topic How to search cisco firewall Deny actions based on internal source IPs against multiple external IP subnets? in Splunk Search

How to search cisco firewall Deny actions based on internal source IPs against multiple external IP subnets?

artheb — Wed, 11 Feb 2015 06:03:16 GMT

Hi There,

This is my first post so wanted to say Hello!
I am trying to create an alert for possible Deny action on our firewall from 3 different internal IPs against multiple external IP subnets not single IPs.

I found this post http://answers.splunk.com/answers/57094/join-ip-with-a-subnet.html
and created ip_lookups.csv and transforms.conf

ip_lookups.csv has following format (ip ranges changed for demo purpose)
ip,location
200.100.32.0/19,target1 255.255.224.0
100.200.30.0/19,target2 255.255.224.0
50.60.80.0/20,target3 255.255.240.0

Could you advise on how to create a search rule to reflect the target subnets based on the ip_lookups.csv, please? Maybe there is a better way of doing it.
Thanks.

Re: How to search cisco firewall Deny actions based on internal source IPs against multiple external IP subnets?

thomrs — Wed, 11 Feb 2015 23:35:07 GMT

This works:

* | head 1 | eval ip = "192.168.0.11" | search ip=192.168.0.1/24

Re: How to search cisco firewall Deny actions based on internal source IPs against multiple external IP subnets?

artheb — Mon, 16 Feb 2015 11:54:08 GMT

I tried to put it in my full search but it does not seem to work.

sourcetype=syslog source=/opt/splunk/rsyslog/udp/cisco.log host=firewall1 Deny tcp src 
|head 1 |  eval ip=“10.10.10.101” | search ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/18 OR ip=XX.XX.XX.XX/17 OR ip=XX.XX.XX.XX/24 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/19]
| append [head 2 |  eval ip=“10.10.10.102” | search ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/18 OR ip=XX.XX.XX.XX/17 OR ip=XX.XX.XX.XX/24 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/19]
| append [head 3 |  eval ip=“10.10.10.103” | search ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/18 OR ip=XX.XX.XX.XX/17 OR ip=XX.XX.XX.XX/24 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/19]

Could you advise, please?

Re: How to search cisco firewall Deny actions based on internal source IPs against multiple external IP subnets?

artheb — Tue, 24 Feb 2015 10:30:25 GMT

Anyone could help on this?