I am searching for a method to take the IP address and port records from traffic coming from the internet onto our network and plot the number of ports per IP address in the time interval, with the highest number of ports per IP on top and ignoring low ports/IP if possible for optimization. The goal of this search is to identify port scans and related activity. I have been battling the issue of using dc (direct count) with timechart, and with where, top or sort by using AS to pass the dc information. I currently have a chart which groups many IP addresses into an "Other" data line. My current search looks like this:
sourcetype=target_traffic src_zone=target-INTERNET dst_zone!=target-INTERNET | timechart span=1s dc(dst_port) AS port_scan by src_ip | sort port_scan
(I have modified the search with the string "target" in place of more specific identifiers.)
After the "Other" issue is worked out, I would be interested to have the lower dc(dst_port) values dropped. Are there any issues with the code and what improvements are needed?
It won't let me edit the original post, so I am adding it here.
Using eventstats seems to enable the filtering by number of port scans per IP, but unlike the timechart's span=1s option, which applies the dc(dst_port) on 1s window intervals, it grabs the dc(dst_port) over the entire search window. Perhaps there is a window option in stats or in streamstats similar to the timechart's time window? The code I am using to add the dc(dst_port) filter on the entire search time window is:
| eventstats dc(dst_port) AS port_scan by src_ip | where port_scan > 2 | sort - port_scan
Just before the eventstats, use the bucket command and include _time in the eventstats by clause.
your search | bucket span=1s _time | eventstats dc(dst_port) AS port_scan by src_ip, _time | ...
I tried the search, as suggested above. I saw an error in the timechart with having time=1s. I think that error comes from being after the bucket section. I also saw an error with using portscan in timechart instead of dc(dstport), so I adjusted the timechart to go without time=1s and to replace the port_scan with the dc as follows:
my search | bucket span=1s _time | eventstats dc(dst_port) AS port_scan by src_ip, _time | where port_scan > 2 | timechart dc(dst_port) by src_ip
Over the last 4 hours, I see one IP with values of 3 and 6. This should mean that it made 3 port connections and 6 port connections within a single second at two distinct times. A few more IPs are now popping up as well, so I think this is working as intended. Thank you very much for your help.
As I have understood it, your search counts distinct destination ports, but you have not specified whether that is for a single IP or multiple IPs.
That is, it will count, from one source IP to multiple destination IPs, the destination ports visited.
So to get the specific result you can specify the destination IP, and it should give the right result.
my search | bucket span=1s _time | eventstats dc(dst_port) AS port_scan by src_ip, dst_ip, _time | where port_scan > 2 | timechart dc(dst_port) by src_ip
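The logic from both answers (bucket events into 1s windows, count distinct destination ports per src_ip and per window, drop windows at or below a threshold, sort highest first, and optionally group by src_ip and dst_ip as well), written out as an added Python example so the two groupings can be compared side by side on the same data. This is not code from the original thread or from Splunk; the log lines, IP addresses, zone names and the `target-INTERNET` zone filter are constructed here, and the function names are this example's own.

```python
"""Port-scan heuristic over connection logs: distinct destination ports per
source IP (optionally per source/destination pair) inside fixed time windows.
Mirrors the SPL idea: bucket _time into span=1s windows, dc(dst_port) by
src_ip and _time, keep windows above a threshold, sort descending."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original post). One line per
# connection in "timestamp key=value ..." form, using documentation IP ranges.
# 203.0.113.7 sweeps four ports on one host in a single second; 198.51.100.9
# touches three ports spread over two hosts in one second; 203.0.113.50 is a
# normal client; the last two lines are filtered out by the zone test.
SAMPLE_EVENTS = """\
2024-03-01T10:00:00Z src_zone=target-INTERNET dst_zone=target-DMZ src_ip=203.0.113.7 dst_ip=192.0.2.10 dst_port=22
2024-03-01T10:00:00Z src_zone=target-INTERNET dst_zone=target-DMZ src_ip=203.0.113.7 dst_ip=192.0.2.10 dst_port=80
2024-03-01T10:00:00Z src_zone=target-INTERNET dst_zone=target-DMZ src_ip=203.0.113.7 dst_ip=192.0.2.10 dst_port=443
2024-03-01T10:00:00Z src_zone=target-INTERNET dst_zone=target-DMZ src_ip=203.0.113.7 dst_ip=192.0.2.10 dst_port=8080
2024-03-01T10:00:01Z src_zone=target-INTERNET dst_zone=target-DMZ src_ip=203.0.113.7 dst_ip=192.0.2.10 dst_port=3306
2024-03-01T10:00:00Z src_zone=target-INTERNET dst_zone=target-DMZ src_ip=198.51.100.9 dst_ip=192.0.2.10 dst_port=22
2024-03-01T10:00:00Z src_zone=target-INTERNET dst_zone=target-DMZ src_ip=198.51.100.9 dst_ip=192.0.2.11 dst_port=80
2024-03-01T10:00:00Z src_zone=target-INTERNET dst_zone=target-DMZ src_ip=198.51.100.9 dst_ip=192.0.2.11 dst_port=443
2024-03-01T10:00:00Z src_zone=target-INTERNET dst_zone=target-DMZ src_ip=203.0.113.50 dst_ip=192.0.2.10 dst_port=443
2024-03-01T10:00:00Z src_zone=target-INTERNET dst_zone=target-DMZ src_ip=203.0.113.50 dst_ip=192.0.2.10 dst_port=443
2024-03-01T10:00:00Z src_zone=target-LAN dst_zone=target-DMZ src_ip=10.0.0.5 dst_ip=192.0.2.10 dst_port=22
2024-03-01T10:00:00Z src_zone=target-INTERNET dst_zone=target-INTERNET src_ip=203.0.113.7 dst_ip=203.0.113.99 dst_port=25
"""


def parse_events(text):
    """Turn key=value log lines into dicts with an integer epoch _time field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        fields["_time"] = int(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            .replace(tzinfo=timezone.utc)
            .timestamp()
        )
        events.append(fields)
    return events


def inbound_only(events):
    """The zone filter from the original search: traffic entering from the
    internet zone and not going back out to it."""
    return [e for e in events
            if e.get("src_zone") == "target-INTERNET"
            and e.get("dst_zone") != "target-INTERNET"]


def bucket_time(epoch, span):
    """Align a timestamp to the start of its span-second window
    (the equivalent of `bucket span=<span>s _time`)."""
    return epoch - (epoch % span)


def port_scan_candidates(events, span=1, threshold=2, by=("src_ip",)):
    """Return [(dc_dst_port, window_start, key_tuple), ...] for every window
    in which the group `by` touched more than `threshold` distinct destination
    ports, highest count first. by=("src_ip",) is the first answer's grouping;
    by=("src_ip", "dst_ip") is the refinement from the second answer."""
    ports = defaultdict(set)
    for e in events:
        key = tuple(e[f] for f in by)
        ports[(bucket_time(e["_time"], span), key)].add(e["dst_port"])
    rows = [(len(p), window, key) for (window, key), p in ports.items()
            if len(p) > threshold]
    # Highest distinct-port count first; ties ordered by time, then key.
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


if __name__ == "__main__":
    evs = inbound_only(parse_events(SAMPLE_EVENTS))
    for grouping in (("src_ip",), ("src_ip", "dst_ip")):
        print("by", ", ".join(grouping))
        for count, window, key in port_scan_candidates(evs, by=grouping):
            stamp = datetime.fromtimestamp(window, timezone.utc).isoformat()
            print(f"  {stamp}  {'/'.join(key)}  distinct_ports={count}")
```

On the sample data, grouping by src_ip flags both 203.0.113.7 (4 ports) and 198.51.100.9 (3 ports across two hosts) at 10:00:00, while grouping by src_ip and dst_ip keeps only 203.0.113.7, because 198.51.100.9 never exceeds 2 ports against any single host. Which grouping is right depends on whether horizontal sweeps across hosts should count as scans. The "Other" series in the original timechart comes from timechart's defaults of limit=10 and useother=t; the function above simply returns every qualifying row, so nothing is folded.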