Hello,
We seem to be having an intermittent issue with our SRX3400 firewall where it sometimes issues duplicate IPs to devices. I'm trying to work out how we can go about setting up an alert as soon as such an event occurs. Ideally the alert should check for this condition every 1 hour. I have copied the actual event showing the duplicate IP address assignment. (This is a bug in the SRX and we're working on it separately.) Any help is appreciated.
Mar 5 10:37:57 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for XX.XX.XX.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be
Mar 5 10:35:43 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for XX.XX.XX.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be

Hi kgangulw,
Take this run-everywhere example to get an idea of how it can be done:
index=_internal | head 1 | eval foo="
Mar 5 10:37:57 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for 192.168.1.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be
Mar 5 10:35:43 F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for 192.168.1.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be
"
| rex max_match=0 field=foo "for\s(?<myIP>[\d\.]+).+?to\s(?<myMAC>[\d\w:]+)"
| bucket _time span=1h
| stats count(myIP) AS myCount by myMAC
| where myCount > 2
This will create some fields for IPs and MACs, count the IPs for each MAC within one hour, and show results only if the count is more than 2. Save the search and set up alerting; see the docs for more details: http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Aboutalerts
Also, you should set up the fields for IP and MAC if they do not exist; see the docs for more details: http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX
Hope this helps ...
cheers, MuS
Hi MuS
Thanks a lot for providing the sample. I'm running into a few issues with the above, but let me ask a few questions so I can see if this can be figured out.
In your sample, foo="xxxxxxxx" I'm assuming is the particular string I want to evaluate?
rex max_match=0 field=foo "for\s(?<myIP>[\d\.]+).+?to\s(?<myMAC>[\d\w:]+)" - This one I'm not sure what it does. Could you elaborate or tell me where I can find the info to see what this statement does?
Thank you.

Sorry if this was too confusing .... You can use the search string starting at line 5. Lines 1 - 4 were only to rebuild your provided events. So using this should work for you:
your base search here | rex max_match=0 field=_raw "for\s(?<myIP>[\d\.]+).+?to\s(?<myMAC>[\d\w:]+)"
| bucket _time span=1h
| stats count(myIP) AS myCount by myMAC
| where myCount > 2
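As an added illustration (not MuS's code), the same logic in Python run over a constructed set of KERN_ARP_ADDR_CHANGE lines: it applies the thread's regex, buckets by hour, counts events per MAC as the answer does, and also counts distinct MACs per IP, which is the more direct duplicate-IP signal. The year (syslog lines carry none) and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same capture pattern MuS used in the thread, applied to each raw syslog line.
ARP_RE = re.compile(r"for\s(?P<ip>[\d\.]+).+?to\s(?P<mac>[\d\w:]+)")
# BSD syslog prefix "Mar 5 10:37:57 HOST ..."; the line carries no year, so one is assumed.
TS_RE = re.compile(r"^(\w{3})\s+(\d+)\s+(\d{2}:\d{2}:\d{2})\s")
ASSUMED_YEAR = 2015

# Constructed sample modelled on the thread's events: 192.168.1.122 flaps between two MACs
# inside one hour; 192.168.1.200 changes once. (Addresses are not from a real network.)
PFX = "F3400 /kernel: KERN_ARP_ADDR_CHANGE: arp info overwritten for"
SAMPLE_LOG = "\n".join([
    f"Mar 5 10:35:43 {PFX} 192.168.1.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be",
    f"Mar 5 10:37:57 {PFX} 192.168.1.122 from 00:1a:a0:49:54:be to 00:05:0d:ef:5e:4c",
    f"Mar 5 10:52:10 {PFX} 192.168.1.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be",
    f"Mar 5 10:58:20 {PFX} 192.168.1.122 from 00:1a:a0:49:54:be to 00:05:0d:ef:5e:4c",
    f"Mar 5 10:59:01 {PFX} 192.168.1.122 from 00:05:0d:ef:5e:4c to 00:1a:a0:49:54:be",
    f"Mar 5 11:02:01 {PFX} 192.168.1.200 from 00:aa:bb:cc:dd:01 to 00:aa:bb:cc:dd:02",
])

def parse_events(text, year=ASSUMED_YEAR):
    """Return (hour_bucket, ip, new_mac) per ARP-overwrite line, like `rex` + `bucket span=1h`."""
    events = []
    for line in text.splitlines():
        ts, m = TS_RE.match(line), ARP_RE.search(line)
        if not (ts and m and "KERN_ARP_ADDR_CHANGE" in line):
            continue  # not an ARP overwrite event, or prefix not parseable
        when = datetime.strptime(f"{year} {' '.join(ts.groups())}", "%Y %b %d %H:%M:%S")
        events.append((when.replace(minute=0, second=0), m.group("ip"), m.group("mac")))
    return events

def count_per_mac(events, threshold=2):
    """The thread's condition: events per (hour, MAC), keeping those with count > threshold."""
    counts = defaultdict(int)
    for bucket, _ip, mac in events:
        counts[(bucket, mac)] += 1
    return {k: v for k, v in counts.items() if v > threshold}

def macs_per_ip(events):
    """Sharper duplicate-IP signal: distinct MACs the same IP was rewritten to within an hour."""
    seen = defaultdict(set)
    for bucket, ip, mac in events:
        seen[(bucket, ip)].add(mac)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(count_per_mac(ev), macs_per_ip(ev))
```

Note that in the SPL above the hour bucket only affects the count if `_time` is added to the `by` clause (`stats count(myIP) AS myCount by _time, myMAC`); the Python groups on both the hour and the MAC.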
Excellent! Thank you very much MuS :)
