Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Mac address spoof search?

shandman
Path Finder
‎10-11-2017 12:08 AM

I've been trying to get this to work with my data but can't seem to get it to work. https://answers.splunk.com/answers/230665/how-to-edit-my-search-to-filter-and-only-return-du.html?ut...

here is the query i'm running.
index=windows sourcetype=dhcpsrvlog ... | stats dc(dhcp_mac) as macCount values(dhcp_mac) as mac by dhcp_hostname | search macCount>1

I run that for the past 30 days, during which time I have spoofed mac addresses with 0 results coming up with this search. Am I missing something?

Labels (1)
Labels
Tags (2)
0 Karma
Reply

shandman
Path Finder
‎10-11-2017 01:25 PM

I think I'm close. Just need a little help. here is my current search
index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by raw_mac | where count = 2

I'm trying to get results for any 2 systems sharing the same mac address.

Thanks again for the help guys.

0 Karma
Reply

shandman
Path Finder
‎10-11-2017 09:39 AM

Ah. I see. No the search is showing with dest_mac and dest_nt_host

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-11-2017 09:43 AM

Then your query should be 

index=windows sourcetype=dhcpsrvlog ... | stats dc(dest_mac) as macCount values(dest_mac) as mac by dest_nt_host| search macCount>1
0 Karma
Reply

shandman
Path Finder
‎10-11-2017 10:20 AM

Now there is a plethora of hosts showing up with slightly different mac addresses. 1340 results . Looks like maybe they have multiple network interfaces? How can I adjust the search to show when another host takes on the mac address of a host? Thus showing when a mac address has been spoofed? Thanks guys.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-11-2017 06:22 AM

Hi @shandman,

When you run this query index=windows sourcetype=dhcpsrvlog ... are you getting dhcp_mac and dhcp_hostname in interesting field on left hand side in splunk?

0 Karma
Reply

blacknight659
Explorer
‎10-11-2017 07:53 AM

Same question, But make sure you are in Smart or Verbose mode when you check this.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...