I've been spending a long time trying to get 1 correlation search working. The search is to find non-standard hostnames that have been assigned a DHCP address; this would cover a scenario where a rogue laptop is plugged into the network.
The search I am using is:
description=assign | search dest!=Prefix1* | search dest!=Prefix2* | search dest!=Prefix3* | search dest!=Prefix4* | dest_ip!=10.50.x.1/20 dest_ip!=10.51.x.1/21 dest_ip!=10.49.x.1/27 | rex mode=sed field=dest "s/.company.domain.com//g" | where dest!=dest_mac
Prefix1*, Prefix2* etc are known hostnames that follow a naming convention.
Some VOIP phone devices that use DHCP have a hostname that is the same as their MAC address, which is why there is 'where dest!=dest_mac'.
In the notable search itself I have:
Notable event title:
Suspicious Host Discovered - $dest$ at $time$ on $date$
Notable event description:
The system $dest$ has been assigned an IP Address
Start time is: -3d (so I get some initial result, this will change to -5 when proven working)
End time is: now
cron: set to run every 5 mins
The goal is to search the last 5 mins of dhcp logs every 5 mins using the search above so that an unknown host that uses dhcp can quickly be discovered.
However in the Incident Review dashboard the title is displayed as:
Suspicious Host Discovered - unknown at unknown on unknown
It doesn't appear to read the field results correctly.
I've run this search manually in a standard search and I have 3-4 results when searching over the last 3 days.
Also, what happens if the correlation search finds multiple hostnames that fit the criteria of the search, does it create separate notable events?
Thanks
Perhaps the reason it is not working is because you left out the last 2 | search strings, but you should not split your base search logic that way anyway; it wastes CPU and memory; try this:
description=assign dest!=Prefix1* dest!=Prefix2* dest!=Prefix3* dest!=Prefix4* dest_ip!="10.50.x.1/20" dest_ip!="10.51.x.1/21" dest_ip!="10.49.x.1/27" | rex mode=sed field=dest "s/.company.domain.com//g" | where dest!=dest_mac
Have spent a lot of time on this today and still getting nowhere, frustrating!
Using standard Splunk search I can use:
description=assign | where NOT cidrmatch("10.50.96.1/20",dest_ip) | where NOT cidrmatch("10.50.80.1/21",dest_ip) | where NOT cidrmatch("10.49.16.1/27",dest_ip) | rex mode=sed field=dest "s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND dest!=dest_mac
I get the desired results where I see hostnames with prefixes not specified in the search. Maybe 4 or 5 hostnames (dest field).
I've turned the same syntax into a correlation search (checked parsing using guided mode too - but left the search as manual) and created a notable event, with the title
"Suspicious Host Discovered - $dest$ at $time$ on $date$"
I instead see:
"Suspicious Host Discovered - unknown at unknown on unknown"
There are also multiple events created (10s or 100s). If a normal search has 4 results, why does the incident dashboard not show 4 notable events from the correlation search which uses the same syntax? Doesn't seem very intuitive.
Tomorrow's another day.
Have used this for CIDR, is now working:
where NOT cidrmatch("10.49.16.1/27",dest_ip)
1 more question -
Search results are being matched by case.
By using
NOT like(dest, "PREFIX1%")
I will still have results that are "Prefix1" or "prefix1" - how can I make the search case insensitive?
sourcetype=DhcpSrvLog description=assign | rex mode=sed field=dest "s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND NOT like(dest_ip, "10.50.96.1/20") AND NOT like(dest_ip, "10.51.80.1/21") AND NOT like(dest_ip, "10.49.16.1/27") AND dest!=dest_mac
Running this search now. The Prefix filtering is working, however the NOT like(dest_ip, "10.51.80.1/21") IP range filtering is not working. The results include those IP ranges.
You cannot specify IP ranges/subnets like that; you need to specify it more literally using SQL-like syntax.
The second command is having some results, although the dest_ip! filtering is not working; I am working on that.
Just convert that part to NOT LIKE, too.
Thanks Woodcock,
I did try that syntax initially, however it does not parse correctly (used guided mode to confirm).
Splunk ES does not like the wildcard * I believe.
Then do this:
description=assign dest_ip!="10.50.x.1/20" dest_ip!="10.51.x.1/21" dest_ip!="10.49.x.1/27" | regex dest!="^(?:Prefix1|Prefix2|Prefix3|Prefix4)" | rex mode=sed field=dest "s/.company.domain.com//g" | where dest!=dest_mac
And if it still won't take the wildcard, try this:
description=assign dest_ip!="10.50.x.1/20" dest_ip!="10.51.x.1/21" dest_ip!="10.49.x.1/27" | rex mode=sed field=dest "s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND dest!=dest_mac
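An added worked example of the detection logic the thread is building, written by me in Python rather than SPL so the rules can be run offline over a few constructed log lines; it is not code from this thread, from Splunk or from Splunk ES. It models the final shape of the search (assign events only, strip the domain suffix, drop hosts with a known naming prefix, drop addresses inside the excluded CIDR ranges, drop phones whose hostname is their MAC) and also covers two things the thread raises but does not settle: the prefix match is made case-insensitive by lowercasing both sides, and the hostname/MAC comparison ignores separators and case. The log layout (comma-separated ID, date, time, description, IP, host name, MAC, loosely modelled on a Windows DHCP server audit log), the sample events, the one-finding-per-hostname behaviour and the prefix/CIDR values taken from the thread are all assumptions of this example.

```python
import ipaddress
import re

# Constructed sample DHCP audit-log lines (ID,Date,Time,Description,IP,Host Name,MAC).
# These are made-up events for the example, not data from the thread.
SAMPLE_LOG = """\
10,01/01/24,08:00:01,Assign,10.60.1.20,PREFIX1-LAPTOP01.company.domain.com,001122334455
10,01/01/24,08:00:02,Assign,10.60.1.21,prefix2-desk42.company.domain.com,001122334456
10,01/01/24,08:00:03,Assign,10.60.1.22,0011223344AA.company.domain.com,00-11-22-33-44-aa
10,01/01/24,08:00:04,Assign,10.50.97.25,HOMELAPTOP.company.domain.com,DEADBEEF0001
10,01/01/24,08:00:05,Assign,10.60.1.9,visitor-pc.company.domain.com,DEADBEEF0003
10,01/01/24,08:00:06,Assign,10.60.1.9,visitor-pc.company.domain.com,DEADBEEF0003
11,01/01/24,08:00:07,Renew,10.60.1.9,visitor-pc.company.domain.com,DEADBEEF0003
10,01/01/24,08:00:08,Assign,10.60.1.5,HOMELAPTOP.company.domain.com,DEADBEEF0001
"""

# Values taken from the thread: approved hostname prefixes, excluded subnets,
# and the domain suffix the thread strips with "rex mode=sed".
KNOWN_PREFIXES = ("Prefix1", "Prefix2", "Prefix3", "Prefix4")
EXCLUDED_CIDRS = ("10.50.96.1/20", "10.51.80.1/21", "10.49.16.1/27")
DOMAIN_SUFFIX = ".company.domain.com"

# Parse the hosts' addresses once; strict=False accepts a host address such as
# 10.50.96.1/20 the way the thread writes its CIDRs, and uses the enclosing network.
_EXCLUDED_NETS = [ipaddress.ip_network(c, strict=False) for c in EXCLUDED_CIDRS]


def parse_line(line):
    """Split one audit-log line into the fields the search uses; None if malformed."""
    fields = line.rstrip("\n").split(",")
    if len(fields) < 7:
        return None
    return {"description": fields[3], "dest_ip": fields[4],
            "dest": fields[5], "dest_mac": fields[6]}


def strip_domain(name):
    """Equivalent of the thread's sed expression: remove the domain suffix."""
    if name.lower().endswith(DOMAIN_SUFFIX.lower()):
        return name[:-len(DOMAIN_SUFFIX)]
    return name


def has_known_prefix(name):
    """Case-insensitive prefix test (the thread's like() is case-sensitive)."""
    return name.lower().startswith(tuple(p.lower() for p in KNOWN_PREFIXES))


def in_excluded_range(ip):
    """True when the leased address falls inside any excluded subnet (cidrmatch)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _EXCLUDED_NETS)


def norm_mac(value):
    """Normalise a MAC-like string: lowercase hex digits only, separators removed."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def find_suspicious_hosts(log_text):
    """Return {hostname: first leased IP} for assign events that pass no exclusion.

    Collapsing repeated leases to one finding per hostname is a design choice of
    this example; the thread's search reports every matching event.
    """
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["description"].lower() != "assign":
            continue
        dest = strip_domain(ev["dest"])
        if has_known_prefix(dest):
            continue                      # standard naming convention
        if in_excluded_range(ev["dest_ip"]):
            continue                      # inside an excluded subnet
        if norm_mac(dest) == norm_mac(ev["dest_mac"]):
            continue                      # VOIP phone: hostname is its MAC
        findings.setdefault(dest, ev["dest_ip"])
    return findings


if __name__ == "__main__":
    for host, ip in find_suspicious_hosts(SAMPLE_LOG).items():
        print(f"Suspicious Host Discovered - {host} ({ip})")
```

Running the block reports only HOMELAPTOP and visitor-pc: the two prefixed hosts are dropped regardless of case, the phone whose name is its MAC is dropped even though the log writes the MAC with dashes, the HOMELAPTOP lease inside 10.50.96.0/20 is dropped by the CIDR rule, and the repeated visitor-pc lease produces one finding. In SPL the case-insensitive prefix test is normally obtained by comparing lower(dest) instead of dest; the thread itself does not get as far as resolving that question.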