How can I use the Network_Traffic datamodel to find what has NOT egressed/logged for a firewall ACL/rule?

kimsey4701
Engager

Good afternoon,

Background: I found a configuration issue in one of our firewalls which I'm trying to remediate where an admin created a very broad access rule that has permitted traffic over a wide array of TCP/UDP ports. I started working to identify valid traffic which has used the rule, but a co-worker mentioned an easy win would be creating an ACL to block any ports which had not already been allowed through this very promiscuous rule.

My problem is I know how to use the data model to identify TCP/UDP traffic which has been logged egressing through the rule, but how could I modify the search provided below so that I can get a result that displays which ports have NOT been logged? (Also bonus points if you can help me view numbers returned as ranges rather than individual numbers aka "5000-42000")

Here is my current search:

| tstats values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port
FROM datamodel=Network_Traffic
WHERE index="firewall" AND sourcetype="traffic" AND fw_rule="horrible_rule"
BY All_Traffic.dest_port
| rename All_Traffic.* AS *

Thank you in advance for any help that you may be able to provide!
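As an added example (not part of the original post or of the accepted answer), the Python script below does on an exported CSV what the question asks of the search: it takes the dest_port column from the export of the tstats search above, derives the ports that were never logged through the rule, and collapses both the seen and the unseen port sets into ranges of the "5000-42000" form. The sample export, the column name dest_port and the 0-65535 port range are assumptions made here, not data from the page.

```python
"""Find destination ports never logged through a permissive firewall rule and
collapse port lists into ranges.

Input is a CSV export of the question's tstats search (one row per dest_port).
The sample export below is constructed for illustration."""
import csv
import io

# Constructed sample export, in the shape "| rename All_Traffic.* AS *" leaves:
# one row per destination port seen through the rule.
SAMPLE_EXPORT = """dest_port,num_dest_ip
22,3
53,40
80,12
443,57
444,1
445,2
8080,4
8081,4
8082,4
"""

MIN_PORT, MAX_PORT = 0, 65535  # assumption: full TCP/UDP port space


def observed_ports(csv_text, column="dest_port"):
    """Parse the export and return the set of ports that were actually logged.
    Non-numeric or out-of-range cells are skipped rather than crashing the run."""
    ports = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip()
        try:
            port = int(value)
        except ValueError:
            continue
        if MIN_PORT <= port <= MAX_PORT:
            ports.add(port)
    return ports


def unobserved_ports(seen, low=MIN_PORT, high=MAX_PORT):
    """Complement of the observed set within the port range: the ports that
    have NOT been logged egressing through the rule."""
    return set(range(low, high + 1)) - set(seen)


def to_ranges(ports):
    """Collapse integers into sorted (start, end) runs of consecutive values,
    e.g. {80, 443, 444, 445} -> [(80, 80), (443, 445)]."""
    ranges = []
    for port in sorted(set(ports)):
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)  # extend the current run
        else:
            ranges.append((port, port))         # start a new run
    return ranges


def format_ranges(ranges):
    """Render runs in the "5000-42000" style; single ports stay single."""
    return [f"{a}" if a == b else f"{a}-{b}" for a, b in ranges]


if __name__ == "__main__":
    seen = observed_ports(SAMPLE_EXPORT)
    print("ports seen through the rule:", ", ".join(format_ranges(to_ranges(seen))))
    never = unobserved_ports(seen)
    print("ports never seen (candidates for a deny rule placed ahead of it):")
    print(", ".join(format_ranges(to_ranges(never))))
```

Two practical points when using this on a real export: run it once per transport (add All_Traffic.transport to the BY clause and export TCP and UDP separately), because a port seen on TCP says nothing about UDP; and remember that "never logged" only covers the retention window you searched, so a port absent from the logs may still be needed by something that runs rarely.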

1 Solution

chris_barrett
SplunkTrust

In my mind this isn't a Splunk problem - although you could use Splunk to identify the ports being allowed through by the permissive policy.

My suggestion would be to add one or more policies before the permissive policy that allow through the ports that you definitely want to allow. This will, over time, reduce the number of ports being allowed through by the permissive policy and, at a point in time, the permissive policy can be removed.


kimsey4701
Engager

Chris,

That's what I'm trying to accomplish as I was able to define what is using the rule so I can start putting defined rules in front of it. In this case I was hoping that someone could help me easily know what had not used the open rule so I can immediately put a rule in front of it to block any ports that haven't traversed it.

I'll just close out my question and do things the slow way with exports to Excel.

Thanks,

Kimsey
