Getting Data In

Snort log time calculation for RDP connect / disconnect - Parsing

Xe03kfp
Path Finder

I am looking for a way to do two searches on two fields and, of the two searches, only take 1 of the fields to do a calculation. The calculation will be the total time of a RDP connection to a workstation. I have Snort set up to give me an alert for a connection and disconnection and Splunk displaying the results in the correct format "alert_fast_full".

Sample of the log: Full log located HERE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:1111111:0] Snort Alert [1:1111111:0] [**]
[Classification: RDC Connection Established] [Priority: 10]
Event ID: 30 Event Reference: 30
01/25/13-16:00:04.843359 10.7.0.39:3763 -> 192.168.254.97:3309
TCP TTL:127 TOS:0x0 ID:6857 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0xE84B548E Ack: 0xC5D81F3E Win: 0x100 TcpLen: 20
03 00 00 2F 2A E0 00 00 00 00 00 43 6F 6F 6B 69 .../......Cooki
65 3A 20 6D 73 74 73 68 61 73 68 3D 41 64 6D 69 e: mstshash=Admi
6E 69 73 74 72 0D 0A 01 00 08 00 0B 00 00 00 nistr..........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
[Classification: RDC Disconnect] [Priority: 10]
Event ID: 29 Event Reference: 29
01/25/13-16:00:04.106860 192.168.254.97:3309 -> 10.7.0.39:3762
TCP TTL:127 TOS:0x0 ID:29375 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x673B29EE Ack: 0x97AD3E87 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
[Classification: RDC Disconnect] [Priority: 10]
Event ID: 28 Event Reference: 28
01/25/13-15:59:58.521247 192.168.254.97:3308 -> 10.7.0.39:3761
TCP TTL:127 TOS:0x0 ID:12121 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x8249C886 Ack: 0x1D15B360 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
[Classification: RDC Disconnect] [Priority: 10]
Event ID: 27 Event Reference: 27
01/25/13-15:59:52.824224 192.168.254.97:3303 -> 10.7.0.39:3747
TCP TTL:127 TOS:0x0 ID:17495 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x6DEB62CE Ack: 0x8CE5A9FC Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:1111111:0] Snort Alert [1:1111111:0] [**]
[Classification: RDC Connection Established] [Priority: 10]
Event ID: 26 Event Reference: 26
01/25/13-15:59:51.960445 10.7.0.39:3760 -> 192.168.254.97:3303
TCP TTL:127 TOS:0x0 ID:5899 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x2EE48349 Ack: 0x33E7ADDF Win: 0x100 TcpLen: 20
03 00 00 2F 2A E0 00 00 00 00 00 43 6F 6F 6B 69 .../......Cooki
65 3A 20 6D 73 74 73 68 61 73 68 3D 41 64 6D 69 e: mstshash=Admi
6E 69 73 74 72 0D 0A 01 00 08 00 0B 00 00 00 nistr..........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
[Classification: RDC Disconnect] [Priority: 10]
Event ID: 25 Event Reference: 25
01/25/13-15:59:51.953843 192.168.254.97:3303 -> 10.7.0.39:3759
TCP TTL:127 TOS:0x0 ID:17272 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0xC32E573F Ack: 0xF58DAC60 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

My search pattern:

Signature=2222222 dest_port="*" | fields - signature
-This gives me ONLY dest_port (What I want)

&

Signature=1111111 src_port="*" | fields - signature
-Ditto src_port (Also what I want)

The unique fields I need are the src_port and dest_port, due to it being an ephemeral port that is unique and the same for the connection opening and closing.

I then want to do a calculation of the search above and subtract the dest_port time from src_port time to give me the overall connection time.

3301-3310 Calculate time based on search above

Total time = XXX hours minutes seconds for 1week 1month 5 days

I apologize if this is easy but I am still reading through the 5.5MB PDF Splunk documentation to give me a fuller scope of how to use Splunk to its greatest capability. 🙂

0 Karma

Ayn
Legend

Have you looked at the transaction command?

Signature=2222222 OR Signature=1111111 | transaction src_ip src_port dest_ip dest_port

transaction will create two fields, eventcount and duration, which pretty much contain what you'd expect them to. 🙂

You could also use stats to do something similar.

Signature=2222222 OR Signature=1111111 | stats range(_time) as duration by src_ip,src_port,dest_ip,dest_port
0 Karma
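The pairing the transaction/stats approach relies on, worked through outside Splunk as an added example (not code from either poster): the connect rule fires client -> server and the disconnect rule fires server -> client, so grouping on raw src_ip/src_port/dest_ip/dest_port never joins the two; the direction has to be flipped so both events share the client's ephemeral port. The alert_fast_full sample below is constructed for the example and is not the poster's log.

```python
import re
from datetime import datetime

# Constructed alert_fast_full sample: one connect/disconnect pair sharing the
# client ephemeral port 3760, plus a disconnect (port 3747) with no connect.
SAMPLE = """\
[**] [1:1111111:0] Snort Alert [1:1111111:0] [**]
[Classification: RDC Connection Established] [Priority: 10]
01/25/13-15:59:51.960445 10.7.0.39:3760 -> 192.168.254.97:3303
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
[Classification: RDC Disconnect] [Priority: 10]
01/25/13-16:00:04.106860 192.168.254.97:3303 -> 10.7.0.39:3760
[**] [1:2222222:0] Snort Alert [1:2222222:0] [**]
[Classification: RDC Disconnect] [Priority: 10]
01/25/13-15:59:52.824224 192.168.254.97:3303 -> 10.7.0.39:3747
"""

SIG_RE = re.compile(r"\[1:(\d+):\d+\]")
HDR_RE = re.compile(
    r"(\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def parse_alerts(text):
    """Yield (signature, timestamp, src_ip, src_port, dst_ip, dst_port)."""
    sig = None
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if m:
            sig = m.group(1)          # the "[1:sid:rev]" header starts an alert
            continue
        m = HDR_RE.match(line)
        if m and sig:
            ts = datetime.strptime(m.group(1), "%m/%d/%y-%H:%M:%S.%f")
            yield sig, ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))

def session_durations(text, connect_sig="1111111", disconnect_sig="2222222"):
    """Return ({(client_ip, client_port, server_ip, server_port): seconds},
    [unmatched disconnect keys]).  Events are sorted by time first, because
    a Splunk export lists newest first and the connect must be seen before
    its disconnect."""
    opened, done, unmatched = {}, {}, []
    for sig, ts, sip, sport, dip, dport in sorted(parse_alerts(text), key=lambda e: e[1]):
        if sig == connect_sig:
            opened[(sip, sport, dip, dport)] = ts      # already client-first
        elif sig == disconnect_sig:
            key = (dip, dport, sip, sport)             # flip server->client back
            if key in opened:
                done[key] = (ts - opened.pop(key)).total_seconds()
            else:
                unmatched.append(key)
    return done, unmatched
```

The same normalisation in SPL is an `eval client_port=if(signature="1111111", src_port, dest_port)` ahead of the `transaction` or `stats range(_time)` step, so both alerts of one session carry the same grouping value; unmatched disconnects (a reused NAT port, or a connect that fell outside the search window) are what the `unmatched` list surfaces here.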

Xe03kfp
Path Finder

192.168.254.14 and 192.168.254.97 = Servers(Host)

0 Karma

Xe03kfp
Path Finder

Number 3 - Second search string does not calculate time due to the above problem and also I am getting the source IP mixed up in the results. Depicted-Here

0 Karma

Xe03kfp
Path Finder

Sorry.. I'm not sure why it posted like that.. 😞

0 Karma

Xe03kfp
Path Finder

Almost! 🙂

1 - I just found out Splunk is case sensitive Sig->sig

2 - The first search string does not focus on the uniq fields I need to arrive at my answer. Depicted-Here

--I need the src_port of the 1111111 to be calculated against the 2222222 dest_port, because the ephemeral port (randomized local port) is the unique value. Both Snort signatures contain a 33xx port depending on what direction the packets are going.

0 Karma

Xe03kfp
Path Finder

I'd like to get a Report based on the calculation that can be submitted (exported or copy/pasted) and
possibly derive a report for top src_ip(s), which I think SplunkForSnort gives as a built in search.

I hope this clarifies my need a lil bit 🙂

And sorry for the multiple replies...I am only allotted so many characters.

0 Karma

Xe03kfp
Path Finder

Of the two searches: ("based on criteria") --Somehow "join" the two search results to show ONLY the src_port and dest_port
-The answer to the two searches are the MOST "unique" to derive the calculation I need.

"End Result" -- Yes
-Session times per connection between src_port and dest_port from a src_ip

FYI if someone is curious: *3301 - 3310 are the ports I have masqueraded to forward to 3389 of a certain workstation.

0 Karma

Xe03kfp
Path Finder

Response:

*So I do not have to specify the index or source I have specifically configured SplunkforSnort to look at one index.

Searches:

1 Signature=1111111 src_port="*" | fields - signature

-This will only highlight the src_port(s)

2 Signature=2222222 dest_port="*" | fields - signature

-This will only highlight the dest_port(s)
0 Karma

DaveSavage
Builder

Well points to you for diving in with Splunk AND Snort all in 1 go plus the comprehensive data provided! 😉
Just clarify please...2 searches, 2 fields (understood) of which you want only 1 of those - based on what criteria?
End result is that you wish to see session times per connection between source and destination?

0 Karma

Xe03kfp
Path Finder

ALSO! 🙂 Just FYI I am using "Splunk for Snort" with Maxmind and Sideview Utils.

And Splunk pulls the logs from a network drive; the central location for all Snorts to save their logs, instead of locally.

0 Karma

Xe03kfp
Path Finder

Also linked is a screen cap of what I see for fields.

CLICK HERE

And, the log I linked is an export from Splunk and not Snort. Splunk is displaying the Snort data inputs correctly from 2 snort IDS's

0 Karma