Splunk Search

How do you search port ranges and match to service?

MABurberry
Engager

Hi Guys,

I hope someone can help me.

I'm looking to search through several port ranges and match against one or multiple services that the port ranges match.

For example:

From_Port   To_Port   Service
3600        3389      MySQL RDP

Right now, my search is only matching on the first value which is MySQL and not MySQL and RDP.

Does anyone have a smart way of doing this? I believe you can use a lookup, but you need to specify each port, and the ranges are massive.

Cheers


woodcock
Esteemed Legend

Create a lookup called AppPortLookup which has entries like this:

app    port
ssl    443,8443
http   80,443

Then, you can do something like this:

| tstats summariesonly=true count min(_time) AS firstTime max(_time) AS lastTime 
FROM datamodel=Network_Traffic 
WHERE
   [|inputlookup AppPortLookup 
   | rename app AS All_Traffic.app
   | rename port AS All_Traffic.dest_port
   | format
   | rex field=search mode=sed "s/AND \"All_Traffic.dest_port\"=/AND NOT \"All_Traffic.dest_port\" IN(/g s/ \) /) ) /g s/,/\",\"/g" ]
BY All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port

nickhills
Ultra Champion

A lookup is a good approach for this, but yes, you would need to specify each of the ports to make the reporting comprehensive, and there are a number of services which share ports with other applications. However, you can download a ready-made CSV list of all the assigned ports from here:

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

This would give you a head start, but if you have custom apps/services you may want to consider manually adding these to your lookup.

Also, this file is quite big, so you may wish to consider loading it into the KV store instead of a CSV lookup.

If my comment helps, please give it a thumbs up!
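The range-to-service matching both answers describe, as an added Python example that is not part of this thread or of Splunk: it parses a constructed sample in the IANA service-names-port-numbers.csv column layout together with constructed rows in the poster's From_Port/To_Port/Service layout, normalises reversed From/To columns, and returns every service whose range covers a port (a multivalue result rather than only the first match). The CSV contents, the "lo-hi" range notation and the expand_to_port_rows helper for building a per-port lookup are assumptions for this example, not a copy of the registry or a Splunk feature.

```python
"""Match a port against overlapping port ranges and return every service.

Added example. Sample CSVs below are constructed for the demo; the column
names mimic the IANA registry export and the poster's lookup layout.
"""
import csv
import io
from bisect import bisect_right

# Constructed rows in the IANA service-names-port-numbers.csv column layout.
# "lo-hi" in Port Number is an assumed range notation for this example.
IANA_SAMPLE_CSV = """Service Name,Port Number,Transport Protocol,Description
http,80,tcp,World Wide Web HTTP
https,443,tcp,http protocol over TLS/SSL
mysql,3306,tcp,MySQL
ms-wbt-server,3389,tcp,MS WBT Server
pcanywhere-data,5631,tcp,pcANYWHEREdata
dynamic,49152-65535,tcp,Dynamic/Private ports
"""

# Constructed custom-app rows in the poster's From_Port/To_Port/Service layout.
CUSTOM_RANGES_CSV = """From_Port,To_Port,Service
3300,3400,MySQL RDP
5600,5700,PCAnywhere
"""


def _normalise(lo, hi, service):
    """Validate a range and tolerate reversed From/To columns (e.g. 3600,3389)."""
    lo, hi = int(lo), int(hi)
    if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
        raise ValueError(f"port out of range for {service!r}: {lo}-{hi}")
    if lo > hi:
        lo, hi = hi, lo
    return (lo, hi, service)


def parse_iana_csv(text):
    """Return (lo, hi, service) tuples; Port Number is a single port or lo-hi.
    Rows with no port or no service name (reserved entries) are skipped."""
    ranges = []
    for row in csv.DictReader(io.StringIO(text)):
        port, name = row["Port Number"].strip(), row["Service Name"].strip()
        if not port or not name:
            continue
        lo, _, hi = port.partition("-")
        ranges.append(_normalise(lo, hi or lo, name))
    return ranges


def parse_range_csv(text):
    """Return (lo, hi, service) tuples from From_Port/To_Port/Service rows."""
    return [_normalise(r["From_Port"], r["To_Port"], r["Service"].strip())
            for r in csv.DictReader(io.StringIO(text))]


class PortRangeLookup:
    """Ranges sorted by start; a bisect bounds the candidates for each query."""

    def __init__(self, ranges):
        self._ranges = sorted(ranges)
        self._starts = [lo for lo, _, _ in self._ranges]

    def services_for(self, port):
        """All services whose range covers port, sorted (the multivalue answer)."""
        port = int(port)
        if not 0 <= port <= 65535:
            raise ValueError(f"invalid port {port}")
        n = bisect_right(self._starts, port)          # ranges with lo <= port
        return sorted({svc for lo, hi, svc in self._ranges[:n] if hi >= port})


def expand_to_port_rows(ranges):
    """Expand ranges into a per-port table {port: [services]} for a lookup
    keyed on a single port column (assumed layout, not a Splunk API)."""
    table = {}
    for lo, hi, svc in ranges:
        for p in range(lo, hi + 1):
            table.setdefault(p, set()).add(svc)
    return {p: sorted(s) for p, s in table.items()}


def build_demo_lookup():
    """Combine the registry sample with the custom ranges into one lookup."""
    return PortRangeLookup(parse_iana_csv(IANA_SAMPLE_CSV)
                           + parse_range_csv(CUSTOM_RANGES_CSV))


if __name__ == "__main__":
    lookup = build_demo_lookup()
    for port in (80, 3306, 3389, 5631, 50000, 25):
        print(port, lookup.services_for(port))
```

Querying 3389 returns both "MySQL RDP" (from the custom range) and "ms-wbt-server" (from the registry row), which is the multivalue behaviour the poster was missing; the per-port expansion is only worth materialising for the ranges you actually care about, since wide ranges such as the dynamic block produce one row per port.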