Deployment Architecture

Verify snort alert with netstat results

danlynch
New Member

I would like to create a search that would identify hosts that have triggered a snort alert, e.g.

stream5: TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2]: 

who also have a connection in the NAT table, captured through netstat. Would this be two separate searches?

Thanks

0 Karma

sbrant_splunk
Splunk Employee

Technically two searches, with one as a subsearch:

primary search [subsearch]

subsearch = host that has triggered a snort alert (the hostname is returned for use in the primary search)
primary search = search for connection in the NAT table for host returned by subsearch

0 Karma

sbrant_splunk
Splunk Employee

Here is another good example and shows how to return just the hostname or host IP to your outer search:

http://splunk-base.splunk.com/answers/1212/can-a-subsearch-return-only-the-value-without-the-fieldna...

0 Karma

sbrant_splunk
Splunk Employee

Actually, you don't need to assign anything in the subsearch to a field to use it. The outer search will replace the bracketed portion with the results of the subsearch. Take a look at this for some examples: http://docs.splunk.com/Documentation/Splunk/5.0.2/Tutorial/Useasubsearch

0 Karma

danlynch
New Member

So this is the search I put in:

sourcetype="pftop" threat_IP [search sourcetype="snort" signature | eval threat_IP=if(src_ip=="myaddress",dest_ip,src_ip)]

but I get nil returns.

0 Karma
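The two-step correlation the thread describes, as an added Python example that is not part of the original thread: the inner step derives the remote "threat IP" from each snort alert with the same if(src_ip==myaddress, dest_ip, src_ip) logic as the eval above, and the outer step keeps only the netstat NAT entries whose foreign address is one of those IPs. The alert lines, the netstat lines, the local address 10.0.0.5 and the column layout are constructed assumptions, not data from the thread.

```python
import re

# Constructed sample input (not from the thread): the local host address
# that plays the role of "myaddress" in the eval.
MY_ADDRESS = "10.0.0.5"

# Constructed snort fast-alert lines; the trailing "src:port -> dst:port"
# pair is what the inner step parses.
SNORT_ALERTS = [
    "[**] [129:2:1] stream5: TCP session without 3-way handshake [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "203.0.113.9:4444 -> 10.0.0.5:22",
    "[**] [129:2:1] stream5: TCP session without 3-way handshake [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "10.0.0.5:51000 -> 198.51.100.7:80",
]

# Constructed netstat-style output, header included, so the parser has to
# skip the non-connection line.
NAT_TABLE = [
    "Proto Local Address    Foreign Address    State",
    "tcp   10.0.0.5:22      203.0.113.9:4444   ESTABLISHED",
    "tcp   10.0.0.5:40000   192.0.2.10:443     ESTABLISHED",
    "tcp   10.0.0.5:51000   198.51.100.7:80    TIME_WAIT",
]

ALERT_RE = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+")
NAT_RE = re.compile(r"^\S+\s+(?P<local>\S+):\d+\s+(?P<foreign>[\d.]+):\d+\s+(?P<state>\S+)")


def threat_ips(alerts, my_address):
    """Inner step (the subsearch): threat_IP = if(src_ip==myaddress, dest_ip, src_ip)."""
    found = set()
    for line in alerts:
        m = ALERT_RE.search(line)
        if not m:
            continue  # line carries no address pair; nothing to correlate
        src, dst = m.group("src"), m.group("dst")
        found.add(dst if src == my_address else src)
    return found


def correlate(alerts, nat_lines, my_address):
    """Outer step: NAT entries whose foreign address was flagged by snort."""
    threats = threat_ips(alerts, my_address)
    hits = []
    for line in nat_lines:
        m = NAT_RE.match(line)
        if m and m.group("foreign") in threats:
            hits.append((m.group("foreign"), m.group("state")))
    return hits
```

Note that a netstat snapshot only shows connections alive at capture time, so an alert whose session has already closed will not match unless the capture is taken close to the alert.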