How do I Search for IP address hitting a specific ...

lucamarc · ‎08-30-2018

I think this should be within my grasp, but I don't seem to be able to create a search that returns what I'm looking for.

I'm trying to return from syslog any IP address that hits a specific port (say 12345), but also attempts connecting to any other ports other than 12345. In my scenario, a well-behaved host should exclusively connect to port 12345 and nothing else.

What I'm coming up with either returns no results or only results matching DPT=12345; it does not return anything in between.

Thanks

horsefez · ‎08-30-2018

Hi @lucamarc,

how about something along those lines.
As you didn't provide any example log data, I'm not sure how your logs look like. --> This is pseudo-code.

index=whatever DPT=* | eval port_type=if(DPT=="12345", "Normal", "Other") | stats values(DPT) by IP, port_type

lucamarc · ‎08-30-2018

Thanks @pyro_wood, I probably didn't explain this very well. I think that what you suggested is returning every host that ever attempted a connection, no matter if it never attempted connecting to port 12345.

I'm only interested in (the very few) IPs that both:
1. connect (or attempt to connect) to port 12345 AND
2. attempted connecting to a different port (any other port)

I'm collecting logs from Ubuntu 18.04 LST servers. This is the query I tried, based on your suggestion:

index="syslog" DPT=* | eval port_type=if(DPT=="12345", "Normal", "Abuser") | stats values(DPT) by SRC, port_type

How do I Search for IP address hitting a specific port + any other ports?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms