Splunk Search

How can I filter out source IP addresses based on results from a previous search (syslog in Splunk)

MrSuperSeven
New Member

Hi, I have a customer using Splunk for just syslog.

There has recently been a DDoS attack; we are looking to report on how much traffic came from the known DDoS hosts.

In the syslog the router has flagged the known IPs as:

msg="torproject.org:Anonymizers, SSI:N" note="ACCESS BLOCK"

We can search for this fine; however, there is a preceding entry for the sending IP address in the syslog where the router has forwarded this from the firewall to its IP address check phase.

We are looking to get total rows of all traffic from DDoS hosts.

So we search for "torproject"; we then want to search again for all IPs that appeared in that first search, then extract from that search every src="103.76.173.203:7627" and then search for all those.

Any ideas please?

End goal = how much traffic was from DDoS hosts and how much wasn't (as a rough %).

Thanks in advance

MrSuperSeven
New Member

Thanks for the response. I'll get into it tomorrow.

More info: it's all the one source in Splunk (1 x syslog spanning 30 days).

My search = "ACCESS BLOCK"

My results are many rows of:

XXXXXXXXXXX
XXXXXXXXXXX XXXXXXXXXXX Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.81:18837" dst="XXXXXXXXXXX:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="XXXXXXXXXXX" cat="URL Threat Filter"
host = XXXXXXXXXXX.splunkcloud.com   source = Syslog-CatchAll2024-08-12.txt   sourcetype = 1-Zyxel
XXXXXXXXXXX
XXXXXXXXXXX XXXXXXXXXXX Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.87:6139" dst="XXXXXXXXXXX:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="XXXXXXXXXXX" cat="URL Threat Filter"
host = XXXXXXXXXXX.splunkcloud.com   source = Syslog-CatchAll2024-08-12.txt   sourcetype = 1-Zyxel

I then want to search again but remove every line that has src="45.148.10.81:18837" OR src="45.148.10.87:6139" OR (the next) OR (the next) OR (and so on for 3000+ IP addresses).

Thus giving me a data set of "known good traffic"

ITWhisperer
SplunkTrust

Assuming note and src are already extracted, then try something like this

| eventstats values(eval(if(note="ACCESS BLOCK","BLOCKED",null()))) as blocked by src
| where isnull(blocked)

PickleRick
SplunkTrust

There can probably be more than one way of doing that. Depending on your actual data (both what it looks like and its volume characteristics), different ways may be the proper approach in terms of performance.

ITWhisperer
SplunkTrust

Without much detail about your events, it is a little difficult to give detailed answers, so, in general terms, you could search both sources at the same time, then use eventstats to tag the events from the second part of the search with the note from the first part of the search, using the IP address to correlate the events. Then you can count the events from the second part of the search which have the note and those that don't.

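The approach ITWhisperer describes in both replies above (tag every event with a per-source marker via eventstats, then count tagged versus untagged events), written out as one full search that also yields the rough percentage MrSuperSeven asked for. This is an added example, not code from either reply: it assumes the auto-extracted note and src fields visible in the sample events, IPv4 addresses with a port appended as in the samples (the port is stripped first, because grouping by the raw src value would treat 45.148.10.81:18837 and 45.148.10.81:18838 as two different hosts), and a placeholder index name.

```spl
index=<your_index> sourcetype=1-Zyxel src=*
| rex field=src "^(?<src_ip>[^:]+)"
| eventstats values(eval(if(note="ACCESS BLOCK","BLOCKED",null()))) as blocked by src_ip
| eval traffic_class=if(isnull(blocked),"known_good","ddos_host")
| stats count by traffic_class
| eventstats sum(count) as total
| eval pct=round(100*count/total,1)
| table traffic_class count pct
```

Run it over the full 30-day window so the ACCESS BLOCK events and the preceding forwarded entries from the same address fall inside the same search; any src_ip that was blocked at least once anywhere in that window is classed as ddos_host for all of its events. Dropping the last four lines and keeping `| where isnull(blocked)` instead gives the "known good traffic" data set as raw events.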