I've been reading this link here http://docs.splunk.com/Documentation/PCI/2.1.1/Install/Configureinterestingports and I need more information on how I can create a search using a network data model. I want to be able to create a search that uses this lookup table to show all the drops or blocks from certain IPs. I know that I can edit the lookup table that Splunk has to add what I need, but I need more information than this link provides. Any help would be great. Thanks.
If you're just adding the "interesting ports" you want to the lookup table, it should be as simple as opening the CSV and filling in the blanks. Putting the data into the correct comma-separated column will be important too.
The example doesn't show the CSV headers, but I assume these are them:
app,dest,dest_pci_domain,dest_port,transport,is_required,is_prohibited,is_secure,note
So that this line in the CSV:
mail,127.0.0.1,*,25,tcp,false,false,false, Any host can communicate with itself on TCP port 25 in all domains. Please don't bug me if it does.
would create these KvPs:
app = mail
dest = 127.0.0.1
dest_pci_domain = *
dest_port = 25
transport = tcp
is_required = false
is_prohibited = false
is_secure = false
note = Any host can communicate with itself on TCP port 25 in all domains. Please don't bug me if it does.
And this lookup table isn't going to give you any details about blocked/dropped packets. As the link says:
"Interesting Ports contains a list of TCP and UDP ports that are required, prohibited, or insecure in your deployment. The PCI DSS requires that network ports on servers in the PCI domain be tracked. Solutions administrators should set a policy defining the allowed and disallowed ports."
It doesn't contain a list of dropped/blocked connections to be used within a data model.
I appreciate the help on this. I know it doesn't have a list of the dropped ports in the header. I was hoping to find a way to use this lookup table in searching for blocked or dropped ones. How do I use the information from this table to do this?
Why wouldn't you just search
index=foo action=blocked OR action=dropped
or something similar? You should have an index with your firewall data, another with your IDS/IPS data, maybe another with switch data, and another for Cisco ASA or Palo Alto, etc. Those indexes will contain the events that have what you're looking for, not the lookup tables.
So give me an example of an event in whatever index has "dropped / blocked" events, and I'll write a search for you that you can use in a data model or wherever.
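To make the two points in the thread concrete (the lookup only describes ports, the block/drop events live in the firewall index, and the search joins the two), here is an added example that is not part of the original thread or of Splunk's PCI app. It emulates in plain Python what a `| lookup` on `dest_port` and `transport` would do over block/drop events, so the logic can be checked without a Splunk instance. The lookup name `interesting_ports`, the event field names (`action`, `src`, `dest`, `dest_port`, `transport`), the extra lookup rows and the sample firewall lines are all assumptions constructed for the example; the header row is the one inferred from the answer above.

```python
"""Join firewall block/drop events against an interesting_ports-style lookup.

Added example, not from the original thread or the Splunk PCI app. It mimics in
plain Python what `| lookup` does in SPL so the join logic is visible offline.
Lookup name, event field names and all sample data are assumptions/constructed.
"""
import csv
import io
import re

# Constructed lookup content. The header matches the field names inferred in
# the thread; the non-mail rows are made up for the example.
INTERESTING_PORTS_CSV = """\
app,dest,dest_pci_domain,dest_port,transport,is_required,is_prohibited,is_secure,note
mail,127.0.0.1,*,25,tcp,false,false,false,Any host can communicate with itself on TCP port 25 in all domains.
telnet,*,cardholder,23,tcp,false,true,false,Telnet is prohibited in the cardholder domain.
ssh,*,*,22,tcp,true,false,true,SSH is required and considered secure.
snmp,*,*,161,udp,false,true,false,SNMPv1/v2c is prohibited.
"""

# Constructed key=value firewall events (sample data, not real logs). Field
# names are assumed; real firewall sourcetypes may need field aliases.
SAMPLE_EVENTS = [
    "ts=2024-01-01T10:00:00Z action=blocked src=10.1.1.5 dest=10.2.2.7 dest_port=23 transport=tcp",
    "ts=2024-01-01T10:00:01Z action=allowed src=10.1.1.5 dest=10.2.2.7 dest_port=22 transport=tcp",
    "ts=2024-01-01T10:00:02Z action=dropped src=10.1.1.9 dest=10.2.2.8 dest_port=161 transport=udp",
    "ts=2024-01-01T10:00:03Z action=dropped src=10.1.1.9 dest=10.2.2.8 dest_port=4444 transport=tcp",
    "ts=2024-01-01T10:00:04Z action=blocked src=10.1.1.3 dest=127.0.0.1 dest_port=25 transport=tcp",
]

BLOCK_ACTIONS = {"blocked", "dropped", "deny", "denied"}
_KV = re.compile(r"(\w+)=(\S+)")


def load_lookup(csv_text):
    """Index lookup rows by (dest_port, transport), the two match fields the
    search below uses. The 'dest' column is kept as data only; this example
    does not implement Splunk's wildcard matching on it."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[(row["dest_port"], row["transport"].lower())] = row
    return table


def parse_event(line):
    """Extract key=value pairs from one event line."""
    return dict(_KV.findall(line))


def find_prohibited_blocks(events, lookup):
    """Return block/drop events whose dest_port/transport is is_prohibited=true
    in the lookup. Equivalent SPL (lookup name and field names assumed):
      index=firewall action=blocked OR action=dropped
      | lookup interesting_ports dest_port transport OUTPUT app is_prohibited
      | search is_prohibited=true
    """
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("action") not in BLOCK_ACTIONS:
            continue
        row = lookup.get((ev.get("dest_port"), ev.get("transport", "").lower()))
        if row is None:
            continue  # dropped, but not a port the PCI policy tracks
        ev["app"] = row["app"]
        ev["is_prohibited"] = row["is_prohibited"]
        if row["is_prohibited"].lower() == "true":
            hits.append(ev)
    return hits


def summarize(hits):
    """Count hits per (src, dest_port), like `| stats count by src, dest_port`."""
    counts = {}
    for ev in hits:
        key = (ev["src"], ev["dest_port"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    lk = load_lookup(INTERESTING_PORTS_CSV)
    for ev in find_prohibited_blocks(SAMPLE_EVENTS, lk):
        print(ev["ts"], ev["action"], ev["src"], "->", ev["dest"], ev["dest_port"], ev["app"])
```

The point the script makes is the one the answers make: the drop on port 4444 is real but is not in the lookup, so it is filtered out, and the block on port 25 matches the lookup but is not prohibited, so it is filtered out too. Only the blocks on ports flagged `is_prohibited=true` survive, which is what the PCI policy question actually asks for. In Splunk the same filtering happens with `lookup` followed by `search is_prohibited=true`; if you want drops on ports the lookup does not know about, skip the lookup and search the firewall index directly as suggested above.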