Knowledge Management

How can I use the Network_Traffic datamodel to find what has NOT egressed/logged for a firewall ACL/rule?

kimsey4701
Engager

Good afternoon,

Background: I found a configuration issue in one of our firewalls which I'm trying to remediate where an admin created a very broad access rule that has permitted traffic over a wide array of TCP/UDP ports. I started working to identify valid traffic which has used the rule, but a co-worker mentioned an easy win would be creating an ACL to block any ports which had not already been allowed through this very promiscuous rule.

My problem is I know how to use the data model to identify TCP/UDP traffic which has been logged egressing through the rule, but how could I modify the search provided below so that I can get a result that displays which ports have NOT been logged? (Also bonus points if you can help me view numbers returned as ranges rather than individual numbers aka "5000-42000")

Here is my current search:

| tstats values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port
FROM datamodel=Network_Traffic
WHERE index="firewall" AND sourcetype="traffic" AND fw_rule="horrible_rule"
BY All_Traffic.dest_port
| rename All_Traffic.* AS *

Thank you in advance for any help that you may be able to provide!

1 Solution

chris_barrett
SplunkTrust

In my mind this isn't a Splunk problem - although you could use Splunk to identify the ports being allowed through by the permissive policy.

My suggestion would be to add one or more policies before the permissive policy that allow through the ports that you definitely want to allow. This will, over time, reduce the number of ports being allowed through by the permissive policy and, at a point in time, the permissive policy can be removed.

kimsey4701
Engager

Chris,

That's what I'm trying to accomplish as I was able to define what is using the rule so I can start putting defined rules in front of it. In this case I was hoping that someone could help me easily know what had not used the open rule so I can immediately put a rule in front of it to block any ports that haven't traversed it.

I'll just close out my question and do things the slow way with exports to Excel.

Thanks,

Kimsey

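The "ports that have NOT been logged" can never come out of the data model by itself, because indexed events only contain ports that were actually used; a reference set of all 65536 ports is needed to compare against. As an added example (not from the thread or from Splunk), the Python script below does that comparison on a CSV export of the dest_port values, like the export-to-Excel route Kimsey mentions, and collapses both the seen and the never-seen ports into ranges of the "5000-42000" form. The column name and the sample export rows are assumptions.

```python
import csv
import io

# Reference set: every TCP/UDP port. Absence in the logs only means
# something once compared against this full space.
ALL_PORTS = range(0, 65536)

# Constructed sample of a Splunk CSV export of values(All_Traffic.dest_port);
# a multivalue cell is exported as newline-separated values in one quoted field.
SAMPLE_EXPORT = '''dest_port
22
80
443
"3389
3390
3391"
'''

def observed_ports(csv_text, column="dest_port"):
    """Return the set of valid port numbers found in the given CSV column."""
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        for token in row[column].split():   # also splits the embedded newlines
            if token.isdigit() and int(token) in ALL_PORTS:
                seen.add(int(token))
    return seen

def _span(start, end):
    return str(start) if start == end else f"{start}-{end}"

def to_ranges(ports):
    """Collapse port numbers into sorted 'a-b' spans (single ports stay 'a')."""
    ranges, start, prev = [], None, None
    for p in sorted(set(ports)):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            ranges.append(_span(start, prev))
            start = prev = p
    if start is not None:
        ranges.append(_span(start, prev))
    return ranges

def unobserved_ranges(seen):
    """Ports never logged through the rule, as ranges ready for a deny ACL."""
    return to_ranges(p for p in ALL_PORTS if p not in seen)
```

Run the comparison separately per transport (split the export on All_Traffic.transport) so that a port only ever seen over UDP does not get treated as used for TCP, and only block the result after checking it against the window of logs you exported, since anything not used during that window is still a candidate for breakage.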