Splunk Enterprise Security

How can I filter incoming traffic from outgoing traffic

Communicator

Hi

I am working on a DDoS alert. I want to detect spikes of incoming traffic.
But I am not sure how to differentiate incoming from outgoing.

index=fortigate sourcetype=fgt_traffic host="FGT-200"
| search (dest_port=443 OR dest_port=80)
0 Karma

Re: How can I filter incoming traffic from outgoing traffic

Contributor

You could filter out the source IPs behind your firewall to get incoming traffic. The actual IPs to use will depend on your environment. Here is an example:

index=fortigate sourcetype=fgt_traffic host="FGT-200" (dest_port=443 OR dest_port=80) srcip!=203.0.113.0/24 srcip!=192.168.15.0/24
0 Karma
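The same idea as the answer above, worked through outside Splunk as an added example (this is not code from either poster): tag each FortiGate traffic event as inbound or outbound by checking whether srcip and dstip fall inside the networks behind the firewall, keep only inbound hits to ports 80 and 443, and count them per minute so a spike stands out. The log lines, the "internal" ranges 203.0.113.0/24 and 192.168.15.0/24 (taken from the answer's search), the threshold and all function names are constructed assumptions for illustration; on a real FortiGate you would pull the same fields from the raw key=value events.

```python
import re
import ipaddress
from collections import Counter

# Assumption: these are the ranges "behind" the example firewall (the answer's
# srcip!= filters). Anything else is treated as the public side.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.168.15.0/24")]
WEB_PORTS = {80, 443}

# Constructed FortiGate-style traffic events (key=value), not real log data.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 devname="FGT-200" type="traffic" srcip=198.51.100.7 srcport=51234 dstip=203.0.113.10 dstport=443 action="accept"',
    'date=2024-05-01 time=10:00:02 devname="FGT-200" type="traffic" srcip=198.51.100.8 srcport=51235 dstip=203.0.113.10 dstport=443 action="accept"',
    'date=2024-05-01 time=10:00:02 devname="FGT-200" type="traffic" srcip=198.51.100.9 srcport=51236 dstip=203.0.113.10 dstport=80 action="accept"',
    'date=2024-05-01 time=10:00:03 devname="FGT-200" type="traffic" srcip=198.51.100.10 srcport=51237 dstip=203.0.113.11 dstport=443 action="accept"',
    'date=2024-05-01 time=10:00:05 devname="FGT-200" type="traffic" srcip=192.168.15.20 srcport=40001 dstip=93.184.216.34 dstport=443 action="accept"',
    'date=2024-05-01 time=10:00:07 devname="FGT-200" type="traffic" srcip=198.51.100.11 srcport=51238 dstip=203.0.113.10 dstport=22 action="deny"',
    'date=2024-05-01 time=10:01:10 devname="FGT-200" type="traffic" srcip=198.51.100.12 srcport=51239 dstip=203.0.113.10 dstport=443 action="accept"',
    'date=2024-05-01 time=10:01:30 devname="FGT-200" type="traffic" srcip=192.168.15.21 srcport=40002 dstip=203.0.113.10 dstport=443 action="accept"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fgt_line(line):
    """Parse a FortiGate key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_internal(ip_text):
    """True if the address is inside one of the networks behind the firewall."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def direction(event):
    """Classify an event from the firewall's point of view."""
    src_in, dst_in = is_internal(event["srcip"]), is_internal(event["dstip"])
    if not src_in and dst_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    if src_in and dst_in:
        return "internal"
    return "transit"  # neither side is ours; rare on an edge device


def inbound_counts_per_minute(lines, ports=WEB_PORTS):
    """Count inbound events to the given ports, bucketed by minute (YYYY-MM-DD HH:MM)."""
    counts = Counter()
    for line in lines:
        ev = parse_fgt_line(line)
        if direction(ev) != "inbound" or int(ev["dstport"]) not in ports:
            continue
        counts[f'{ev["date"]} {ev["time"][:5]}'] += 1
    return counts


def find_spikes(counts, threshold):
    """Return the minutes whose inbound count exceeds the threshold, in time order."""
    return sorted(m for m, n in counts.items() if n > threshold)


if __name__ == "__main__":
    per_minute = inbound_counts_per_minute(SAMPLE_LOGS)
    for minute, n in sorted(per_minute.items()):
        print(minute, n)
    # Threshold 3 is an arbitrary assumption; tune it to your baseline.
    print("spikes:", find_spikes(per_minute, 3))
```

With the constructed events, the outbound hit from 192.168.15.20, the LAN-to-DMZ hit from 192.168.15.21 and the inbound attempt on port 22 are all dropped before counting, leaving 4 inbound web hits at 10:00 and 1 at 10:01, so only the 10:00 minute is reported. The same split is what the answer's `srcip!=` filters do in SPL; a fixed threshold is just a starting point, and a per-host baseline (for example a rolling average over the previous hour) is the usual next step.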