Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for IP addresses that have been hit on more than one port within a short period of time?

Securitas
Engager
‎12-15-2015 03:00 PM

I have been trying to figure out on how to do a search for IP addresses that were hit on more than one Port in a short period of time.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎12-15-2015 03:56 PM

Hi Securitas,

all based on assumption, because you did not provide sample data and the search you're using - so I'll use a basic run everywhere example to construct an event and a search. I indexed a file containing this data as sourcetype=ip_port:

time=10:01 ip=1.1.1.1 port=22
time=10:02 ip=1.1.1.1 port=23
time=10:02 ip=2.2.2.2 port=23
time=10:02 ip=2.2.2.2 port=21
time=10:03 ip=1.1.1.1 port=80

Running this search will return connects to more than one port by time:

sourcetype="ip_port" | stats count(port) AS Port_count by time, ip | where Port_count>1

If you want to check over 2 minutes use this search (Note: the first line is only needed to construct a useable _time value):

sourcetype="ip_port" | addinfo | eval _time=_indextime 
| bin _time span=2min | stats count(port) AS Port_count by _time, ip | where Port_count>1

If you want to see which IP's got connection to the same port at the same time use this:

sourcetype="ip_port" | chart values(port) AS ports over time by ip

Hope this helps to get you started ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎12-15-2015 03:56 PM

Hi Securitas,

all based on assumption, because you did not provide sample data and the search you're using - so I'll use a basic run everywhere example to construct an event and a search. I indexed a file containing this data as sourcetype=ip_port:

time=10:01 ip=1.1.1.1 port=22
time=10:02 ip=1.1.1.1 port=23
time=10:02 ip=2.2.2.2 port=23
time=10:02 ip=2.2.2.2 port=21
time=10:03 ip=1.1.1.1 port=80

Running this search will return connects to more than one port by time:

sourcetype="ip_port" | stats count(port) AS Port_count by time, ip | where Port_count>1

If you want to check over 2 minutes use this search (Note: the first line is only needed to construct a useable _time value):

sourcetype="ip_port" | addinfo | eval _time=_indextime 
| bin _time span=2min | stats count(port) AS Port_count by _time, ip | where Port_count>1

If you want to see which IP's got connection to the same port at the same time use this:

sourcetype="ip_port" | chart values(port) AS ports over time by ip

Hope this helps to get you started ...

cheers, MuS

Reply
Solved! Jump to solution

Securitas
Engager
‎12-16-2015 10:45 AM

Thanks. That's within the confines of what I was looking for.

Cheers Mate.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...