All Apps and Add-ons

Cisco eStreamer for Splunk: How to build a search to find false positives when src_ip and dest_ip fall within a particular subnet or internal network?

New Member

Hello Everyone,

I am in a situation here and i need to understand something. We are using Cisco eStreamer for Splunk app to get results from IPS.

I have a task where I need to conclude false positives in this fashion.

If src_ip and dst_ip falls within a subnet (cannot disclose here) and/or is a part of an internal network then to show it as a False positive. I am not able to understand how exactly i'll craft a search. Any help will be appreciated.

Thanks.

0 Karma

Builder

Have you looked at the correlation engine to craft a special rule whereby you get a 'Correlation Event' when that occurs? This wouldn't eliminate the underlying false positive but it would create a separate event that you could reference. You could search for both and correlate them in Splunk.

You could also create custom snort rules but that would depend on exactly what your criteria is.

0 Karma

Builder

Unless you create a policy and at least on rule that is triggered there won't be any events.

Doug

0 Karma

Builder

Sorry. Go to 'Policies' then Correlation.

0 Karma

Builder

From the top menu, right after login, go to Analysis, then Correlation, then correlation events. You need to create a Correlation Policy, at least one rule for that policy and then apply the correlation policy to the device(s) monitoring that see the traffic you want to monitor. There is quite a bit to do here if you've never done it. You could call TAC and get help on this. They'll be able to get you through all the detail.

On Snort rules I'm not sure its the right way. You'd creating a rule to tell yo that a condition occurred which is what's currently happening already with false positives.

You could create edit policy around the Src/Dst IPs, somehow exclude them from analysis. But again I'm completely sure if this is the right way to go.

0 Karma

New Member

I see correlation event summary however, there are no results being shown up there.

0 Karma

New Member

Sorry Douglas,

This is a lot of downloading for me as i am a newbie in splunk and still getting my hands on.

Couple of questions :-

How do i look at the correlation engine.
Also, can we create a custom snort rule in splunk, if yes how?

Thanks and Regards.

0 Karma