Tracking known malicious IP ranges

Explorer

We are blocking a list of different known malicious IP ranges on our Check Point firewalls. We do receive the syslog info from Check Point just fine. How can I search for all of the different ranges and put them into a dashboard?


Splunk Employee

You can also search for CIDR blocks in lookups. One approach would be to keep that list of known malicious IP ranges in a CSV lookup (it could also be a database you pull from with DBX).

Configure a CIDR-based lookup. In transforms.conf, you need to configure the CIDR field:

 # transforms.conf
 # badipranges.csv must have a header column named badiprange
 [badipranges]
 filename = badipranges.csv
 max_matches = 1
 min_matches = 1
 # value returned when an IP falls in none of the listed ranges
 default_match = OK
 # treat the badiprange column as CIDR notation instead of exact strings
 match_type = CIDR(badiprange)

Note that CIDR(badiprange) tells Splunk which field is in CIDR notation.

You can then run your lookups against this list.

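As an added illustration (not part of the original thread, and not Splunk's own code), the following Python script reproduces outside Splunk what the CIDR lookup above does: it loads a constructed badipranges.csv with a badiprange column, extracts the src and dst addresses from constructed Check Point-style key=value log lines (the field names src, dst, action and service are assumptions, adapt them to what your forwarder emits), matches each address against the ranges and tallies hits per range, which is the table a dashboard panel would chart. Where several ranges overlap, this example picks the most specific prefix; that tie-break is the example's own choice and says nothing about how Splunk itself resolves overlapping ranges.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed stand-in for badipranges.csv with the 'badiprange' header column
# the transforms.conf stanza expects. The prefixes are RFC 5737 documentation
# (TEST-NET) ranges, not real threat intelligence.
BADIPRANGES_CSV = """badiprange,description
192.0.2.0/24,testnet-1 block
198.51.100.0/24,testnet-2 block
203.0.113.0/25,testnet-3 lower half
203.0.113.0/24,testnet-3 whole block
"""

# Constructed log lines in a Check Point-like key=value shape (field names assumed).
SAMPLE_LOGS = [
    "action=drop src=192.0.2.44 dst=10.0.0.5 service=443",
    "action=drop src=192.0.2.100 dst=10.0.0.5 service=443",
    "action=drop src=203.0.113.9 dst=10.0.0.7 service=22",
    "action=drop src=203.0.113.200 dst=10.0.0.7 service=22",
    "action=accept src=10.0.0.12 dst=198.51.100.77 service=80",
    "action=accept src=10.0.0.12 dst=10.0.0.1 service=53",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_ranges(csv_text):
    """Parse the lookup CSV into (network, row) pairs, skipping malformed rows."""
    ranges = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["badiprange"].strip(), strict=False)
        except ValueError:
            continue  # a bad row should not break the whole lookup
        ranges.append((net, row))
    return ranges


def cidr_lookup(ip, ranges, default_match="OK"):
    """Return the matching range as a string, or default_match when none matches.

    Mirrors max_matches=1 / default_match from the stanza. Among overlapping
    ranges the most specific (longest) prefix wins; that rule is this
    example's choice.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return default_match  # unparseable field value, e.g. a hostname
    hits = [net for net, _ in ranges
            if net.version == addr.version and addr in net]
    if not hits:
        return default_match
    return str(max(hits, key=lambda n: n.prefixlen))


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def summarize(lines, ranges, fields=("src", "dst"), default_match="OK"):
    """Count events per matched bad range: the data behind a dashboard panel."""
    counts = Counter()
    for line in lines:
        event = parse_event(line)
        for field in fields:
            if field not in event:
                continue
            matched = cidr_lookup(event[field], ranges, default_match)
            if matched != default_match:
                counts[matched] += 1
    return counts


if __name__ == "__main__":
    rngs = load_ranges(BADIPRANGES_CSV)
    for rng, count in summarize(SAMPLE_LOGS, rngs).most_common():
        print(f"{rng}\t{count}")
```

Run as-is it prints one line per range with the hit count, the same shape a `stats count by badiprange` result would have in Splunk once the lookup is applied to the src and dst fields.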

SplunkTrust

Is the block list known to Splunk, either in a CSV file or SQL database?


Explorer

It is not in a CSV. I could find those ranges in a CSV.