Hi, I have a customer using Splunk for just syslog.
There has recently been a DDoS attack; we are looking to report on how much traffic came from the known DDoS hosts.
In the syslog the router has flagged the known IPs as:
msg="torproject.org:Anonymizers, SSI:N" note="ACCESS BLOCK"
We can search for this fine; however, there is a preceding entry for the sending IP address in the syslog, where the router has forwarded this from the firewall to its IP address check phase.
We are looking to get the total rows of all traffic from DDoS hosts.
So we search for "torproject"; we then want to search again for all IPs that appeared in that first search, then extract from that search every src="103.76.173.203:7627" and search for all those.
Any ideas please?
End goal = how much traffic was from DDoS hosts and how much wasn't (as a rough %).
Thanks in advance
Thanks for the response. I'll get into it tomorrow.
More info. It's all the one source in Splunk (1 x syslog spanning 30 days).
My search = "ACCESS BLOCK"
My results are many rows of =
XXXXXXXXXXX
XXXXXXXXXXX XXXXXXXXXXX Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.81:18837" dst="XXXXXXXXXXX:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="XXXXXXXXXXX" cat="URL Threat Filter"
host = XXXXXXXXXXX.splunkcloud.com   source = Syslog-CatchAll2024-08-12.txt   sourcetype = 1-Zyxel
XXXXXXXXXXX
XXXXXXXXXXX XXXXXXXXXXX Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.87:6139" dst="XXXXXXXXXXX:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="XXXXXXXXXXX" cat="URL Threat Filter"
host = XXXXXXXXXXX.splunkcloud.com   source = Syslog-CatchAll2024-08-12.txt   sourcetype = 1-Zyxel
I then want to search again but remove every line that has src="45.148.10.81:18837" OR src="45.148.10.87:6139" OR (the next) OR (the next) OR (and so on for 3000+ IP addresses),
thus giving me a data set of "known good traffic".
Assuming note and src are already extracted, then try something like this
| eventstats values(eval(if(note="ACCESS BLOCK","BLOCKED",null()))) as blocked by src
| where isnull(blocked)
There is probably more than one way of doing that. Depending on your actual data (both what it looks like and its volume characteristics), different ways may be the proper approach in terms of performance.
Without much detail about your events, it is a little difficult to give detailed answers, so, in general terms, you could search both sources at the same time, then use eventstats to tag the events from the second part of the search with the note from the first part of the search, using the IP address to correlate the events. Then you can count the events from the second part of the search which have the note and those that don't.
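As an added example (not code from the original post or from either reply), here is the correlation both replies describe, carried out in Python over a handful of constructed events in the layout the question shows, so the logic can be run and checked offline. Two things in it are assumptions: the "preceding" firewall entries for the same connections are written as note="ACCESS FORWARD" (the post only shows the blocked ones), and the correlation key is the IP with the port stripped off, because src in these events is ip:port and a match on the raw field would only catch the single connection the URL Threat Filter blocked, not the rest of that host's traffic. The first reply's eventstats-by-src tagging is the same idea; in SPL you would first derive the port-free key from src (for example with rex) and tag by that instead of by the raw src.

```python
import re
from collections import Counter

# Constructed sample events in the layout shown in the question (hosts and devIDs redacted
# as in the post). The note="ACCESS FORWARD" lines are an assumption about what the
# preceding firewall entries look like; only the ACCESS BLOCK lines mirror the post.
SAMPLE_LOG = """\
Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.81:18837" dst="XXXXXXXXXXX:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="XXXXXXXXXXX" cat="URL Threat Filter"
Local1.Warning 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.87:6139" dst="XXXXXXXXXXX:443" msg="surfshark.com:Anonymizers, SSI:N" note="ACCESS BLOCK" user="unknown" devID="XXXXXXXXXXX" cat="URL Threat Filter"
Local1.Notice 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.81:18837" dst="XXXXXXXXXXX:443" note="ACCESS FORWARD" user="unknown" devID="XXXXXXXXXXX" cat="Firewall"
Local1.Notice 172.30.31.4 Aug 12 23:16:09 2024 CXXXXXXXXXXX0 src="45.148.10.87:6139" dst="XXXXXXXXXXX:443" note="ACCESS FORWARD" user="unknown" devID="XXXXXXXXXXX" cat="Firewall"
Local1.Notice 172.30.31.4 Aug 12 23:16:10 2024 CXXXXXXXXXXX0 src="45.148.10.81:19002" dst="XXXXXXXXXXX:443" note="ACCESS FORWARD" user="unknown" devID="XXXXXXXXXXX" cat="Firewall"
Local1.Notice 172.30.31.4 Aug 12 23:16:11 2024 CXXXXXXXXXXX0 src="203.0.113.5:51000" dst="XXXXXXXXXXX:443" note="ACCESS FORWARD" user="unknown" devID="XXXXXXXXXXX" cat="Firewall"
Local1.Notice 172.30.31.4 Aug 12 23:16:12 2024 CXXXXXXXXXXX0 src="198.51.100.7:40222" dst="XXXXXXXXXXX:443" note="ACCESS FORWARD" user="unknown" devID="XXXXXXXXXXX" cat="Firewall"
"""

# key="value" pairs as the Zyxel events carry them (values may contain spaces and colons).
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_events(log_text):
    """Turn each non-empty syslog line into a dict of its key="value" fields."""
    return [dict(KV_RE.findall(line)) for line in log_text.splitlines() if line.strip()]


def src_ip(event):
    """Correlation key: the src field minus the ephemeral client port (IPv4 ip:port only).
    Keying on the raw src would match just the one connection the filter blocked."""
    ip, sep, _port = event.get("src", "").rpartition(":")
    return ip if sep else event.get("src", "")


def src_raw(event):
    """Naive correlation key: the src field exactly as logged, port included."""
    return event.get("src", "")


def blocked_keys(events, key=src_ip):
    """Same role as the eventstats tagging in the reply: every key that has at least one
    ACCESS BLOCK event, collected once over the whole search window."""
    return {key(e) for e in events if e.get("note") == "ACCESS BLOCK"}


def attribute_traffic(events, key=src_ip):
    """Tag each event as coming from a blocked host or not; return (ddos_rows, good_rows)."""
    bad = blocked_keys(events, key)
    counts = Counter("ddos" if key(e) in bad else "good" for e in events)
    return counts["ddos"], counts["good"]


def ddos_share(events, key=src_ip):
    """Rough percentage of all rows that came from hosts the filter blocked."""
    ddos, good = attribute_traffic(events, key)
    total = ddos + good
    return round(100.0 * ddos / total, 1) if total else 0.0


def known_good(events, key=src_ip):
    """The 'known good traffic' data set: rows whose source never triggered an ACCESS BLOCK
    (the equivalent of `| where isnull(blocked)` in the reply)."""
    bad = blocked_keys(events, key)
    return [e for e in events if key(e) not in bad]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("by IP      :", attribute_traffic(events), f"{ddos_share(events)}% from DDoS hosts")
    print("by ip:port :", attribute_traffic(events, key=src_raw), "(undercounts: misses other ports)")
```

Run against the constructed sample, keying on the IP attributes the 45.148.10.81:19002 row to the blocked host as well, while keying on the raw ip:port leaves it in the "good" set; over a real 30-day window with thousands of blocked hosts that difference is exactly the traffic the question wants counted.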