Hello all,
I have some IDS alerts ("top src_ip,dest_ip") in which I want to see if the dest_ip is contacting the src_ips. This would lead me to investigate the communications between the two IPs; otherwise, if the dest_ip is not communicating back, I would ignore it and move on.
| Top Src_IP (Internet) | Top Dest_IP (Local) | HitCount |
|---|---|---|
| **1.2.3.4** | 192.168.1.2 | 254 |
| **4.3.2.1** | 192.168.1.4 | 245 |
| Lookup Table (Src_IP) |
|---|
| **1.2.3.4** |
| **4.3.2.1** |
Search question: Are the Top Dest_IPs (Local) contacting the Lookup Table Src_IPs (Internet) back?

| Top Dest_IP (*aka new Src_IP*) | Top Src_IP (*aka new Dest_IP*) | HitCount |
|---|---|---|
| 192.168.1.2 | **1.2.3.4** | 20 |
| 192.168.1.4 | **4.3.2.1** | 30 |
I have been working with something like this:

```
source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest | table src_ip ] | top dest_ip,src_ip
```
I'm not getting any results -- I humbly assume it's my error -- I should be seeing some communication back.
Please double-check my design and thank you for all the help.
Give this a try:

```
source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip
```
Added swap of src_ip as new destination:

```
source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | rename src_ip AS newDest | table newDest ] | rename dest_ip AS newSrc | top newSrc,newDest
```
Your rename command should rename the field to the name it has in your logs (the field names in your logs (source="/var/log/alerts.log") are src_ip and dest_ip), so the subsearch should return either the src_ip or the dest_ip field.
Thank you for the clarification. I need to learn more about how searching works. I was trying to use temp vars as in programming.
Give this a try:

```
source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip
```
One caveat: remove the dest_ip="192.168.*" from the secondary search, due to search collisions such as src_ip="192.168.*" && dest_ip="192.168.*":

```
source="/var/log/alerts.log" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | top dest_ip,src_ip
```
Added better stats (single src to multiple dest):

```
source="/var/log/alerts.log" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest_ip | table dest_ip | rename dest_ip as src_ip ] | stats values(dest_ip),values(name),count(name) by src_ip | sort - count(name)
```
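To make the subsearch mechanics visible, here is an added Python re-implementation of what the final search above does; it is not code from the thread or from Splunk. It runs over a constructed sample of alert events in a hypothetical `key=value` layout (the real `/var/log/alerts.log` format is not shown in the thread), with the field names `src_ip`, `dest_ip` and `name` used in the answers. It shows the `top src_ip,dest_ip` step, the `OR` filter that the subsearch's `table dest_ip | rename dest_ip as src_ip` expands to, the `stats ... by src_ip` rollup, and, going slightly beyond the accepted answer, the exact reverse-pair check the original question asked for.

```python
"""Added example (not code from the thread): Python equivalent of the
accepted Splunk search, run over constructed sample alert events."""
from collections import Counter, defaultdict
import re

# Constructed sample alert lines in a hypothetical key=value format.
# The last two lines are deliberate edge cases: local-to-local traffic
# (the "search collision" mentioned in the answer) and a local host
# talking to an unrelated external address.
SAMPLE_LOG = """\
src_ip=1.2.3.4 dest_ip=192.168.1.2 name="ET SCAN Inbound Probe"
src_ip=1.2.3.4 dest_ip=192.168.1.2 name="ET SCAN Inbound Probe"
src_ip=1.2.3.4 dest_ip=192.168.1.2 name="ET SCAN Inbound Probe"
src_ip=4.3.2.1 dest_ip=192.168.1.4 name="ET POLICY Suspicious Inbound"
src_ip=4.3.2.1 dest_ip=192.168.1.4 name="ET POLICY Suspicious Inbound"
src_ip=5.5.5.5 dest_ip=192.168.1.9 name="ET SCAN Inbound Probe"
src_ip=192.168.1.2 dest_ip=1.2.3.4 name="ET TROJAN Outbound Beacon"
src_ip=192.168.1.2 dest_ip=1.2.3.4 name="ET TROJAN Outbound Beacon"
src_ip=192.168.1.4 dest_ip=192.168.1.2 name="ET POLICY Internal Transfer"
src_ip=192.168.1.9 dest_ip=8.8.8.8 name="ET POLICY DNS Query"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Turn each non-empty line into a dict of field -> value (quotes stripped)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return events


def top_pairs(events, local_prefix="192.168.", limit=10):
    """Equivalent of the subsearch body: dest_ip="192.168.*" | top src_ip,dest_ip
    (top defaults to the 10 most frequent values)."""
    counts = Counter((e["src_ip"], e["dest_ip"]) for e in events
                     if e["dest_ip"].startswith(local_prefix))
    return counts.most_common(limit)


def subsearch_filter(pairs):
    """The string the subsearch hands back to the outer search: after
    `table dest_ip | rename dest_ip as src_ip`, each row becomes a
    src_ip=<local top destination> term joined with OR."""
    local_hosts = sorted({dest for (_src, dest), _n in pairs})
    return "(" + " OR ".join(f'src_ip="{ip}"' for ip in local_hosts) + ")"


def outbound_stats(events, pairs):
    """Outer search plus `stats values(dest_ip),values(name),count(name) by src_ip
    | sort - count(name)`. The outer search has no dest_ip="192.168.*" filter,
    otherwise replies to external hosts would be dropped."""
    wanted = {dest for (_src, dest), _n in pairs}
    rows = defaultdict(lambda: {"dest_ips": set(), "names": set(), "count": 0})
    for e in events:
        if e["src_ip"] in wanted:
            row = rows[e["src_ip"]]
            row["dest_ips"].add(e["dest_ip"])
            row["names"].add(e["name"])
            row["count"] += 1
    table = [(ip, r["count"], sorted(r["dest_ips"]), sorted(r["names"]))
             for ip, r in rows.items()]
    return sorted(table, key=lambda t: -t[1])


def contacted_back(events, pairs):
    """The narrower question from the original post: for each top
    external->local pair, count events in the exact reverse direction."""
    directed = Counter((e["src_ip"], e["dest_ip"]) for e in events)
    return [(src, dest, directed[(dest, src)]) for (src, dest), _n in pairs]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    pairs = top_pairs(ev)
    print("subsearch expands to:", subsearch_filter(pairs))
    for row in outbound_stats(ev, pairs):
        print("stats row:", row)
    for src, dest, n in contacted_back(ev, pairs):
        print(f"{src} -> {dest}: {n} reply event(s) from {dest} to {src}")
```

Running it shows why the answer's caveat matters: the `stats` rollup for 192.168.1.4 lists only 192.168.1.2 (local-to-local traffic that got through because 192.168.1.4 was a top destination), while `contacted_back` reports zero replies from 192.168.1.4 to 4.3.2.1. Only 192.168.1.2 actually talks back to the external address that hit it.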
That worked as expected. I would like to give you credit if you can make this an answer instead of a comment.
Here you go.