topic How do I search for IP address hitting a host? in Splunk Search

How do I search for IP address hitting a host?

balu1211 — Thu, 17 Nov 2022 14:41:08 GMT

Re: How do I Search for IP address hitting a Host ?

gcusello — Wed, 16 Nov 2022 16:29:20 GMT

Hi @balu1211,

which Data Sources have you available (Firewall, VPN, network traffic, operative system, applications)?

Could you better describe your request?

Ciao.

Giuseppe

Re: How do I Search for IP address hitting a Host ?

balu1211 — Wed, 16 Nov 2022 16:50:10 GMT

@gcusello

My use case is like findings the public ip addresses hitting the WAF Host.

Re: How do I Search for IP address hitting a Host ?

gcusello — Wed, 16 Nov 2022 17:00:57 GMT

Hi @balu1211,

I don't know if someone else is able to help you, but without information I don't know how to do it!

Please, share more information.

Ciao.

Giuseppe

Re: How do I Search for IP address hitting a Host ?

balu1211 — Thu, 17 Nov 2022 02:29:08 GMT

@gcusello

I have a index waf in which i have to find out the number of unique clientip , policyname,action by host name and adding lookup table in search to exclude ips of lookup table.

Re: How do I Search for IP address hitting a Host ?

gcusello — Thu, 17 Nov 2022 06:58:21 GMT

Hi @balu1211,

ok, please try something like this (to adapt to your real fields):

index=waf NOT [ | inputlookup your_lookup | fields ip ] | stats dc(clientip) AS clientip_count values(clientip) AS clientip dc(policyname) AS policyname_count values(policyname) AS policyname dc(action) AS action_count values(action) AS action by host

if you don't want the list of values of clientip, policyname and action, remove the values options.

Ciao.

Giuseppe

Re: How do I Search for IP address hitting a Host ?

balu1211 — Wed, 14 Dec 2022 11:15:38 GMT

Re: How do I Search for IP address hitting a Host ?

balu1211 — Thu, 15 Dec 2022 13:32:40 GMT

Re: How do I Search for IP address hitting a Host ?

gcusello — Wed, 14 Dec 2022 07:07:48 GMT

Hi @balu1211 ,

your search isn't optimized: don't use search after search, put all the serche terme in the main search to have a moro efficient search:

then, use quotes when you have spaces or special chars in field names (e.g. "Policy Name"), but probably it was a copy error.

Other than efficiency, what's the problem of your search?

Ciao.

Giuseppe

Re: How do I Search for IP address hitting a Host ?

balu1211 — Thu, 15 Dec 2022 13:32:01 GMT

...

Re: How do I search for IP address hitting a host?

balu1211 — Wed, 14 Dec 2022 09:51:51 GMT

@gcusello
In the output i need a whois on that IP like WHOIS.net url

Re: How do I Search for IP address hitting a Host ?

balu1211 — Wed, 14 Dec 2022 17:13:10 GMT

@gcusello

Could you please look into this above scenario....

Re: How do I Search for IP address hitting a Host ?

gcusello — Wed, 14 Dec 2022 17:33:46 GMT

Hi @balu1211 ,

sorry but I don't understand: do you want to add ip_details that are in the ip_add.csv lookup?

if this is your need, you could add a lookup command after the stats command.

index=waf action_waf IN ("deny") NOT [ | inputlookup ip_add.csv | table IP | rename IP as "client_ip" | format ] | rename "attackData.clientIP" as "client_ip","attackData.policyId" as "Policy ID", "attackData.rules{}.message" as "message" | lookup policyname.csv "Policy ID" OUTPUT "Policy Name" | stats values(Policy Name) as "policy_name", values(waf_rules) as waf_rules,values(message) as message count by "client_ip","action_waf" | lookup ip_add.csv IP AS client_ip OUTPUTNEW client_ip_details | where count > 100 | fields + client_ip_details

Ciao.

Giuseppe