How to correlate two sides of an HTTP session as presented by NetFlow?

jackhamm25
Explorer

My NetFlow generator captures both ends of an HTTP session and provides the metadata to Splunk via the Splunk Add-on for IPFIX. (Splunk_TA_ipfix). The issue I'm experiencing is that each side of the connection appears as a discrete event. For example (sanitized data ahead):

4/28/17
10:48:29.000 PM 
Sequence="408451"; Template="568"; destinationIPv4Address="10.20.30.40"; protocolIdentifier="6"; sourceTransportPort="80"; destinationTransportPort="58820"; tcpDestinationPort="58820"; tcpSourcePort="80"; udpDestinationPort="0"; udpSourcePort="0"; sourceIPv4Address="5.4.3.2"; HttpRspStatus="200"; HttpReqUrl="";

4/28/17
10:48:29.000 PM 
Sequence="408450"; Template="568"; destinationIPv4Address="5.4.3.2"; protocolIdentifier="6"; sourceTransportPort="58286"; destinationTransportPort="80"; tcpDestinationPort="80"; tcpSourcePort="58286"; udpDestinationPort="0"; udpSourcePort="0"; sourceIPv4Address="10.20.30.40"; HttpRspStatus="0"; HttpReqUrl="www.example.com";

My goal is to stitch together the full event so that I'm able to see both the HttpReqUrl and the HttpRspStatus as a single entry, e.g. HttpReqUrl=www.example.com HttpRspStatus=200. Note that for the HTTP request, the response is 0, and for the response, the request is null.

I've tried various evals and transactions, but I've gotten nowhere. Either I end up with too greedy a situation, or the events remain apart. I've checked and, unfortunately, the sequence number is not sufficient for stitching (it's not a TCP sequence number either, but rather a NetFlow sequence number; either way, it didn't help).

0 Karma
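Added example, not code from the poster or from Splunk_TA_ipfix: the stitching idea in Python, parsing the key="value" records shown above, building a direction-independent key from the protocol and the sorted (IP, port) endpoints so that the request and response halves collide on the same key, then merging the request's HttpReqUrl with the response's HttpRspStatus (the same key can be built in SPL with eval and grouped with stats). The sample records are constructed; note that the two records pasted in the question carry different client ports (58820 and 58286) and would therefore never pair on any 5-tuple key, so the sample here uses matching ports and adds an unpaired request to show how a missing half is surfaced.

```python
import re
from collections import defaultdict

# Constructed sample records in the key="value" layout the Splunk Add-on for
# IPFIX emits (sanitized addresses, not real traffic). Unlike the two records
# pasted in the question, the client port matches on both sides here.
SAMPLE_EVENTS = [
    'Sequence="408451"; Template="568"; destinationIPv4Address="10.20.30.40"; '
    'protocolIdentifier="6"; sourceTransportPort="80"; destinationTransportPort="58820"; '
    'sourceIPv4Address="5.4.3.2"; HttpRspStatus="200"; HttpReqUrl="";',
    'Sequence="408450"; Template="568"; destinationIPv4Address="5.4.3.2"; '
    'protocolIdentifier="6"; sourceTransportPort="58820"; destinationTransportPort="80"; '
    'sourceIPv4Address="10.20.30.40"; HttpRspStatus="0"; HttpReqUrl="www.example.com";',
    # A lone request whose response record never arrived (e.g. export loss).
    'Sequence="408452"; Template="568"; destinationIPv4Address="5.4.3.2"; '
    'protocolIdentifier="6"; sourceTransportPort="58821"; destinationTransportPort="80"; '
    'sourceIPv4Address="10.20.30.40"; HttpRspStatus="0"; HttpReqUrl="www.example.com/x";',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(raw):
    """Turn one 'name="value"; ...' record into a dict of strings."""
    return dict(FIELD_RE.findall(raw))

def flow_key(ev):
    """Direction-independent key: protocol plus the two endpoints sorted, so the
    request (client->server) and response (server->client) share one key."""
    a = (ev["sourceIPv4Address"], int(ev["sourceTransportPort"]))
    b = (ev["destinationIPv4Address"], int(ev["destinationTransportPort"]))
    return (ev["protocolIdentifier"],) + tuple(sorted((a, b)))

def stitch_sessions(raw_events):
    """Merge both directions of each flow into one record with the request URL and
    the response status. Unpaired halves keep None in the missing field so export
    gaps stay visible. Port reuse over long windows collides here; bucket by time too."""
    sessions = defaultdict(lambda: {"client": None, "server": None,
                                    "HttpReqUrl": None, "HttpRspStatus": None})
    for raw in raw_events:
        ev = parse_event(raw)
        s = sessions[flow_key(ev)]
        if ev.get("HttpReqUrl"):                 # request half: client is the source
            s["HttpReqUrl"] = ev["HttpReqUrl"]
            s["client"], s["server"] = ev["sourceIPv4Address"], ev["destinationIPv4Address"]
        if ev.get("HttpRspStatus", "0") != "0":  # response half: status is non-zero
            s["HttpRspStatus"] = int(ev["HttpRspStatus"])
            s["client"], s["server"] = ev["destinationIPv4Address"], ev["sourceIPv4Address"]
    return list(sessions.values())
```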

NetFlow_Logic
Contributor

We are a Splunk partner and we provide this functionality in one of our NetFlow Optimizer Logic Modules reporting Host Pairs network conversations. This Module stitches client-server request-response flows, reporting bytes and packets server-to-client and client-to-server in separate fields in one syslog message.

Try NetFlow Optimizer for free by visiting https://www.netflowlogic.com/download/

0 Karma