Splunk Search

How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48-hour period?

Explorer

Using syslog data, how do I find if 3 systems go to a common webpage in a 48-hour period?

I have 3 IP sources with OR between them in a search...

Do you pipe this to associate and find the destination IP addresses in common?

Rare values do not seem to work...

Jim W.


Legend

Try this to list all dest_ip values visited by all three src_ip values in the past 2 days:

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC earliest=-2d@d | stats dc(src_ip) as src by dest_ip | where src=3 | table dest_ip

Explorer

Thanks for your responses...
I'm so new to complex searches...

Restating the scenario: using the firewall logs, I am trying to find a common website/destination IP that 3 known users have in common, due to bad-guy activity on the src_ip, like malware.

So I could set a custom filter for the block of time to remove that complexity.

I tried the following - no results

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | bucket span=2d _time | stats dc(src_ip) as ips by dest_ip

The following had 12000 events but no matches... But I know all three had gone to the same dst_ip in the last 2 hours...

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | bucket span=120m _time | stats dc(src_ip) as ips by dest_ip

I tried the following with a custom time range set - no results

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | stats dc(src_ip) as ips by dest_ip

I tried the following with a custom time range set - Error in Stats command

(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333) type=TRAFFIC | stats count(src_ip) as COUNT dst_ip src_ip

The following, with a custom time range set, results in 10085

(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333) type=TRAFFIC | stats count(src_ip) as COUNT

SplunkTrust

Can you check whether the field destip exists in your events and whether both srcip and dest_ip appear in the same event? Your first two searches should have returned results if both fields exist.


Explorer

Yes, srcip and dstip are in the same event.

srcip=111.111.111.111 OR srcip=222.222.222.222 OR srcip=333.333.333 type=TRAFFIC | top 10 dstip

This results in 10 IP addresses... Clicking on an IP address shows the events for each of the addresses in the search, plus some additional addresses... so that is almost it (not exclusive to the three listed IPs).


SplunkTrust

There you go, the field name that you were trying is different in your logs (it's dstip instead of destip).

This should work now:

src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | bucket span=2d _time | stats dc(src_ip) as ips by dst_ip

SplunkTrust

Without knowing much about your data/queries, give this a try. This assumes the srcip and destip fields are extracted.

Update: updating the field name per the comment below.

index=foo sourcetype=bar src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 
| bucket span=2d _time | stats dc(src_ip) as ips by _time dst_ip | where ips=3
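The two stats-based answers in this thread (the `stats dc(src_ip) as src by dest_ip | where src=3` search and the `bucket span=2d _time | stats dc(src_ip) as ips by _time dst_ip | where ips=3` variant) express the same detection: a destination counts only when every watched source reached it. As an added example, not posted by anyone in this thread, the following Python implements that logic over constructed firewall log lines so it can be checked offline. The field names src_ip, dst_ip and type, the timestamps and the addresses are all assumptions. It also shows a difference between the two searches: the first counts distinct sources over the whole search window, while the bucketed form counts within fixed 2-day buckets, so three hits that straddle a bucket boundary are not found.

```python
"""Find destination IPs reached by every watched source IP within 48 hours.

Added example, not from the Splunk thread. Field names (src_ip, dst_ip, type),
addresses and timestamps are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed TRAFFIC log lines in a generic "key=value" shape (not real data).
# The three watched sources reach 203.0.113.5 within ~2.5 hours, but across a
# calendar-day boundary; 198.51.100.7 is reached by only two watched sources
# inside any 48-hour span; the THREAT line is not a TRAFFIC event.
SAMPLE_LOGS = """\
2024-03-01T23:10:00Z type=TRAFFIC src_ip=10.1.1.10 dst_ip=203.0.113.5 action=allow
2024-03-02T00:05:00Z type=TRAFFIC src_ip=10.1.1.20 dst_ip=203.0.113.5 action=allow
2024-03-02T01:30:00Z type=TRAFFIC src_ip=10.1.1.30 dst_ip=203.0.113.5 action=allow
2024-03-02T02:00:00Z type=TRAFFIC src_ip=10.1.1.10 dst_ip=198.51.100.7 action=allow
2024-03-02T02:10:00Z type=TRAFFIC src_ip=10.1.1.20 dst_ip=198.51.100.7 action=allow
2024-03-02T03:00:00Z type=TRAFFIC src_ip=10.1.1.99 dst_ip=198.51.100.7 action=allow
2024-03-05T12:00:00Z type=TRAFFIC src_ip=10.1.1.30 dst_ip=198.51.100.7 action=allow
2024-03-02T04:00:00Z type=THREAT src_ip=10.1.1.10 dst_ip=192.0.2.9 action=deny
"""

# The three source IPs under investigation (constructed values).
WATCHED = {"10.1.1.10", "10.1.1.20", "10.1.1.30"}

KV = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Turn each log line into a dict of fields plus a timezone-aware _time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        fields = dict(KV.findall(rest))
        fields["_time"] = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        events.append(fields)
    return events


def watched_traffic(events, watched):
    """Apply the base search: type=TRAFFIC and src_ip in the watched set."""
    return [e for e in events
            if e.get("type") == "TRAFFIC" and e.get("src_ip") in watched]


def common_destinations(events, watched, window=timedelta(hours=48)):
    """Destinations reached by all watched sources within any 48-hour span.

    Equivalent in spirit to `stats dc(src_ip) as src by dest_ip | where src=3`
    run over a 48-hour search window, but evaluated as a sliding window so the
    result does not depend on where the search window happens to start.
    """
    by_dst = defaultdict(list)
    for e in watched_traffic(events, watched):
        by_dst[e["dst_ip"]].append((e["_time"], e["src_ip"]))

    hits = set()
    for dst, seen in by_dst.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            # Distinct sources seen from this event forward, within the window.
            srcs = {s for t, s in seen[i:] if t - t0 <= window}
            if srcs == watched:
                hits.add(dst)
                break
    return sorted(hits)


def bucketed_destinations(events, watched, span=timedelta(days=2)):
    """Fixed-bucket form: `bucket span=2d _time | stats dc(src_ip) by _time dst_ip`.

    Buckets here are aligned to the Unix epoch; Splunk's own alignment rules
    differ, but the effect is the same: a cluster of hits that straddles a
    bucket boundary is split and never reaches the distinct-source threshold.
    """
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    srcs_per_bucket = defaultdict(set)
    for e in watched_traffic(events, watched):
        bucket = (e["_time"] - epoch) // span
        srcs_per_bucket[(bucket, e["dst_ip"])].add(e["src_ip"])
    return sorted({dst for (_, dst), s in srcs_per_bucket.items()
                   if len(s) == len(watched)})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    print("sliding 48h window:", common_destinations(evts, WATCHED))
    print("fixed 2d buckets:  ", bucketed_destinations(evts, WATCHED))
```

With the constructed lines, the sliding-window check reports 203.0.113.5 as the destination all three sources reached, while the fixed-bucket check reports nothing, because the hits on 203.0.113.5 fall on either side of a bucket boundary. The field-name check from earlier in the thread applies here too: if the log's field is dstip rather than dst_ip, both functions silently group on a missing key and find nothing.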

Builder

Sample data would be good.

I usually have to enclose my OR searches.

(10.0.0.0 OR 10.0.0.1 OR 10.0.0.2)

Even better if your fields (source and destination IP) are extracted.

yourbasesearch | stats count(sourceip) as COUNT by destinationip sourceip

SplunkTrust

Please post some sample data, the queries you have tried so far, and the expected output.
