All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How I can use IP-reputation with snort alert logs?

hespinoza
New Member
‎06-28-2013 10:56 AM

hello:

How I can use IP-reputation with snort alert logs?

thanks

0 Karma
Reply

hespinoza
New Member
‎07-19-2013 02:46 PM

EXTRACT-clientip = (?\d+.\d+.\d+.\d+)(?::\d+)* -> \d+.\d+.\d+.\d+(?::\d+)\s$

0 Karma
Reply

Matthias_BY
Communicator
‎07-10-2013 03:44 AM

Hi,

you need to extract the source ip address into the "clientip" field. once done you can create lookups with

| lookup threatscore clientip | table clientip threatscore

you'll then have a table with all attacking ip's + the threat score enriched. In case you have a lot of logs - you might do this via summary reports to avoid that everytime you review your report it's loaded and the lookup is generating a lot of dns requests.

br
matthias

0 Karma
Reply

Ayn
Legend
‎06-28-2013 11:33 AM

Well how DO you want to use IP reputation with snort alert logs?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...