All Apps and Add-ons

How I can use IP-reputation with snort alert logs?

hespinoza
New Member

hello:

How I can use IP-reputation with snort alert logs?

thanks

0 Karma

hespinoza
New Member

EXTRACT-clientip = (?\d+.\d+.\d+.\d+)(?::\d+)* -> \d+.\d+.\d+.\d+(?::\d+)\s$

0 Karma

Matthias_BY
Communicator

Hi,

you need to extract the source ip address into the "clientip" field. once done you can create lookups with

| lookup threatscore clientip | table clientip threatscore

you'll then have a table with all attacking ip's + the threat score enriched. In case you have a lot of logs - you might do this via summary reports to avoid that everytime you review your report it's loaded and the lookup is generating a lot of dns requests.

br
matthias

0 Karma

Ayn
Legend

Well how DO you want to use IP reputation with snort alert logs?

0 Karma
Get Updates on the Splunk Community!

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

[Coming Soon] Splunk Observability Cloud - Enhanced navigation with a modern look and ...

We are excited to introduce our enhanced UI that brings together AppDynamics and Splunk Observability. This is ...