Splunk Search

How to blacklist lookup for syslogs?

splunkboob
Explorer

I have a blacklist.csv file that looks like the following:

IP domain
1.0.136.29 # 2018-11-12, node-1lp.pool-1-0.dynamic.totbb.net, THA, 2
1.0.136.215 # 2018-10-06, node-1qv.pool-1-0.dynamic.totbb.net, THA, 2

I want to scan my syslog events and see if any IP address matches the IPs in this blacklist.

A syslog event looks like this:

Feb 7 03:32:31 Router kernel: [WAN_IN-3009-A]IN=eth0 OUT=eth1.100 MAC=18:e8:29:44:40:ac:00:1d:aa:a2:78:axxxxxx src=128.199.123.0 DST=192.168.100.207 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=52834 DF PROTO=TCP SPT=38290 DPT=8194 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x64800000

I already set up a lookup definition and lookup table, but I don't know exactly how to put up a search to display if a syslog event matches an IP in the blacklist.csv.


ITWhisperer
SplunkTrust

Assuming src and DST are already extracted and you don't already have a domain field extracted in your events, you could try this:

| lookup blacklist.csv IP as src
| lookup blacklist.csv IP as DST
| where isnotnull(domain)

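The matching the accepted answer does in SPL, rewritten as an added Python example (not code from the thread) so it can be run offline over a few constructed events. It loads the blacklist, extracts the key=value fields from each netfilter line the way Splunk's automatic extraction would, applies the two lookups on src and DST, and keeps only events that got a domain. Two assumptions are labelled in the code: the blacklist row format (first whitespace-separated token is the IP, the rest is the domain column, which is what the poster's lookup definition must already do), and the two extra sample events, which are constructed to match on src and on DST respectively.

```python
import re

# Constructed copy of the poster's blacklist.csv: an "IP domain" header, then one IP per
# row with the remainder of the line carried as the "domain" column.
BLACKLIST_CSV = """IP domain
1.0.136.29 # 2018-11-12, node-1lp.pool-1-0.dynamic.totbb.net, THA, 2
1.0.136.215 # 2018-10-06, node-1qv.pool-1-0.dynamic.totbb.net, THA, 2
"""

# Constructed syslog events. The first is the poster's own line (no blacklist hit);
# the second and third are made up so that one matches on src and one on DST.
EVENTS = [
    "Feb 7 03:32:31 Router kernel: [WAN_IN-3009-A]IN=eth0 OUT=eth1.100 MAC=18:e8:29:44:40:ac:00:1d:aa:a2:78:axxxxxx src=128.199.123.0 DST=192.168.100.207 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=52834 DF PROTO=TCP SPT=38290 DPT=8194 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x64800000",
    "Feb 7 03:40:02 Router kernel: [WAN_IN-3009-A]IN=eth0 OUT=eth1.100 MAC=18:e8:29:44:40:ac:00:1d:aa:a2:78:axxxxxx src=1.0.136.29 DST=192.168.100.207 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Feb 7 03:41:15 Router kernel: [WAN_OUT-3010-A]IN=eth1.100 OUT=eth0 MAC=... src=192.168.100.50 DST=1.0.136.215 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
]

# key=value pairs as they appear in netfilter log lines
KV_RE = re.compile(r"(\w+)=(\S+)")


def load_blacklist(text):
    """Parse the blacklist into {IP: domain}.

    Assumption: the first whitespace-separated token of each row is the IP and the rest
    of the row is the 'domain' column (the header row is skipped). Splunk itself would
    read whatever delimiter the poster's lookup definition specifies.
    """
    table = {}
    for lineno, line in enumerate(text.splitlines()):
        line = line.strip()
        if not line or lineno == 0:
            continue
        ip, _, domain = line.partition(" ")
        table[ip.strip()] = domain.strip()
    return table


def extract_fields(event):
    """Stand-in for Splunk's automatic key=value extraction.

    Field names are case-sensitive, exactly as in Splunk: 'src' and 'DST' are distinct
    fields, which is why the answer runs two lookups rather than one.
    """
    return dict(KV_RE.findall(event))


def lookup(fields, table, event_field, out_field="domain"):
    """Mimic `| lookup blacklist.csv IP as <event_field>`.

    The output field is written only when the event field value is found in the table;
    on a miss the event is left as it is, so a hit from the earlier lookup survives.
    """
    value = fields.get(event_field)
    if value is not None and value in table:
        fields[out_field] = table[value]
    return fields


def find_blacklisted(events, table):
    """Run the answer's pipeline over raw events and return the hits as
    (matched_field, ip, domain) tuples."""
    hits = []
    for event in events:
        fields = extract_fields(event)
        lookup(fields, table, "src")       # | lookup blacklist.csv IP as src
        lookup(fields, table, "DST")       # | lookup blacklist.csv IP as DST
        if fields.get("domain") is not None:  # | where isnotnull(domain)
            side = "src" if fields.get("src") in table else "DST"
            hits.append((side, fields[side], fields["domain"]))
    return hits


if __name__ == "__main__":
    for hit in find_blacklisted(EVENTS, load_blacklist(BLACKLIST_CSV)):
        print(hit)
```

Two things worth keeping in mind when running the real SPL: Splunk field names are case-sensitive, so the lookups must use the names as extracted from the events (here src and DST), and because both lookups write the same domain field, an event whose src and DST are both listed ends up with the DST entry's domain.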