Splunk Search

Help with Outbound SMB traffic Rule SPL, please. Thank you!

GIA
Path Finder

Can someone please help me with this rule? I have been assigned to create a bunch of similar rules but I am struggling with a few, this is what I have so far...

========================================

Strategy Abstract

The strategy will function as follows:

  • Utilize tstats to summarize SMB traffic data.
  • Identify internal hosts scanning for open SMB ports outbound to external hosts.

Technical Context

This rule focuses on detecting abnormal outbound SMB traffic.

===============================================================================

SPL is generating 0 errors but also 0 matches. 


| tstats summariesonly=true allow_old_summaries=true values(All_Traffic.dest_ip) as dest_ip dc(All_Traffic.dest_ip) as unique_dest_ips values(All_Traffic.dest_port) as dest_port values(All_Traffic.action) as action values(sourcetype) as sourcetype
    from datamodel=Network_Traffic.All_Traffic
    where (All_Traffic.src_ip [inputlookup internal_ranges.csv | table src_ip] OR NOT All_Traffic.dest_ip [ inputlookup internal_ranges.csv | table dest_ip]) AND All_Traffic.dest_port=445
    by _time All_Traffic.src_ip span=5m 
| `drop_dm_object_name(All_Traffic)` 
| where unique_dest_ips>=50
| search NOT [ | inputlookup scanners.csv | table ip | rename ip as src_ip]
| search NOT src_ip = "x.x.x.x"
| head 51


1 Solution

dtburrows3
Builder

You may want to walk back the SPL and see on which line results are getting dropped off. 
Is it the initial tstats callout? Just by looking at it the where clause in the tstats looks a bit strange, but hard to say without seeing what the contents of the internal_ranges.csv lookup are.

Does a query like this pull back any results?

| tstats summariesonly=true allow_old_summaries=true 
    values(All_Traffic.dest_ip) as dest_ip,
    dc(All_Traffic.dest_ip) as unique_dest_ips,
    values(All_Traffic.dest_port) as dest_port,
    values(All_Traffic.action) as action,
    values(sourcetype) as sourcetype
        from datamodel=Network_Traffic.All_Traffic
        where All_Traffic.src_ip IN ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12") AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12") AND All_Traffic.dest_port=445
            by _time All_Traffic.src_ip span=5m
    | rename
        All_Traffic.* as *

Just switched up the tstats where filter a bit to src_ip is internal IP and dest_ip is external_ip which I think is what you described in the original post.
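The filter and threshold from the accepted answer, re-implemented in Python over constructed flow records as an added example (not code from this thread or from Splunk). The internal ranges, port 445, the 5-minute span and the 50-destination threshold come from the posts above; the scanner allow-list, host addresses and sample flows are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Same boundaries the accepted answer hard-codes in its tstats where clause.
INTERNAL_RANGES = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Stand-in for scanners.csv: authorised scanners dropped after aggregation (constructed value).
KNOWN_SCANNERS = {"10.9.9.9"}


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_RANGES)


def bucket(ts: int, span: int = 300) -> int:
    """Floor an epoch timestamp to a fixed window, like `by _time span=5m`."""
    return ts - (ts % span)


def find_smb_sweeps(flows, threshold=50, span=300, scanners=KNOWN_SCANNERS):
    """Return {(window_start, src_ip): unique external dest count} for hosts over threshold."""
    dests = defaultdict(set)
    for ts, src, dst, port, _action in flows:
        # Mirrors the where clause: internal source AND external destination AND port 445.
        if port == 445 and is_internal(src) and not is_internal(dst):
            dests[(bucket(ts, span), src)].add(dst)
    # `where unique_dest_ips>=50`, then `search NOT [scanners.csv]`.
    return {k: len(v) for k, v in dests.items()
            if len(v) >= threshold and k[1] not in scanners}


# Constructed sample flows (epoch seconds, src_ip, dest_ip, dest_port, action); not real traffic.
BASE = 1_700_000_100  # multiple of 300, so it opens a 5-minute window


def _sweep(src, dsts, start):
    return [(start + i, src, d, 445, "allowed") for i, d in enumerate(dsts)]


SAMPLE_FLOWS = (
    _sweep("10.1.2.3", [f"203.0.113.{i}" for i in range(1, 61)], BASE)     # 60 external targets: alerts
    + _sweep("10.1.2.4", [f"198.51.100.{i}" for i in range(1, 11)], BASE)  # 10 targets: under threshold
    + _sweep("10.1.2.5", [f"10.20.30.{i}" for i in range(1, 61)], BASE)    # internal dests: ignored
    + _sweep("10.9.9.9", [f"203.0.113.{i}" for i in range(1, 61)], BASE)   # allow-listed scanner: dropped
    # 60 targets straddling two windows (30 each): fixed spans miss this, a known blind spot
    + _sweep("10.1.2.6", [f"192.0.2.{i}" for i in range(1, 61)], BASE + 270)
)

if __name__ == "__main__":
    for (window, src), n in sorted(find_smb_sweeps(SAMPLE_FLOWS).items()):
        print(f"{window} {src} reached {n} external hosts on 445")
```

Only the 10.1.2.3 sweep survives the three filters; the host whose sweep straddles the window boundary shows why a fixed `span` can undercount and is worth checking against your own data.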


GIA
Path Finder

Thank you. It worked.


