
Cisco eStreamer for Splunk: How to build a search to find false positives when src_ip and dest_ip fall within a particular subnet or internal network?

pdixit
New Member

Hello Everyone,

I am in a situation here and I need to understand something. We are using the Cisco eStreamer for Splunk app to get results from IPS.

I have a task where I need to conclude false positives in this fashion.

If src_ip and dst_ip fall within a subnet (cannot disclose here) and/or are part of an internal network, then show it as a false positive. I am not able to understand how exactly I'll craft a search. Any help will be appreciated.

Thanks.

0 Karma
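An added example of the kind of search the question asks for (it is not from this thread, the app, or either poster). It assumes the eStreamer events carry the fields `src_ip` and `dest_ip` (the body uses `dst_ip`; confirm the real field name with `fieldsummary` before relying on it), and the index, sourcetype and the three RFC 1918 ranges are placeholders to replace with your own values:

```spl
index=estreamer sourcetype=cisco:estreamer:data
| eval src_internal  = if(cidrmatch("10.0.0.0/8", src_ip)  OR cidrmatch("172.16.0.0/12", src_ip)  OR cidrmatch("192.168.0.0/16", src_ip),  1, 0)
| eval dest_internal = if(cidrmatch("10.0.0.0/8", dest_ip) OR cidrmatch("172.16.0.0/12", dest_ip) OR cidrmatch("192.168.0.0/16", dest_ip), 1, 0)
| eval disposition = case(src_internal=1 AND dest_internal=1, "likely_false_positive",
                          src_internal=1 OR  dest_internal=1, "internal_to_external",
                          true(),                             "external_only")
| stats count BY disposition, src_ip, dest_ip
| where disposition="likely_false_positive"
| sort - count
```

`cidrmatch` is a standard SPL eval function, so both ends of the flow are tested against the same subnet list and the result is tagged rather than dropped; removing the final `where` keeps all three dispositions visible, which is a useful sanity check that the subnet list is right before anything is treated as noise. If the list of internal ranges is long or changes often, moving it into a search macro or a CIDR lookup (`match_type = CIDR(field)` in the lookup definition) keeps the search readable and lets the ranges be maintained in one place.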

douglashurd
Builder

Have you looked at the correlation engine to craft a special rule whereby you get a 'Correlation Event' when that occurs? This wouldn't eliminate the underlying false positive but it would create a separate event that you could reference. You could search for both and correlate them in Splunk.

You could also create custom Snort rules, but that would depend on exactly what your criteria are.

0 Karma

douglashurd
Builder

Unless you create a policy and at least one rule that is triggered, there won't be any events.

Doug

0 Karma

douglashurd
Builder

Sorry. Go to 'Policies' then Correlation.

0 Karma

douglashurd
Builder

From the top menu, right after login, go to Analysis, then Correlation, then Correlation Events. You need to create a Correlation Policy, at least one rule for that policy, and then apply the correlation policy to the monitoring device(s) that see the traffic you want to monitor. There is quite a bit to do here if you've never done it. You could call TAC and get help on this. They'll be able to get you through all the detail.

On Snort rules, I'm not sure it's the right way. You'd be creating a rule to tell you that a condition occurred, which is what's currently happening already with false positives.

You could create or edit a policy around the Src/Dst IPs and somehow exclude them from analysis. But again I'm completely sure if this is the right way to go.

0 Karma

pdixit
New Member

I see the correlation event summary; however, there are no results showing up there.

0 Karma

pdixit
New Member

Sorry Douglas,

This is a lot of downloading for me as I am a newbie in Splunk and still getting my hands on it.

A couple of questions:

How do I look at the correlation engine?
Also, can we create a custom Snort rule in Splunk? If yes, how?

Thanks and Regards.

0 Karma