topic Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period? in Splunk Search

How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

wingfieldj — Thu, 28 Jul 2016 19:50:04 GMT

Using syslog data, how do I find if 3 systems go to a common webpage in a 48 hour period?

I have 3 IP sources with OR between them in a search...

Do you pipe this to associate and find the destination IP addresses in common?

Rare values do not seem to work...

Jim W.

Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

somesoni2 — Thu, 28 Jul 2016 21:25:23 GMT

Please post some sample data, queries that you tried so far and expected output.

Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

JDukeSplunk — Fri, 29 Jul 2016 02:49:04 GMT

Sample data would be good.

I usually have to enclose my OR searches.

 (10.0.0.0 OR 10.0.0.1 OR 10.0.0.2)

Even better if your fields are extracted. Source and destination IP.

yourbasesearch | stats count(sourceip) as COUNT destinationip sourceip

Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

somesoni2 — Tue, 29 Sep 2020 10:25:19 GMT

Without knowing much about your data/queries, give this a try. This is assuming src_ip and dest_ip fields are extracted.
Update
Updating the field name per comment below

index=foo sourcetype=bar src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 
| bucket span=2d _time | stats dc(src_ip) as ips by _time dst_ip | where ips=3

Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

wingfieldj — Mon, 15 Aug 2016 13:55:30 GMT

thanks for your responses....
so new to complex searches...

Restating the scenario: Using the firewall logs, I am trying to find common website/destination IP that 3 known users have in common...due to bad guy activity on the src_IP, like malware

So I could set a custom filter for the block of time...to remove that complexity.

I tried the following - no results

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333  type=TRAFFIC | bucket span=2d _time  |  stats dc(src_ip) as ips by  dest_ip

The following had 12000 events no matches...But I know they all three had gone to the same dst_ip in the last 2 hours...

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333  type=TRAFFIC | bucket span=120m _time  |  stats dc(src_ip) as ips by  dest_ip

I tried the following custom time set - no results

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333  type=TRAFFIC |  stats dc(src_ip) as ips by  dest_ip

I tried the following custom time set - Error in Stats command

(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333)  type=TRAFFIC |  stats count(src_ip) as COUNT dst_ip src_ip

The following with custom time set results in 10085

(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333)  type=TRAFFIC| stats count(src_ip) as COUNT

Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

sundareshr — Tue, 29 Sep 2020 10:40:46 GMT

Try this to list all dest_ip visited by all three src_ip in the past 2 days

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC earliest=-2d@d | stats dc(src_ip) as src by dest_ip | where src=3 | table dest_ip

Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

somesoni2 — Tue, 29 Sep 2020 10:38:21 GMT

Can you check if the field dest_ip existing in your events and both src_ip and dest_ip appears in the same event? Your first two searches should've returned result if both fields exists.

Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

wingfieldj — Tue, 29 Sep 2020 10:41:03 GMT

yes src_ip and dst_ip are in the same event

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | top 10 dst_ip

results in 10 ip addresses...and clicking on the ip address will show the events for each of the addresses in the search and some additional addresses...so that is almost it ( not exclusive to the three listed ips)

Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

somesoni2 — Tue, 29 Sep 2020 10:38:32 GMT

There you go, the field name that you were trying is different in your logs (it's dst_ip instead of dest_ip).

This should work now

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | bucket span=2d _time | stats dc(src_ip) as ips by dst_ip