query about Port Scanning attack attempts

gcusello — Thu, 28 Apr 2022 07:23:54 GMT

Hi @zeeshantayyab,

I think that it isn't so readable, but you could a values option to your search, something like this:

index="firewall" | stats dc(destination_port) as pcount values(destination_port) AS destination_port by source_ip | where pcount > 500

probably the best approach is to have a main panel with your search and, with a click, a drilldown in another panel or another dashboard with the details of al destination port and other information.

Ciao.

Giuseppe

Re: Splunk Query about Port Scanning attack attempts

zeeshantayyab — Thu, 28 Apr 2022 07:37:27 GMT

hi @gcusello

Thanks for helping me. please guide me more on how we can add the destination IP as well in this query.

Re: Splunk Query about Port Scanning attack attempts

gcusello — Thu, 28 Apr 2022 09:57:59 GMT

Hi @zeeshantayyab,

you could add also the destination_ip to the search using values:

index="firewall" | stats dc(destination_port) as pcount values(destination_ip) AS destination_ip values(destination_port) AS destination_port by source_ip | where pcount > 500

but in this way you have a few readable dashboard, my hint is to create a simple main search

index="firewall" | stats dc(destination_port) as pcount by source_ip | where pcount > 500

then you can configure a drilldown in another panel of the same dashboard or in another dashboard where there's the details of your connections:

index="firewall" source_ip=$source_ip$ | stats values(destination_port) AS destination_port by destination_ip

if you need help in drilldown configuration you can see in the Splunk Dashboard Examples app (https://splunkbase.splunk.com/app/1603/) how to do this.

Ciao.

Giuseppe