Firewall Services Search

gharpe2
Explorer

Need a search to list the top 25 non-http and non-https services people are connecting to through my ASA. Does anyone have a search for that? I would like to list the port, protocol and number of times connections were made.

Thanks,
glh


kristian_kolb
Ultra Champion

Hi, while I do not completely understand your post, I can give the following example of a search, assuming that you have the following fields extracted (either manually or automatically):

destination port: dst_port
protocol: proto

<your_source/sourcetype> dst_port!="80" dst_port!="443" | stats count by dst_port proto | sort - count | head 25 

hope this helps,

Kristian


gharpe2
Explorer

Sample Events:

1 11/28/11 9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106001: Inbound TCP connection denied from 10.223.7.21/2999 to 109.13.183.81/445 flags SYN on interface inside

host=10.10.0.253 sourcetype=syslog source=udp:514

2 11/28/11 9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106006: Deny inbound UDP from 62.192.232.25/54657 to 63.78.74.228/35731 on interface outside

host=10.10.0.253 sourcetype=syslog source=udp:514

3 11/28/11 9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106001: Inbound TCP connection denied from 10.222.7.13/3954 to 109.21.83.57/445 flags SYN on interface inside

host=10.10.0.253 sourcetype=syslog source=udp:514

kristian_kolb
Ultra Champion

Hi,

Please provide a few sample events from your log.

And also, please delete your duplicate forum post "Firewall Traffic".

/kristian
