Getting Data In

Firewall Services Search

gharpe2
Explorer

Need a search to list the top 25 non-http and non-https services people are connecting to through my ASA. Does anyone have a search for that? I would like to list the port, protocol and number of times connections were made.

Thanks,
glh

Tags (3)
0 Karma

kristian_kolb
Ultra Champion

Hi, while I do not completely understand your post, I can give the following example of a search , assuming that you have the following fields extracted (either manually or automatically)

destination port :dst_port;
protocol: proto

<your_source/sourcetype> dst_port!="80" dst_port!="443" | stats count by dst_port proto | sort - count | head 25 

hope this helps,

Kristian

0 Karma

gharpe2
Explorer

Sample Events:

9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106001: Inbound TCP connection denied from 10.223.7.21/2999 to 109.13.183.81/445 flags SYN on interface inside

host=10.10.0.253   Options|  
sourcetype=syslog   Options|  
source=udp:514   Options

2 11/28/11
9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106006: Deny inbound UDP from 62.192.232.25/54657 to 63.78.74.228/35731 on interface outside

host=10.10.0.253   Options|  
sourcetype=syslog   Options|  
source=udp:514   Options

3 11/28/11
9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106001: Inbound TCP connection denied from 10.222.7.13/3954 to 109.21.83.57/445 flags SYN on interface inside

host=10.10.0.253   Options|  
sourcetype=syslog   Options|  
source=udp:514   Options
0 Karma

kristian_kolb
Ultra Champion

Hi,

Please provide a few samples events from your log.

And also, please delete your duplicate forum post "Firewall Traffic".

/kristian

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...