Matching both sides of two kv pairs over time

pde
Path Finder

I have a small DTrace app that monitors ARP requests and replies, producing output like this:

 2010 Sep  1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=1.2.3.4][targetMAC=0:1:d7:3b:55:44][targetIP=1.2.3.5]

I'm interested in knowing if any (senderMAC, senderIP) pair differs from previously seen instances over some period of time, in roughly the way that arpwatch would alert me of a change.

Can't quite work out a strategy for this in Splunk. Any help?


southeringtonp
Motivator

Probably needs tweaking, but these should give you some ideas...


Simplest approach

Look over some period for any cases where one IP address has more than one MAC address:

eventtype=foo | stats dc(senderMAC) as MACCount list(senderMAC) by senderIP
    | search MACCount > 1


Track all New MACs for a given IP

Search 1 -- Tracking:

eventtype=foo | dedup senderIP, senderMAC | fields senderIP, senderMAC
    | outputlookup arplookup

Search 2 -- Alerting:

eventtype=foo | dedup senderIP, senderMAC
   | lookup arplookup senderIP OUTPUT senderMAC as oldMAC
   | where isnotnull(oldMAC) AND senderMAC!=oldMAC


Track all New MAC-IP Pairs

This should have the (desirable or undesirable) side effect of also alerting on all new pairs, not just when a MAC address changes...

Search 1 -- Tracking:

eventtype=foo | dedup senderMAC, senderIP | eval knownpair =1
    | fields senderMAC,senderIP,knownpair | outputlookup macpairs

Search 2 -- Alerting:

eventtype=foo | lookup macpairs senderMAC, senderIP OUTPUT knownpair
    | search NOT knownpair=1
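The same lookup-table idea, as an added stand-alone example that is not part of this thread and not Splunk code: a Python script that parses the DTrace line format quoted in the question, keeps an in-memory table of every senderIP to senderMAC pairing seen so far (the equivalent of the arplookup/macpairs lookup), and reports both brand-new pairs and MAC changes for an IP, mirroring the "Track all New MACs" and "Track all New MAC-IP Pairs" searches. The sample log lines, the MAC normalization (zero-padding each octet so DTrace's "0:3:ba" and a sniffer's "00:03:ba" compare equal) and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the DTrace output format quoted in the question.
# Line 4 is the same MAC as line 1 written with padded, upper-case octets;
# line 5 is a different MAC claiming the same IP; the last line is noise.
SAMPLE_LOG = """\
2010 Sep  1 03:10:08 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=1.2.3.4][targetMAC=0:1:d7:3b:55:44][targetIP=1.2.3.5]
2010 Sep  1 03:10:09 [type=Request][senderMAC=0:1:d7:3b:55:44][senderIP=1.2.3.5][targetMAC=ff:ff:ff:ff:ff:ff][targetIP=1.2.3.4]
2010 Sep  1 03:11:00 [type=Reply][senderMAC=0:3:ba:d1:1e:17][senderIP=1.2.3.4][targetMAC=0:1:d7:3b:55:44][targetIP=1.2.3.5]
2010 Sep  1 03:12:00 [type=Reply][senderMAC=00:03:BA:D1:1E:17][senderIP=1.2.3.4][targetMAC=0:1:d7:3b:55:44][targetIP=1.2.3.5]
2010 Sep  1 03:15:30 [type=Reply][senderMAC=de:ad:be:ef:0:1][senderIP=1.2.3.4][targetMAC=0:1:d7:3b:55:44][targetIP=1.2.3.5]
garbage line that should be skipped
"""

# Timestamp followed by one or more [key=value] groups (assumed layout).
TS_RE = re.compile(r"^(?P<ts>\d{4} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<kv>(?:\[[^\]]*\])+)\s*$")
KV_RE = re.compile(r"\[([^=\]]+)=([^\]]*)\]")


def normalize_mac(mac):
    """Zero-pad each octet and lower-case so '0:3:BA:..' == '00:03:ba:..'."""
    return ":".join(part.zfill(2) for part in mac.strip().lower().split(":"))


def parse_line(line):
    """Return a dict of fields for one DTrace ARP line, or None if it does not parse."""
    m = TS_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts")}
    event.update(KV_RE.findall(m.group("kv")))  # list of (key, value) tuples
    if "senderMAC" not in event or "senderIP" not in event:
        return None
    for key in ("senderMAC", "targetMAC"):
        if key in event:
            event[key] = normalize_mac(event[key])
    return event


class ArpWatcher:
    """Stateful stand-in for the lookup table: remembers every senderIP -> senderMAC
    pairing and flags a pair the first time it is seen."""

    def __init__(self):
        self.known = defaultdict(set)  # senderIP -> {senderMAC, ...}

    def observe(self, event):
        ip, mac = event["senderIP"], event["senderMAC"]
        seen = self.known[ip]
        if mac in seen:
            return None  # known pair: nothing to report
        alert = {
            "ts": event["ts"],
            "senderIP": ip,
            "senderMAC": mac,
            # "new-pair" is the side effect the answer mentions; "mac-changed"
            # is the arpwatch-style flip-flop the question actually asks about.
            "kind": "new-pair" if not seen else "mac-changed",
            "previousMACs": sorted(seen),
        }
        seen.add(mac)
        return alert


def run(log_text):
    """Feed every parseable line to the watcher; return (alerts, watcher)."""
    watcher = ArpWatcher()
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        alert = watcher.observe(event)
        if alert:
            alerts.append(alert)
    return alerts, watcher


def ips_with_multiple_macs(known):
    """Offline version of the 'simplest approach': dc(senderMAC) by senderIP, kept where > 1."""
    return {ip: sorted(macs) for ip, macs in known.items() if len(macs) > 1}


if __name__ == "__main__":
    found, w = run(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["kind"], a["senderIP"], a["senderMAC"], "previously:", a["previousMACs"])
    print("IPs with more than one MAC:", ips_with_multiple_macs(w.known))
```

On the constructed sample this yields two "new-pair" alerts (the first sighting of 1.2.3.4 and 1.2.3.5), no alert for the re-spelled MAC on line 4 thanks to normalization, and one "mac-changed" alert when de:ad:be:ef:00:01 claims 1.2.3.4. Persisting `watcher.known` to disk between runs is what the outputlookup/lookup pair does in Splunk; a long-lived process can simply keep the dictionary in memory.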

pde
Path Finder

Ah, jeeze, a lookup table. I should have thought of that.

Thank you!
