Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I Search for IP address hitting a specific port + any other ports?

lucamarc
Path Finder
‎08-30-2018 01:50 PM

I think this should be within my grasp, but I don't seem to be able to create a search that returns what I'm looking for.

I'm trying to return from syslog any IP address that hits a specific port (say 12345), but also attempts connecting to any other ports other than 12345. In my scenario, a well-behaved host should exclusively connect to port 12345 and nothing else.

What I'm coming up with either returns no results or only results matching DPT=12345; it does not return anything in between.

Thanks

0 Karma
Reply

horsefez
Motivator
‎08-30-2018 02:40 PM

Hi @lucamarc,

how about something along those lines.
As you didn't provide any example log data, I'm not sure how your logs look like. --> This is pseudo-code.

index=whatever DPT=* | eval port_type=if(DPT=="12345", "Normal", "Other") | stats values(DPT) by IP, port_type

0 Karma
Reply

lucamarc
Path Finder
‎08-30-2018 09:25 PM

Thanks @pyro_wood, I probably didn't explain this very well. I think that what you suggested is returning every host that ever attempted a connection, no matter if it never attempted connecting to port 12345.

I'm only interested in (the very few) IPs that both:
1. connect (or attempt to connect) to port 12345 AND
2. attempted connecting to a different port (any other port)

I'm collecting logs from Ubuntu 18.04 LST servers. This is the query I tried, based on your suggestion:

index="syslog" DPT=* | eval port_type=if(DPT=="12345", "Normal", "Abuser") | stats values(DPT) by SRC, port_type
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...