Splunk Search

Help on query to filter incoming traffic to a firewall

Berfomet96
Explorer

Hello.

Recently I've joined a new company that is using Splunk as their SIEM, and this past month I've been trying to learn a bit about the tool since I'm completely new to it. I was assigned as an exercise to work out a query to basically do these 2 things:

  • identify potential policies with all ports enabled
  • identify which of these policies are receiving petitions from public IP addresses

So far I've come up with this query:

index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked 
| eventstats dc(dest_port) as ports by policyid 
| stats count by policyid ports 
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src),"private","public") 
| where source_ip="public"


Basically, the main problem I'm having, and can't seem to find a reasonable solution to, is that I've already managed to find out how to filter private IP addresses from the results, but I feel like my eventstats sentence is not working properly, mainly because I'm counting all the distinct destination ports but not by the policyid.

I'd be really grateful if you guys could give me a hint or some advice about how I can approach this case.

Thanks in advance

1 Solution

PickleRick
SplunkTrust

The beginning is quite good but as @ITWhisperer already pointed out, when you aggregate with stats you lose the original event data. So

1) dc the ports with eventstats by policy - this part you have.

2) filter to only include the policies with many ports (using where condition on the dc(ports) field) - it will limit the number of events at next steps

3) verify which policies receive traffic from non-local networks - again, this part you mostly have

4) list the policies with stats values(policyid) and you're home.

One additional hint - completely unrelated to all those stats and whatnot - if you're using accelerated datamodels, querying them instead of searching through raw data should be much faster. But that's a completely different story.



ITWhisperer
SplunkTrust
| stats count by policyid ports

This will leave you with events that only have three fields, count, policyid and ports. This means that src is not available for the if function. Perhaps move the eval and where commands before the stats command?

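Putting PickleRick's four steps together with ITWhisperer's point about command order, the search below is one complete shape the exercise can take. It is an added example, not code from either answer or from Splunk itself: it reuses the base search and the field names from the original question (policyid, dest_port, src, action) and assumes the FortiGate sourcetype populates them as shown there; the port threshold of 1000 is an assumed placeholder that has to be tuned against your own traffic, since "all ports enabled" can only be inferred from the number of distinct destination ports actually observed.

```spl
index="sourcedb" sourcetype=fgt_traffic host="<external firewall ip>" action!=blocked
| eventstats dc(dest_port) AS ports BY policyid
| where ports >= 1000
| eval source_ip=if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("172.16.0.0/12", src) OR cidrmatch("192.168.0.0/16", src), "private", "public")
| where source_ip="public"
| stats count AS public_hits, dc(src) AS public_sources, max(ports) AS ports BY policyid
| sort - ports
```

Line by line: eventstats attaches the per-policy distinct-port count to every event while keeping src available (step 1); the first where drops every event belonging to a policy under the threshold, so the later commands work on far fewer events (step 2); the eval and second where run before any stats, which is exactly why src is still there for cidrmatch (step 3 and ITWhisperer's fix); the final stats lists each remaining policy with how many public-source events and distinct public addresses hit it (step 4). If all you want is the bare list, `| stats values(policyid) AS policyid` in place of the last two lines gives PickleRick's form. Note that source_ip does not appear in the final statistics table because the BY clause only groups on policyid; add it to the BY clause if you want to see it. As a check on the result, treat a high dc(dest_port) as a lead rather than proof: confirm against the firewall's own policy table that the matched policies really have an "all services" rule, since a busy policy with a narrow service set can still show many observed ports over a long time range.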

Berfomet96
Explorer

Thanks for the reply. I tried that, but if I put the stats command at the end, then the column "source_ip" from the eval command won't show up in my statistics tab.
