Splunk Search

How can I filter out source IP addresses based on results from a previous search (syslog in Splunk)?

MrSuperSeven
New Member

Hi, I have a customer using Splunk for just syslog.

There has recently been a DDoS attack; we are looking to report on how much traffic came from the known DDoS hosts.

In the syslog the router has flagged the known IPs as:

msg="torproject.org:Anonymizers, SSI:N" note="ACCESS BLOCK"

We can search for this fine; however, there is a preceding entry for the sending IP address in the syslog, where the router has forwarded this from the firewall to its IP address check phase.

We are looking to get total rows of all traffic from the DDoS hosts.

So we search for "torproject"; we then want to search again for all IPs that appeared in that first search. Then extract from that search every src="103.76.173.203:7627" and search for all of those.

Any ideas please?

End goal = how much traffic was from DDoS hosts and how much wasn't (as a rough %).

Thanks in advance

0 Karma

MrSuperSeven
New Member

Thanks for the response. I'll get into it tomorrow.

More info: it's all the one source in Splunk (1 x syslog spanning 30 days).

My search = "ACCESS BLOCK"

My results are many rows like:

XXXXXXXXXXX
XXXXXXXXXXX XXXXXXXXXXX Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.81:18837" dst="XXXXXXXXXXX:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="XXXXXXXXXXX" cat="URL Threat Filter"
host = XXXXXXXXXXX.splunkcloud.com   source = Syslog-CatchAll2024-08-12.txt   sourcetype = 1-Zyxel
XXXXXXXXXXX
XXXXXXXXXXX XXXXXXXXXXX Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.87:6139" dst="XXXXXXXXXXX:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="XXXXXXXXXXX" cat="URL Threat Filter"
host = XXXXXXXXXXX.splunkcloud.com   source = Syslog-CatchAll2024-08-12.txt   sourcetype = 1-Zyxel

I then want to search again but remove every line that has src="45.148.10.81:18837" OR src="45.148.10.87:6139" OR (the next) OR (the next) OR (and so on for 3000+ IP addresses),

thus giving me a data set of "known good traffic".

0 Karma

ITWhisperer
SplunkTrust

Assuming note and src are already extracted, then try something like this:

| eventstats values(eval(if(note="ACCESS BLOCK","BLOCKED",null()))) as blocked by src
| where isnull(blocked)
0 Karma

PickleRick
SplunkTrust

There can probably be more than one way of doing that. Depending on your actual data (both what it looks like and its volume characteristics), different ways may be the proper approach in terms of performance.

0 Karma

ITWhisperer
SplunkTrust

Without much detail about your events, it is a little difficult to give detailed answers. So, in general terms, you could search both sources at the same time, then use eventstats to tag the events from the second part of the search with the note from the first part of the search, using the IP address to correlate the events. Then you can count the events from the second part of the search which have the note and those that don't.

0 Karma
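The correlation ITWhisperer describes in both replies (search everything once, tag every event whose source host also appears in an "ACCESS BLOCK" event, then count tagged versus untagged events to get the rough percentage the original poster wants) is shown below as an added Python example. It is not code from the thread or from Splunk; it parses the Zyxel-style key="value" lines the poster pasted, and the sample log lines are constructed here using RFC 5737 documentation addresses and made-up ports.

```python
"""Correlate syslog events by source host: collect every host that produced an
ACCESS BLOCK event, then split all traffic into "from blocked hosts" and "other".
Added example for the thread above; the sample data is constructed, not real."""
import re
from typing import Dict, List, Set, Tuple

# Matches key="value" pairs as they appear in the Zyxel URL Threat Filter lines.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log: two hosts that were flagged as anonymizers (and also
# have ordinary forwarded connections) plus two hosts that were never flagged.
SAMPLE_LOG = """\
Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 C0 src="198.51.100.81:18837" dst="192.0.2.10:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="D1" cat="URL Threat Filter"
Local1.Notice 172.30.31.4 Aug 12 23:16:09 2024 C0 src="198.51.100.81:18838" dst="192.0.2.10:443" msg="Traffic Log" note="ACCESS FORWARD" user="unknown" devID="D1"
Local1.Notice 172.30.31.4 Aug 12 23:16:10 2024 C0 src="198.51.100.81:18839" dst="192.0.2.10:443" msg="Traffic Log" note="ACCESS FORWARD" user="unknown" devID="D1"
Local1.Warning 172.30.31.4 Aug 12 23:16:11 2024 C0 src="198.51.100.87:6139" dst="192.0.2.10:443" msg="torproject.org:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="D1" cat="URL Threat Filter"
Local1.Notice 172.30.31.4 Aug 12 23:16:12 2024 C0 src="198.51.100.87:6140" dst="192.0.2.10:443" msg="Traffic Log" note="ACCESS FORWARD" user="unknown" devID="D1"
Local1.Notice 172.30.31.4 Aug 12 23:16:13 2024 C0 src="203.0.113.5:40001" dst="192.0.2.10:443" msg="Traffic Log" note="ACCESS FORWARD" user="alice" devID="D1"
Local1.Notice 172.30.31.4 Aug 12 23:16:14 2024 C0 src="203.0.113.5:40002" dst="192.0.2.10:443" msg="Traffic Log" note="ACCESS FORWARD" user="alice" devID="D1"
Local1.Notice 172.30.31.4 Aug 12 23:16:15 2024 C0 src="203.0.113.9:50100" dst="192.0.2.10:443" msg="Traffic Log" note="ACCESS FORWARD" user="bob" devID="D1"
"""


def parse_event(line: str) -> Dict[str, str]:
    """Extract the key="value" fields from one line; the unquoted prefix
    (facility, relay IP, timestamp, device name) is left alone."""
    return dict(KV_RE.findall(line))


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line into a field dictionary."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def src_ip(event: Dict[str, str]) -> str:
    """Strip the ephemeral port from src="ip:port". Correlating on the bare IP is
    what makes every connection from a flagged host match, not just the single
    ip:port pair that happened to be blocked."""
    return event.get("src", "").rsplit(":", 1)[0]


def blocked_hosts(events: List[Dict[str, str]]) -> Set[str]:
    """The set-building half of the eventstats step: any host with at least one
    ACCESS BLOCK event is tagged as a blocked host."""
    return {src_ip(e) for e in events if e.get("note") == "ACCESS BLOCK" and src_ip(e)}


def known_good_traffic(events: List[Dict[str, str]], hosts: Set[str]) -> List[Dict[str, str]]:
    """Equivalent of `where isnull(blocked)`: events whose host was never blocked."""
    return [e for e in events if src_ip(e) not in hosts]


def split_traffic(events: List[Dict[str, str]], hosts: Set[str]) -> Tuple[int, int]:
    """Count events from blocked hosts and from everyone else."""
    from_blocked = sum(1 for e in events if src_ip(e) in hosts)
    return from_blocked, len(events) - from_blocked


def summarize(text: str) -> Dict[str, float]:
    """Run the whole pipeline over a log and report the rough percentage."""
    events = parse_log(text)
    hosts = blocked_hosts(events)
    from_blocked, from_other = split_traffic(events, hosts)
    total = from_blocked + from_other
    return {
        "blocked_hosts": len(hosts),
        "events_from_blocked_hosts": from_blocked,
        "events_from_other_hosts": from_other,
        "pct_from_blocked_hosts": round(100.0 * from_blocked / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

One point worth carrying back to the SPL in the thread: the pasted events carry src as ip:port, so grouping `by src` only tags the exact ip:port pair that was blocked. To tag all connections from a flagged host, split the IP out first (a `rex` on the src field before the `eventstats`) and group by that IP-only field, which is what `src_ip` does above.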