
How to generate a malware search to find users with packets sent out every 1, 3, or 5 minutes for the last 24 hours?

New Member

I'd like to find users with activity in every 1/3/5 minute bucket in the last 24 hours as an indication of possible malware/botnet beaconing.

Let's say I have sourcetype=firewall and bytesout/packetsout for activity and src_user for user.

Any idea how to write such a search?


Re: How to generate a malware search to find users with packets sent out every 1, 3, or 5 minutes for the last 24 hours?

SplunkTrust

Something like this. You can update the span per your need.

index=YourINdex sourcetype=firewall | bucket span=1m _time | stats sum(bytes_out) as bytes_out sum(packets_out) as packets_out by _time activity src_user

Re: How to generate a malware search to find users with packets sent out every 1, 3, or 5 minutes for the last 24 hours?

New Member

How would you filter it further to get only the users that have packets_out > 10 in every 5 min bucket?


Re: How to generate a malware search to find users with packets sent out every 1, 3, or 5 minutes for the last 24 hours?

SplunkTrust

With the current query, it's giving you the total packets sent by each activity/src_user combination for every minute. To get "only the users that have packets_out > 10 in every 5 min bucket", first change the span to 5m and then use a where clause to filter it.

index=YourINdex sourcetype=firewall | bucket span=5m _time | stats sum(bytes_out) as bytes_out sum(packets_out) as packets_out by _time activity src_user | where packets_out>10

Re: How to generate a malware search to find users with packets sent out every 1, 3, or 5 minutes for the last 24 hours?

New Member

Yes, but it only gives users with activity in each bucket.

Let's say we have three buckets:
bucket1:
user1,user2,user3
bucket2:
user1,user4,user5
bucket3:
user1,user4,user6

So, I want to display only the usernames with activity in all buckets, so in this case it's only user1.

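The last post in the thread (keep only users that appear in every bucket, so user1 in the three-bucket example) is not answered above. The missing step is to turn the per-bucket rows into a per-user count of qualifying buckets and compare that count with the number of buckets the search window should contain (288 five-minute buckets in 24 hours); in SPL that is a second stats over the filtered rows, counting distinct bucket times per src_user. The following Python is an added example that is not part of the thread: it implements the same bucket/sum/filter/count logic over a small set of constructed firewall events, so the rule can be checked offline before it is written as a search. Field names, the 5-minute span, the threshold of 10 packets and the six-bucket window are assumptions taken from the thread's wording.

```python
from collections import defaultdict

SPAN = 300                              # 5-minute buckets, like `bucket span=5m _time`
WINDOW_START = 1_700_000_100            # epoch seconds, aligned to SPAN; stands in for "last 24h"
WINDOW_END = WINDOW_START + 6 * SPAN    # six buckets for the demo (288 for a real 24h window)
MIN_PACKETS = 10                        # the thread's `where packets_out>10`

# Constructed firewall events (not real data): (_time epoch seconds, src_user, packets_out).
SAMPLE_EVENTS = [
    # user1: at least 12 packets in every one of the six buckets -> beacon candidate
    (WINDOW_START + 10, "user1", 12), (WINDOW_START + 310, "user1", 12),
    (WINDOW_START + 610, "user1", 12), (WINDOW_START + 910, "user1", 12),
    (WINDOW_START + 1210, "user1", 12), (WINDOW_START + 1510, "user1", 12),
    # user4: lots of traffic, but only in three buckets
    (WINDOW_START + 320, "user4", 50), (WINDOW_START + 620, "user4", 50),
    (WINDOW_START + 920, "user4", 50),
    # user7: present in every bucket, but never above the packet threshold
    (WINDOW_START + 20, "user7", 3), (WINDOW_START + 330, "user7", 3),
    (WINDOW_START + 640, "user7", 3), (WINDOW_START + 950, "user7", 3),
    (WINDOW_START + 1260, "user7", 3), (WINDOW_START + 1570, "user7", 3),
    # user2: two events that only sum above the threshold inside the first bucket
    (WINDOW_START + 40, "user2", 6), (WINDOW_START + 100, "user2", 6),
    # user5: outside the search window, must be ignored
    (WINDOW_START - 100, "user5", 99),
]


def bucket_packets(events, span=SPAN, start=WINDOW_START, end=WINDOW_END):
    """Equivalent of `bucket span=5m _time | stats sum(packets_out) by _time src_user`.

    Returns {(bucket_start, src_user): packets_out_sum} for events inside [start, end).
    Bucket boundaries are multiples of `span`, which is how Splunk's bucket command aligns them.
    """
    totals = defaultdict(int)
    for t, user, packets in events:
        if not (start <= t < end):
            continue
        bucket = (t // span) * span
        totals[(bucket, user)] += packets
    return dict(totals)


def users_in_every_bucket(events, span=SPAN, start=WINDOW_START, end=WINDOW_END,
                          min_packets=MIN_PACKETS):
    """Users whose summed packets_out exceeds min_packets in *every* bucket of the window.

    The comparison is against the number of buckets the window should contain, not the
    number of buckets that happened to have traffic: a user who is present in the only
    three buckets with any data is not a beacon, just the only user who was online.
    """
    expected_buckets = (end - start) // span
    qualifying = defaultdict(set)
    for (bucket, user), packets in bucket_packets(events, span, start, end).items():
        if packets > min_packets:
            qualifying[user].add(bucket)
    return sorted(user for user, buckets in qualifying.items()
                  if len(buckets) == expected_buckets)


if __name__ == "__main__":
    for (bucket, user), packets in sorted(bucket_packets(SAMPLE_EVENTS).items()):
        print(f"bucket={bucket} user={user} packets_out={packets}")
    print("users in every bucket:", users_in_every_bucket(SAMPLE_EVENTS))
```

Two caveats carry over to the search itself. First, a real 24-hour window with 5-minute buckets should be compared against 288, and a user with a single quiet bucket will drop out; if that is too strict, compare against a fraction of the expected count instead of equality. Second, a strict "every bucket" rule also matches legitimate chatty clients (update checkers, monitoring agents), so the result is a candidate list for triage, not a verdict.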