Splunk Search

How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period?

wingfieldj
Explorer

Using syslog data, how do I find if 3 systems go to a common webpage in a 48 hour period?

I have 3 IP sources with OR between them in a search...

Do you pipe this to associate and find the destination IP addresses in common?

Rare values do not seem to work...

Jim W.

Tags (3)
0 Karma

sundareshr
Legend

Try this to list all dest_ip visited by all three src_ip in the past 2 days

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC earliest=-2d@d | stats dc(src_ip) as src by dest_ip | where src=3 | table dest_ip 
0 Karma

wingfieldj
Explorer

thanks for your responses....
so new to complex searches...

Restating the scenario: Using the firewall logs, I am trying to find common website/destination IP that 3 known users have in common...due to bad guy activity on the src_IP, like malware

So I could set a custom filter for the block of time...to remove that complexity.

I tried the following - no results

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333  type=TRAFFIC | bucket span=2d _time  |  stats dc(src_ip) as ips by  dest_ip

The following had 12000 events no matches...But I know they all three had gone to the same dst_ip in the last 2 hours...

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333  type=TRAFFIC | bucket span=120m _time  |  stats dc(src_ip) as ips by  dest_ip

I tried the following custom time set - no results

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333  type=TRAFFIC |  stats dc(src_ip) as ips by  dest_ip

I tried the following custom time set - Error in Stats command

(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333)  type=TRAFFIC |  stats count(src_ip) as COUNT dst_ip src_ip

The following with custom time set results in 10085

(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333)  type=TRAFFIC| stats count(src_ip) as COUNT
0 Karma

somesoni2
Revered Legend

Can you check if the field dest_ip existing in your events and both src_ip and dest_ip appears in the same event? Your first two searches should've returned result if both fields exists.

0 Karma

wingfieldj
Explorer

yes src_ip and dst_ip are in the same event

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | top 10 dst_ip

results in 10 ip addresses...and clicking on the ip address will show the events for each of the addresses in the search and some additional addresses...so that is almost it ( not exclusive to the three listed ips)

0 Karma

somesoni2
Revered Legend

There you go, the field name that you were trying is different in your logs (it's dst_ip instead of dest_ip).

This should work now

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | bucket span=2d _time | stats dc(src_ip) as ips by dst_ip
0 Karma

somesoni2
Revered Legend

Without knowing much about your data/queries, give this a try. This is assuming src_ip and dest_ip fields are extracted.
Update
Updating the field name per comment below

index=foo sourcetype=bar src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 
| bucket span=2d _time | stats dc(src_ip) as ips by _time dst_ip | where ips=3
0 Karma

JDukeSplunk
Builder

Sample data would be good.

I usually have to enclose my OR searches.

 (10.0.0.0 OR 10.0.0.1 OR 10.0.0.2)

Even better if your fields are extracted. Source and destination IP.

yourbasesearch | stats count(sourceip) as COUNT destinationip sourceip
0 Karma

somesoni2
Revered Legend

Please post some sample data, queries that you tried so far and expected output.

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...