Splunk Search

How to search cisco firewall Deny actions based on internal source IPs against multiple external IP subnets?

artheb
New Member

Hi There,

This is my first post so wanted to say Hello!
I am trying to create an alert for possible Deny action on our firewall from 3 different internal IPs against multiple external IP subnets not single IPs.

I found this post http://answers.splunk.com/answers/57094/join-ip-with-a-subnet.html
and created ip_lookups.csv and transforms.conf

ip_lookups.csv has following format (ip ranges changed for demo purpose)
ip,location
200.100.32.0/19,target1 255.255.224.0
100.200.30.0/19,target2 255.255.224.0
50.60.80.0/20,target3 255.255.240.0

Could you advise on how to create a search rule to reflect the target subnets based on the ip_lookups.csv, please? Maybe there is a better way of doing it.
Thanks.

0 Karma

thomrs
Communicator

This works:

* | head 1 | eval ip = "192.168.0.11" | search ip=192.168.0.1/24
0 Karma

artheb
New Member

I tried to put it in my full search but it does not seem to work.

sourcetype=syslog source=/opt/splunk/rsyslog/udp/cisco.log host=firewall1 Deny tcp src 
|head 1 |  eval ip=“10.10.10.101” | search ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/18 OR ip=XX.XX.XX.XX/17 OR ip=XX.XX.XX.XX/24 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/19]
| append [head 2 |  eval ip=“10.10.10.102” | search ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/18 OR ip=XX.XX.XX.XX/17 OR ip=XX.XX.XX.XX/24 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/19]
| append [head 3 |  eval ip=“10.10.10.103” | search ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/18 OR ip=XX.XX.XX.XX/17 OR ip=XX.XX.XX.XX/24 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/19]

Could you advise, please?

0 Karma

artheb
New Member

Anyone could help on this?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...