Splunk Dev

Search to display port scan attempts

bend_bi
Engager

I'm having a hard time developing the query to display this, but in short, I want to write a query that will display all ports that an attacking IP has scanned on a victim IP. In short, my data structure looks like this:

src_ip                          dest_ip         dest_port
1.1.1.1 attempted to connect to 2.2.2.2 on port 3389
1.1.1.1 attempted to connect to 2.2.2.2 on port 3306
1.1.1.1 attempted to connect to 2.2.2.2 on port 22
1.1.1.1 attempted to connect to 3.3.3.3 on port 22
1.1.1.1 attempted to connect to 4.4.4.4 on port 3389
1.2.1.1 attempted to connect to 2.2.2.2 on port 22

Where src_ip, dest_ip, and dest_port are already indexed fields from my firewall logs. I'm wanting to create a query that has output that looks like this:

1.1.1.1    2.2.2.2    22
                      3389
                      3306
1.1.1.1    3.3.3.3    22
1.1.1.1    4.4.4.4    3389
1.2.1.1    2.2.2.2    22

I think a stats values() is involved, but from what I've played around with, I can't get the output to display in the format that I need.


DalJeanis
SplunkTrust
SplunkTrust

try this

Your query that pulls the attempts
| stats list(dest_port) as dest_port by src_ip dest_ip

or

| stats values(dest_port) as dest_port by src_ip dest_ip

values() will sort and dedup, list() will give them in the order they appear in the data (most recent first).
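Added example, not part of DalJeanis's answer or of the original thread: the same `stats ... by src_ip dest_ip` grouping extended into something closer to what a SOC would actually schedule. It assumes the firewall events live in `index=firewall` (placeholder sourcetype), that `src_ip`, `dest_ip` and `dest_port` are extracted as in the question, and it picks a threshold of 3 distinct ports per source/destination pair as an arbitrary starting point for "looks like a scan".

```spl
index=firewall sourcetype=<your_firewall_sourcetype> src_ip=* dest_ip=* dest_port=*
| stats values(dest_port) AS scanned_ports dc(dest_port) AS port_count count AS attempts min(_time) AS first_seen max(_time) AS last_seen BY src_ip dest_ip
| where port_count >= 3
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - port_count
```

`values()` still produces the one-row-per-pair, multi-value port column the question asked for; `dc(dest_port)` adds the distinct-port count that the `where` clause filters on, and `first_seen`/`last_seen` give the time window of the activity. Two caveats: `values()` orders its results lexicographically as strings, so `22, 3306, 3389` happens to look numeric but `80, 443, 8080` would come out as `443, 80, 8080`; and the threshold of 3 should be tuned against your own baseline, since legitimate hosts (vulnerability scanners, monitoring systems) will trip any low value and belong on an allow list rather than in the alert.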

zeeshantayyab
Loves-to-Learn

Hi,

Why is this query not working in my environment?


bend_bi
Engager

Works perfectly, thanks!
