Splunk Search

Help with Outbound SMB traffic Rule SPL, please. Thank you!

GIA
Path Finder

Can someone please help me with this rule? I have been assigned to create a bunch of similar rules but I am struggling with a few, this is what I have so far...

========================================

Strategy Abstract

The strategy will function as follows:

  • Utilize tstats to summarize SMB traffic data.
  • Identify internal hosts scanning for open SMB ports outbound to external hosts.

Technical Context

This rule focuses on detecting abnormal outbound SMB traffic.

===============================================================================

SPL is generating 0 errors but also 0 matches. 

 

| tstats summariesonly=true allow_old_summaries=true values(All_Traffic.dest_ip) as dest_ip dc(All_Traffic.dest_ip) as unique_dest_ips values(All_Traffic.dest_port) as dest_port values(All_Traffic.action) as action values(sourcetype) as sourcetype
    from datamodel=Network_Traffic.All_Traffic
    where (All_Traffic.src_ip [inputlookup internal_ranges.csv | table src_ip] OR NOT All_Traffic.dest_ip [ inputlookup internal_ranges.csv | table dest_ip]) AND All_Traffic.dest_port=445
    by _time All_Traffic.src_ip span=5m 
| `drop_dm_object_name(All_Traffic)` 
| where unique_dest_ips>=50
| search NOT [ | inputlookup scanners.csv | table ip | rename ip as src_ip]
| search NOT src_ip = "x.x.x.x"
| head 51

 

 

GIA_1-1704996513558.png

 

Labels (3)
Tags (1)
0 Karma
1 Solution

dtburrows3
Builder

You may want to walk back the SPL and see on which line results are getting dropped off. 
Is it the initial tstats callout? Just by looking at it the where clause in the tstats looks a bit strange, but hard to say without seeing what the contents of the internal_ranges.csv lookup are.

Does a query like this pull back any results?

| tstats summariesonly=true allow_old_summaries=true 
    values(All_Traffic.dest_ip) as dest_ip,
    dc(All_Traffic.dest_ip) as unique_dest_ips,
    values(All_Traffic.dest_port) as dest_port,
    values(All_Traffic.action) as action,
    values(sourcetype) as sourcetype
        from datamodel=Network_Traffic.All_Traffic
        where All_Traffic.src_ip IN ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12") AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12") AND All_Traffic.dest_port=445
            by _time All_Traffic.src_ip span=5m
    | rename
        All_Traffic.* as *

 Just switched up the tstats where filter a bit to src_ip is internal IP and dest_ip is external_ip which I think is what you described in the original post.

View solution in original post

GIA
Path Finder

thank you. It worked. 

0 Karma

dtburrows3
Builder

You may want to walk back the SPL and see on which line results are getting dropped off. 
Is it the initial tstats callout? Just by looking at it the where clause in the tstats looks a bit strange, but hard to say without seeing what the contents of the internal_ranges.csv lookup are.

Does a query like this pull back any results?

| tstats summariesonly=true allow_old_summaries=true 
    values(All_Traffic.dest_ip) as dest_ip,
    dc(All_Traffic.dest_ip) as unique_dest_ips,
    values(All_Traffic.dest_port) as dest_port,
    values(All_Traffic.action) as action,
    values(sourcetype) as sourcetype
        from datamodel=Network_Traffic.All_Traffic
        where All_Traffic.src_ip IN ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12") AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12") AND All_Traffic.dest_port=445
            by _time All_Traffic.src_ip span=5m
    | rename
        All_Traffic.* as *

 Just switched up the tstats where filter a bit to src_ip is internal IP and dest_ip is external_ip which I think is what you described in the original post.

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...