Mac address spoof search?

shandman
Path Finder

I've been trying to get this to work with my data but can't seem to get it to work. https://answers.splunk.com/answers/230665/how-to-edit-my-search-to-filter-and-only-return-du.html?ut...

Here is the query I'm running:
index=windows sourcetype=dhcpsrvlog ... | stats dc(dhcp_mac) as macCount values(dhcp_mac) as mac by dhcp_hostname | search macCount>1

I run that for the past 30 days, during which time I have spoofed mac addresses with 0 results coming up with this search. Am I missing something?


shandman
Path Finder

I think I'm close. Just need a little help. Here is my current search:
index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by raw_mac | where count = 2

I'm trying to get results for any 2 systems sharing the same mac address.

Thanks again for the help guys.


shandman
Path Finder

Ah. I see. No the search is showing with dest_mac and dest_nt_host


harsmarvania57
SplunkTrust

Then your query should be

index=windows sourcetype=dhcpsrvlog ... | stats dc(dest_mac) as macCount values(dest_mac) as mac by dest_nt_host| search macCount>1

shandman
Path Finder

Now there is a plethora of hosts showing up with slightly different MAC addresses. 1340 results. Looks like maybe they have multiple network interfaces? How can I adjust the search to show when another host takes on the MAC address of a host, thus showing when a MAC address has been spoofed? Thanks guys.

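The distinction behind this question, as an added example that is not from the thread or from Splunk: the search above groups by hostname (so every multi-NIC machine matches), whereas a spoofed address shows up as one MAC leased to more than one hostname. Both groupings are run here over constructed lines in the Microsoft DHCP server log layout; the field names in the SPL comment are assumed from the thread.

```python
from collections import defaultdict

# Constructed sample lines in the Microsoft DHCP server log layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...).
# The lease at 13:02 hands WS-ALICE's MAC to a different hostname.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/15/19,09:12:44,Assign,10.0.0.23,WS-ALICE,00AABBCCDD01
10,03/15/19,09:13:02,Assign,10.0.0.24,WS-BOB,00AABBCCDD02
10,03/15/19,09:13:30,Assign,10.0.0.25,LAPTOP-BOB,00AABBCCDD03
10,03/15/19,09:14:10,Assign,10.0.0.26,LAPTOP-BOB,00AABBCCDD04
11,03/15/19,11:40:07,Renew,10.0.0.23,WS-ALICE,00AABBCCDD01
10,03/15/19,13:02:51,Assign,10.0.0.77,ROGUE-PC,00AABBCCDD01
"""


def parse_dhcp_log(text):
    """Return (hostname, mac) pairs from lease events, skipping the header."""
    pairs = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7 or not fields[0].isdigit():
            continue  # header or malformed line
        pairs.append((fields[5], fields[6].upper()))
    return pairs


def group_distinct(pairs, key_index, value_index):
    """Map each key to the sorted distinct values seen with it
    (the stats dc()/values() ... by <key> pattern from the thread)."""
    groups = defaultdict(set)
    for pair in pairs:
        groups[pair[key_index]].add(pair[value_index])
    return {k: sorted(v) for k, v in groups.items()}


def hosts_with_multiple_macs(pairs):
    """The thread's search: dc(mac) by host > 1. Also matches
    multi-NIC machines such as LAPTOP-BOB, which is the noise seen above."""
    return {h: m for h, m in group_distinct(pairs, 0, 1).items() if len(m) > 1}


def macs_claimed_by_multiple_hosts(pairs):
    """Grouped the other way round: one MAC leased to more than one hostname.
    Assumed SPL equivalent: ... | stats dc(dest_nt_host) as hostCount
    values(dest_nt_host) as hosts by dest_mac | where hostCount>1"""
    return {m: h for m, h in group_distinct(pairs, 1, 0).items() if len(h) > 1}
```

A MAC seen with several hostnames is also what a reimaged or renamed machine looks like, so treat hits as leads to check against the lease timeline rather than as confirmed spoofing.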

harsmarvania57
SplunkTrust

Hi @shandman,

When you run this query index=windows sourcetype=dhcpsrvlog ... are you getting dhcp_mac and dhcp_hostname in the interesting fields on the left-hand side in Splunk?


blacknight659
Explorer

Same question, but make sure you are in Smart or Verbose mode when you check this.
