Splunk Search

Comparing fields in searches to find common values

Communicator

Hello All,
I have some data here with which I need to find out which is the most vulnerable IP address from the dummy firewall log.
Fragmentation attack 1.1.1.1
2.2.2.2
3.3.3.3
bruteforce 1.1.1.1
4.4.4.4
5.5.5.5
some tcp attack 1.1.1.1
6.6.6.6
7.7.7.7

So from the above data, 1.1.1.1 is common to all the attacks on my network and I need a search query to list out the common IPs.
I hope I have made myself clear.
My base search to get the results is

index="netgear" | stats values(srcip) as srcip values(destip) as destip by message
0 Karma

SplunkTrust

Hi @ranjitbrhm1,

This is a great way to find compromised IPs. Your search should be like this if you want to find all attack messages for your source IP:

 index="netgear" | stats values(message) as message by srcip

You can even filter out whichever has more than 2 attack vectors:

 index="netgear" | stats dc(message) as condition, values(message) as message by srcip | where condition>2

And you can also add the list of destinations:

 index="netgear" | stats dc(message) as condition, values(message) as message, values(destip) as destip by srcip

Let me know if this helps.

Cheers,
David

0 Karma

Champion

I suspect you are presenting a snippet of your requirements, however try this and see if this takes you any nearer to your solution.

| makeresults
| eval evnt="Fragmentation attack 1.1.1.1
2.2.2.2
3.3.3.3
bruteforce 1.1.1.1
4.4.4.4
5.5.5.5
some tcp attack 1.1.1.1
6.6.6.6
7.7.7.7"
| rex field=evnt "(?<text>\d+\.\d+\.\d+\.\d+)" max_match=0
| mvexpand text
| stats count by text

So, here the count for 1.1.1.1 is the highest and you can just filter by the count for the IP having the maximum occurrence.

0 Karma

Communicator

Thank you for the answer, let me try to explain my entire requirement so it's more clear. I get a log from the firewall. Inside the firewall log there are some destination IPs under attack by fragmentation attack, some destination IPs under attack by brute force and some destination IPs under attack by some other attack. So I want to find out if any destination IP is under attack by multiple methods. Like in the above scenario, 1.1.1.1 is under attack by all three types of attacks. So basically I need to find the most vulnerable IP address in the network. Hope I made myself clear.
Thanks

0 Karma

Champion

You need to provide a better snapshot of your logs.
What is the difference between the output of the above query and what you want?

0 Karma
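Putting the thread together as an added example (not posted by anyone in this thread): the search below builds the question's sample data inline with makeresults, so it runs without the netgear index, and then applies the dc(message) approach from the answers to destip, which is what the clarified requirement asks for. The field names message and destip are taken from the original base search; the pairs field and the attack_types/attacks names are assumptions for this example.

```spl
| makeresults
| eval pairs="Fragmentation attack,1.1.1.1;Fragmentation attack,2.2.2.2;Fragmentation attack,3.3.3.3;bruteforce,1.1.1.1;bruteforce,4.4.4.4;bruteforce,5.5.5.5;some tcp attack,1.1.1.1;some tcp attack,6.6.6.6;some tcp attack,7.7.7.7"
| makemv delim=";" pairs
| mvexpand pairs
| rex field=pairs "^(?<message>[^,]+),(?<destip>.+)$"
| stats dc(message) AS attack_types, values(message) AS attacks BY destip
| where attack_types > 1
| sort - attack_types
```

On the sample data only 1.1.1.1 survives the where clause, with attack_types=3 and all three messages listed under attacks; against real data, replace everything up to the rex line with the base search index="netgear" so message and destip come from the firewall events themselves.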