
Mac address spoof search?

shandman
Path Finder

I've been trying to get this to work with my data but can't seem to get it to work. https://answers.splunk.com/answers/230665/how-to-edit-my-search-to-filter-and-only-return-du.html?ut...

Here is the query I'm running.
index=windows sourcetype=dhcpsrvlog ... | stats dc(dhcp_mac) as macCount values(dhcp_mac) as mac by dhcp_hostname | search macCount>1

I run that for the past 30 days, during which time I have spoofed MAC addresses, with 0 results coming up with this search. Am I missing something?


shandman
Path Finder

I think I'm close. Just need a little help. Here is my current search:
index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by raw_mac | where count = 2

I'm trying to get results for any 2 systems sharing the same MAC address.

Thanks again for the help guys.


shandman
Path Finder

Ah, I see. No, the search is showing with dest_mac and dest_nt_host.


harsmarvania57
SplunkTrust

Then your query should be:

index=windows sourcetype=dhcpsrvlog ... | stats dc(dest_mac) as macCount values(dest_mac) as mac by dest_nt_host| search macCount>1

shandman
Path Finder

Now there is a plethora of hosts showing up with slightly different MAC addresses: 1340 results. Looks like maybe they have multiple network interfaces? How can I adjust the search to show when another host takes on the MAC address of a host, thus showing when a MAC address has been spoofed? Thanks guys.

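The two searches in this thread answer different questions: grouping by hostname finds hosts with several MACs (typically multi-NIC machines, which is where the 1340 results come from), while grouping by MAC finds one address claimed by several hostnames, which is the spoofing signal being asked for. The script below is an added example, not from the thread; it assumes the Microsoft DHCP server audit-log CSV layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address, ...) and uses constructed sample lines, implementing both groupings side by side.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample lines in the Microsoft DHCP server audit-log CSV layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...).
# Event ID 10 = Assign, 11 = Renew. LAPTOP-01 has two NICs (legitimate);
# ROGUE-PC claims LAPTOP-01's first MAC (the spoof case).
SAMPLE_LOG = """\
10,03/20/24,09:15:02,Assign,10.0.0.25,LAPTOP-01.corp.example,AABBCCDDEE01,
11,03/20/24,09:40:10,Renew,10.0.0.25,LAPTOP-01.corp.example,AABBCCDDEE01,
10,03/20/24,09:41:33,Assign,10.0.0.26,LAPTOP-01.corp.example,AABBCCDDEE02,
10,03/20/24,10:02:45,Assign,10.0.0.77,ROGUE-PC.corp.example,AABBCCDDEE01,
10,03/20/24,10:05:12,Assign,10.0.0.30,PRINTER-3.corp.example,001122334455,
11,03/20/24,10:30:00,Renew,10.0.0.30,PRINTER-3.corp.example,001122334455,
"""


def parse_dhcp_log(text):
    """Yield (hostname, mac) pairs from lease events, normalising case so
    'aa:bb' and 'AABB' style differences do not split the same MAC."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or row[0] not in ("10", "11"):
            continue  # skip header/other event types
        host = row[5].strip().lower()
        mac = row[6].strip().upper().replace(":", "").replace("-", "")
        if host and mac:
            yield host, mac


def hosts_with_many_macs(text):
    """Equivalent of the thread's search (stats dc(dest_mac) ... by dest_nt_host):
    hosts seen with more than one MAC. Mostly multi-NIC machines, not spoofing."""
    macs = defaultdict(set)
    for host, mac in parse_dhcp_log(text):
        macs[host].add(mac)
    return {h: sorted(m) for h, m in macs.items() if len(m) > 1}


def macs_with_many_hosts(text):
    """The inverted search (stats dc(dest_nt_host) as hostCount values(dest_nt_host)
    as hosts by dest_mac | where hostCount>1): one MAC claimed by several hostnames."""
    hosts = defaultdict(set)
    for host, mac in parse_dhcp_log(text):
        hosts[mac].add(host)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    print("multi-NIC hosts:", hosts_with_many_macs(SAMPLE_LOG))
    print("MACs shared by several hosts:", macs_with_many_hosts(SAMPLE_LOG))
```

A re-imaged or renamed machine will also show up in the second result, so in practice the hostnames and lease times are reviewed before treating a hit as spoofing.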

harsmarvania57
SplunkTrust

Hi @shandman,

When you run this query index=windows sourcetype=dhcpsrvlog ... are you getting dhcp_mac and dhcp_hostname in the Interesting Fields on the left-hand side in Splunk?


blacknight659
Explorer

Same question, but make sure you are in Smart or Verbose mode when you check this.
