Splunk Search

How to edit my search to find firewall logs with excessive accepts from multiple sources to a single destination?

Path Finder

Hello,

I am looking for information on how I would go about monitoring firewall logs with excessive accepts to the same destination from at least 50 source IP addresses in 5 minutes.

Currently, I have the search below, but I am not sure how to create the correlation logic to work.

sourcetype=firewall action=accept | transaction SourceIP maxevents=100 maxpause=5m | stats values(DestIP) by SourceIP
1 Solution

Motivator

So sundareshr's queries are good ways to see the conditions you mention over time. The question is what do you want to do with this information? If it is to take some sort of action (run a script, alert, etc.) then I'd move from timechart to stats and schedule the search to run every 5 min. The other question I have is if you are going to take some action I'd build an eventtype that looks at IP information to determine if traffic is originating external to your org and coming in, originating inside and going out, inside and staying inside, and outside and going outside (useful for detecting misconfigs or where you need to update your eventtype). In my environment those are ext_to_int, int_to_ext, int_to_int, and ext_to_ext respectively. The query I'd propose, assuming this is scheduled and assuming you are looking for something like a DOS, is

sourcetype=firewall action=accept eventtype=ext_to_int | stats dc(SourceIP) as SourceIPs by DestIP | where SourceIPs > 50

I'd also recommend checking out Splunk's common information model (CIM) and suggest changing the field names/introducing field aliases so that SourceIP is src_ip and DestIP is dest_ip.

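The correlation logic from the accepted answer (distinct external sources per destination in a 5-minute window, alert when more than 50), as an added stand-alone Python model rather than SPL so it can be run offline over constructed sample events; it is not Splunk's code or the poster's. It assumes RFC 1918 ranges stand in for the answer's ext_to_int eventtype, uses the CIM field names src_ip/dest_ip the answer recommends, and buckets time into tumbling 5-minute windows the way `timechart span=5m` would.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: internal address space is RFC 1918; this replaces the answer's eventtype lookup.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def direction(src, dst):
    """Classify a flow like the answer's ext_to_int / int_to_ext / int_to_int / ext_to_ext eventtypes."""
    s = "int" if any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS) else "ext"
    d = "int" if any(ipaddress.ip_address(dst) in n for n in INTERNAL_NETS) else "ext"
    return f"{s}_to_{d}"

def window_start(ts, span_minutes=5):
    """Bucket a timestamp into a tumbling window, as `timechart span=5m` does."""
    return ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % span_minutes)

def find_fan_in(events, threshold=50, span_minutes=5):
    """Return {(window, dest_ip): distinct_source_count} for windows where more than
    `threshold` distinct external sources were accepted to one internal destination.
    Mirrors: eventtype=ext_to_int | stats dc(src_ip) by dest_ip | where dc > 50.
    events: dicts with keys time (datetime), action, src_ip, dest_ip."""
    sources = defaultdict(set)
    for e in events:
        if e["action"] != "accept" or direction(e["src_ip"], e["dest_ip"]) != "ext_to_int":
            continue  # only accepted, inbound-from-outside flows count
        sources[(window_start(e["time"], span_minutes), e["dest_ip"])].add(e["src_ip"])
    return {k: len(v) for k, v in sources.items() if len(v) > threshold}

def sample_events():
    """Constructed sample events (not real logs): 60 distinct external sources hit
    10.1.1.5 inside one window; the same 60 sources hit 10.1.1.6 but split 30/30
    across two windows; 60 internal sources hit 10.1.1.7 (int_to_int, must be ignored)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    evs = []
    for i in range(60):
        src = f"203.0.113.{i + 1}"  # TEST-NET-3, treated as external
        evs.append({"time": base + timedelta(seconds=i), "action": "accept", "src_ip": src, "dest_ip": "10.1.1.5"})
        evs.append({"time": base + timedelta(minutes=4 if i < 30 else 6), "action": "accept", "src_ip": src, "dest_ip": "10.1.1.6"})
        evs.append({"time": base, "action": "accept", "src_ip": f"192.168.0.{i + 1}", "dest_ip": "10.1.1.7"})
    return evs

if __name__ == "__main__":
    for (window, dest), n in find_fan_in(sample_events()).items():
        print(f"{window:%H:%M} {dest}: {n} distinct external sources")
```

Only 10.1.1.5 fires; 10.1.1.6 shows why the window boundary matters, since the same 60 sources spread across two windows never exceed the threshold in either.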


Legend

Try this. For each DestIP, it will show the count of requests and the SourceIPs accepted.

sourcetype=firewall action=accept | timechart span=5m values(SourceIP) as SourceIP count by DestIP | where count>50

*OR*

sourcetype=firewall action=accept | timechart span=5m values(SourceIP) as SourceIP dc(SourceIP) as count by DestIP | where count>50