I would like to create a search that would identify hosts that have triggered a snort alert, e.g.
stream5: TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2]:
who also have a connection in the NAT table, captured through netstat. Would this be two separate searches?
Technically two searches, with one as a subsearch:
primary search [subsearch]
subsearch = host that has triggered a snort alert (the hostname is returned for use in the primary search)
primary search = search for connection in the NAT table for host returned by subsearch
Here is another good example and shows how to return just the hostname or host IP to your outer search:
Actually, you don't need to assign anything in the subsearch to a field to use it. The outer search will replace the bracketed portion with the results of the subsearch. Take a look at this for some examples: http://docs.splunk.com/Documentation/Splunk/5.0.2/Tutorial/Useasubsearch
So this is the search I put in:
sourcetype="pftop" threat_IP [search sourcetype="snort" signature | eval threat_IP=if(src_ip=="myaddress",dest_ip,src_ip)]
but I get nil returns.