Hello All,
I have some data here with which I need to find out which is the most vulnerable IP address from the dummy firewall log.
Fragmentation attack: 1.1.1.1, 2.2.2.2, 3.3.3.3
bruteforce: 1.1.1.1, 4.4.4.4, 5.5.5.5
some tcp attack: 1.1.1.1, 6.6.6.6, 7.7.7.7
So from the above data, 1.1.1.1 is common for all the attacks on my network, and I need a search query to list out the common IPs.
I hope i have made myself clear.
My base search to get the results is
index="netgear" | stats values(srcip) as srcip values(destip) as destip by message
Hi @ranjitbrhm1,
This is a great way to find compromised IPs. Your search should look like this if you want to find all attack messages for your source IP:
index="netgear" | stats values(message) as message by srcip
You can even filter out whichever has more than 2 attack vectors:
index="netgear" | stats dc(message) as condition, values(message) as message by srcip |where condition>2
And you can also add the list of destinations:
index="netgear" | stats dc(message) as condition, values(message) as message, values(destip) as destip by srcip
Let me know if this helps.
Cheers,
David
I suspect you are presenting a snippet of your requirements; however, try this and see if it takes you any nearer to your solution.
| makeresults
| eval evnt="Fragmentation attack 1.1.1.1
2.2.2.2
3.3.3.3
bruteforce 1.1.1.1
4.4.4.4
5.5.5.5
some tcp attack 1.1.1.1
6.6.6.6
7.7.7.7"
| rex field=evnt "(?<text>\d+\.\d+\.\d+\.\d+)" max_match=0
| mvexpand text
| stats count by text
So, here the count for 1.1.1.1 is the highest, and you can just filter by the count for the IP having the maximum occurrence.
Thank you for the answer, let me try to explain my entire requirement so it's clearer. I get a log from the firewall. Inside the firewall log there are some destination IPs under attack by fragmentation attack, some destination IPs under attack by brute force, and some destination IPs under attack by some other attack. So I want to find out if any destination IP is under attack by multiple methods. Like in the above scenario, 1.1.1.1 is under attack by all three types of attack. So basically I need to find the most vulnerable IP address in the network. Hope I made myself clear.
Thanks
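The same "distinct attack types per IP" logic that the `stats dc(message) ... by srcip | where condition>2` answer expresses in SPL, worked through offline in Python so the result can be checked without Splunk. This is an added example, not code from the thread or from Splunk; the log line layout (`[message] from srcip to destip`), the sample lines, and the function names `parse_events`, `attack_types_by_ip`, `ips_with_multiple_attacks` and `most_targeted_ip` are all constructed assumptions. It groups by `destip` by default, matching the requirement clarified above, and can group by `srcip` instead, as in the answers.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed layout, not real Netgear output). Note that
# 1.1.1.1 is hit by three different attack messages, and that the repeated
# bruteforce line should NOT inflate its distinct count.
SAMPLE_LOG = """\
[Fragmentation attack] from 10.0.0.5 to 1.1.1.1
[Fragmentation attack] from 10.0.0.5 to 2.2.2.2
[Fragmentation attack] from 10.0.0.6 to 3.3.3.3
[bruteforce] from 10.0.0.7 to 1.1.1.1
[bruteforce] from 10.0.0.7 to 4.4.4.4
[bruteforce] from 10.0.0.8 to 5.5.5.5
[some tcp attack] from 10.0.0.9 to 1.1.1.1
[some tcp attack] from 10.0.0.9 to 6.6.6.6
[some tcp attack] from 10.0.0.9 to 7.7.7.7
[bruteforce] from 10.0.0.7 to 1.1.1.1
"""

# Field extraction, the equivalent of a rex on the raw line (assumed layout).
LINE_RE = re.compile(
    r"^\[(?P<message>[^\]]+)\] from (?P<srcip>\d+\.\d+\.\d+\.\d+)"
    r" to (?P<destip>\d+\.\d+\.\d+\.\d+)$"
)


def parse_events(text):
    """Turn raw log text into a list of {message, srcip, destip} dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def attack_types_by_ip(events, key="destip"):
    """Equivalent of `stats values(message) as message by <key>`.

    A set is used per IP, so duplicate events of the same attack type
    are counted once, like dc() in SPL.
    """
    table = defaultdict(set)
    for ev in events:
        table[ev[key]].add(ev["message"])
    return {ip: sorted(msgs) for ip, msgs in table.items()}


def ips_with_multiple_attacks(events, key="destip", min_types=2):
    """Equivalent of `stats dc(message) as condition by <key> | where condition>=min_types`."""
    return {
        ip: msgs
        for ip, msgs in attack_types_by_ip(events, key).items()
        if len(msgs) >= min_types
    }


def most_targeted_ip(events, key="destip"):
    """Return (ip, distinct_attack_count) for the IP seen with the most attack
    types; ties are broken by the lowest IP string so the result is stable."""
    ranked = attack_types_by_ip(events, key)
    if not ranked:
        return None
    ip = min(ranked, key=lambda k: (-len(ranked[k]), k))
    return ip, len(ranked[ip])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(ips_with_multiple_attacks(evs))   # {'1.1.1.1': [...3 attack types...]}
    print(most_targeted_ip(evs))            # ('1.1.1.1', 3)
    print(most_targeted_ip(evs, "srcip"))   # every source has one type: ('10.0.0.5', 1)
```

The threshold argument mirrors the `where condition>2` clause in the answer: with `min_types=3` only IPs hit by three or more different attack messages remain. Switching `key` between `destip` and `srcip` is the same change as swapping the `by` field in the SPL.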
You need to provide a better snapshot of your logs.
What is the difference between the output of the above query and what you want?