Getting Data In

Detecting Port Knocking

drico618
New Member

I'm looking for specific conditions where 2 or more ports (as seen by firewall) have allowed events (action=allowed) and then a third port, typically with a service such as port 22 is the final request. This far, I am working with:

index=firewall_index
| bin _time span=5m
| stats count, values(dest_zone) as dest_zone, values(dest_port) as dest_port,
values(user) as User by _time src_zone src_ip dest_ip
| where (src_zone != dest_zone)
| bin _time as Day span=1d
| eventstats values(dest_port) as all_dest_ports by Day src_ip dest_ip
| where (mvcount(dest_port) >= 5) OR (mvcount(all_dest_ports) >= 25)

which was borrowed for a port scan search.

0 Karma

whrg
Motivator

@drico618 "such as port 22" as in only port 22 or any port?

0 Karma
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...