
Combine multiple fields from IDS and Proxy into one single row

Akapowa

Dear Community,


I have the following situation:

Outbound= Client -> Proxy -> IDS -> Internet

Inbound (Return Traffic) = Internet -> IDS -> Proxy -> Client


I'm getting logs from both the Proxy and the IDS.


In essence, I would like to be able to correlate information from the Proxy and the IDS so I have correct IP information about the connection (Since the proxy changes the IP header, I lose visibility on the IDS and get a lot of false positives)


For Outbound, I would like to get the source IP from the Proxy and the destination from the IDS (Outbound = SrcPROXY - DstIDS) into one single row.


For Inbound, I would need to get the source from the IDS and the destination from the Proxy (Inbound = SrcIDS – DstPROXY) into one single row.


Ideally, I would like to create a transaction that displays the flow (outbound-inbound) into one single row for better visibility and incident response.

https://ibb.co/fM6V5D2

Example of logs:

IDS log example

Nov 17 07:11:30 10.x.x.x 2020-11-17T12:11:56Z 01 %IDS-6-******, SrcIP: 192.168.10.10, DstIP: 208.x.x.x, SrcPort: 23116, DstPort: 443, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside,  Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 0, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2721, ResponderBytes: 4693, URL: https://**

  • Destination_IDS = DstIP: 208.x.x.x
  • host = 10.10.10.10
  • source = splunk-ids
  • sourcetype = ids_Syslog

Proxy log example

Nov 17 08:16:01 10.x.x.x Nov 17 13:16:29 proxy_hostname Splunk_S: Info: 1605618979.572 170133 CLIENT_IP_ADDRESS TCP_MISS/200 7462 CONNECT tunnel://safebrowsing.googleapis.com:443/ "(Unauthenticated)CLIENT_IP_ADDRESS" DIRECT/safebrowsing.googleapis.com - OTHER-NONE-PassiveAuth_or_NTLM-NONE-NONE-NONE-DefaultGroup-NONE

  • Source_proxy = "(Unauthenticated)10.x.x.x"
  • host = 10.x.x.x
  • source = splunk-proxy
  • sourcetype = tools:proxy:squid

I would highly appreciate any guidance, help, suggestion, comment.

Thanks!

Aka


Richfez

Let's get started by me asking this question.  If you were to do this by hand, using those two records above, how would you do that? 

If CLIENT_IP_ADDRESS is actually that word, I don't see how they even connect.  You can't do it by hand, and Splunk can't really do it either - there's no magic involved.

If CLIENT_IP_ADDRESS is a stand in, and actually IS 192.168.10.10, then we have a chance.

You'll probably need a better regex than this (regex101 is your friend!) because I'm making it up anchoring on something in the middle that might or might not be a good anchor, and I'm too lazy to build a regex from the beginning because I'm not actually sure that's a 100% accurate sample event.  But here it is.

(search that returns the first set of events) OR (search that returns the second set of events)
| rex "Info: \d+\.\d+\s+\d+\s+(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| eval client_ip = SrcIP
| stats list(DstIP) as Destination_IP_addresses BY client_ip

There's two searches in the first line, connected together with an OR - you have to pile all the data into one place, then let Splunk sift through it and connect things together as required.

The second line uses a regular expression to pull a new field called "client_ip" from what *might* be the IP address in there.  This will need fiddling with possibly, as mentioned above.

The third relies on the fact that there is no "client_ip" in existence in any event with a field named SrcIP (an assumption, but seems legit given what I can see?), so you just create a new client_ip from SrcIP. 

Between line 2 and line 3, we've now let both "sides" have a client_ip that matches each other, so we can group on them in a variety of ways.

Line 4 uses stats, which probably should be called "group" in this case because really that's what we're doing, to list all the DstIP addresses by client_ip.

For that last line, you can use values(), list(), or any other stats calculation, on any number of fields all at once.  Like "values(DstIP), sum(InitiatorBytes), list(Protocol)..."

Look up "splunk stats site:docs.splunk.com" and it should totally give you all sorts of good advice.

The same mechanisms can be used to include other fields in the output, or to join things up in slightly different ways.  Hopefully this gets you your answer, but even if not I hope it does get you started on fine tuning your question for us; we're happy to take another pass at it!

Happy Splunking,

Rich

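Added example, not from this thread and not Splunk code: the same grouping the answer builds in SPL (extract the client IP from each side, then group by it), written as a small Python script so the field logic can be run against sample lines offline. The two feeds are constructed copies of the event formats above with the CLIENT_IP_ADDRESS placeholder filled in with the IDS SrcIP, which is the assumption the answer relies on; the IPs and hostnames are made up. It also handles the case the answer flags: a client that appears on only one side is reported separately instead of being silently merged into a row that looks complete.

```python
import re
from collections import OrderedDict

# Constructed sample events in the two formats shown in the question. The
# proxy placeholder CLIENT_IP_ADDRESS is filled in with the IDS SrcIP (the
# answer's assumption). Addresses and hostnames are made up; the IDS source
# 192.168.10.11 has a proxy record but no IDS record on purpose.
IDS_EVENTS = [
    "Nov 17 07:11:30 10.0.0.1 2020-11-17T12:11:56Z 01 %IDS-6-EXAMPLE, "
    "SrcIP: 192.168.10.10, DstIP: 203.0.113.10, SrcPort: 23116, DstPort: 443, "
    "Protocol: tcp, IngressInterface: inside, EgressInterface: outside, "
    "Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 0, "
    "InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2721, "
    "ResponderBytes: 4693, URL: https://example.invalid/",
    "Nov 17 07:12:02 10.0.0.1 2020-11-17T12:12:28Z 01 %IDS-6-EXAMPLE, "
    "SrcIP: 192.168.10.10, DstIP: 203.0.113.20, SrcPort: 23120, DstPort: 443, "
    "Protocol: tcp, InitiatorBytes: 900, ResponderBytes: 1200, URL: https://example.invalid/",
]
PROXY_EVENTS = [
    "Nov 17 08:16:01 10.0.0.2 Nov 17 13:16:29 proxy_hostname Splunk_S: Info: "
    "1605618979.572 170133 192.168.10.10 TCP_MISS/200 7462 CONNECT "
    "tunnel://safebrowsing.googleapis.com:443/ \"(Unauthenticated)192.168.10.10\" "
    "DIRECT/safebrowsing.googleapis.com - OTHER-NONE-PassiveAuth_or_NTLM-NONE-NONE-NONE-DefaultGroup-NONE",
    "Nov 17 08:16:05 10.0.0.2 Nov 17 13:16:33 proxy_hostname Splunk_S: Info: "
    "1605618983.101 250 192.168.10.11 TCP_MISS/200 5120 CONNECT "
    "tunnel://updates.example.invalid:443/ \"(Unauthenticated)192.168.10.11\" "
    "DIRECT/updates.example.invalid - OTHER-NONE-PassiveAuth_or_NTLM-NONE-NONE-NONE-DefaultGroup-NONE",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "Key: value" pairs as they appear in the IDS line (a value runs to the next comma).
IDS_KV_RE = re.compile(r"(\w+): ([^,]*)")
# Same anchor as the answer's rex, in Python named-group syntax, followed by
# the request fields that come after it in the squid-style access line.
PROXY_RE = re.compile(
    r"Info: (?P<epoch>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client_ip>" + IPV4 + r")"
    r"\s+(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
NETLOC_RE = re.compile(r"^\w+://([^/]+)")


def parse_ids(event):
    """Return the IDS key/value fields (SrcIP, DstIP, InitiatorBytes, ...)."""
    fields = dict(IDS_KV_RE.findall(event))
    fields["_source"] = "ids"
    return fields


def parse_proxy(event):
    """Return the proxy request fields, or None if the line has another layout."""
    m = PROXY_RE.search(event)
    if not m:
        return None
    fields = m.groupdict()
    host = NETLOC_RE.match(fields["url"])
    fields["dest_host"] = host.group(1) if host else fields["url"]
    fields["_source"] = "proxy"
    return fields


def client_ip_of(fields):
    """Prefer the IDS SrcIP when the event has one, else the proxy-extracted value."""
    return fields.get("SrcIP") or fields.get("client_ip")


def correlate(ids_events, proxy_events):
    """Group both feeds by client_ip, as `stats ... BY client_ip` does.

    Returns an ordered mapping client_ip -> row. Destination_IP_addresses keeps
    order and duplicates (like list()); counts per source show which side of
    the flow each row actually came from.
    """
    rows = OrderedDict()
    parsed = [parse_ids(e) for e in ids_events] + [parse_proxy(e) for e in proxy_events]
    for f in parsed:
        if f is None:
            continue  # proxy line that did not match the expected layout
        ip = client_ip_of(f)
        if ip is None:
            continue  # nothing to group on
        row = rows.setdefault(ip, {
            "client_ip": ip,
            "Destination_IP_addresses": [],
            "proxy_destinations": [],
            "initiator_bytes": 0,
            "ids_events": 0,
            "proxy_events": 0,
        })
        if f["_source"] == "ids":
            row["ids_events"] += 1
            if "DstIP" in f:
                row["Destination_IP_addresses"].append(f["DstIP"])
            row["initiator_bytes"] += int(f.get("InitiatorBytes", 0))
        else:
            row["proxy_events"] += 1
            row["proxy_destinations"].append(f["dest_host"])
    return rows


def unmatched(rows):
    """Client IPs seen on only one side: rows to check before trusting them."""
    return [ip for ip, r in rows.items() if r["ids_events"] == 0 or r["proxy_events"] == 0]


if __name__ == "__main__":
    result = correlate(IDS_EVENTS, PROXY_EVENTS)
    for row in result.values():
        print(row)
    print("one-sided:", unmatched(result))
```

Run directly, it prints one row per client_ip plus the list of clients that only one feed saw. The client IP is taken from SrcIP when the event carries one and from the proxy regex otherwise, which is what `coalesce(client_ip, SrcIP)` expresses in SPL; the per-source counters are the cheap check that a "combined" row really has both halves, since a proxy-only row means the IDS never logged that flow and an IDS-only row means the proxy client field was not a usable address.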