Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Command to identify a Port Scan attack

Kai191
New Member
‎05-13-2013 11:42 PM

Hi, currently I am using t-shark to capture my log on my host and I would like to capture a port scan attack while I am doing my normal stuff on my host like surfing the net.

I plan to identify the attack by the amount of port being access per 30 sec. On top of that I would like to used if the number of source ip and destination ip equal to 172.20.180.27 and 172.20.180.12 packet appear to be the same amount or exceed a certain range, it would prompt an alert.

Is it workable?
If not, are there any Solution??

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-14-2013 12:44 AM

Assuming that you DON'T have these fields extracted already, we'll do that with rex inline in the search;

sourcetype=XXX 
| rex "^\d\d\d\d-\d\d-\d\d\s+\d\d:\d\d:\d\d\.\d{6}\s+(?<src_ip>\S+)\s+->\s+(?<dst_ip>\S+)\s+(?<proto>\w+)\s+(?<YYY>\d+)\s+(?<src_port>\d+)\s+>\s+(?<dst_port>\d+)\s+"
| search dst_ip=172.20.180.27
| timechart span=30s dc(dst_port) by src_ip

The rex command should give you a new set of fields, called src_ip, dst_ip, proto, YYY, src_port and dst_port. What does the YYY number signify? Give it a nicer name if you want. Not used here anyway.

The search after the rex filters out the outbound traffic.

The timechart command will give you a table with the distinct number of ports per source-IP in 30 second time slots.

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-14-2013 12:44 AM

Assuming that you DON'T have these fields extracted already, we'll do that with rex inline in the search;

sourcetype=XXX 
| rex "^\d\d\d\d-\d\d-\d\d\s+\d\d:\d\d:\d\d\.\d{6}\s+(?<src_ip>\S+)\s+->\s+(?<dst_ip>\S+)\s+(?<proto>\w+)\s+(?<YYY>\d+)\s+(?<src_port>\d+)\s+>\s+(?<dst_port>\d+)\s+"
| search dst_ip=172.20.180.27
| timechart span=30s dc(dst_port) by src_ip

The rex command should give you a new set of fields, called src_ip, dst_ip, proto, YYY, src_port and dst_port. What does the YYY number signify? Give it a nicer name if you want. Not used here anyway.

The search after the rex filters out the outbound traffic.

The timechart command will give you a table with the distinct number of ports per source-IP in 30 second time slots.

Hope this helps,

Kristian

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-17-2013 03:39 AM

Sorry, I don't really understand that question.

0 Karma
Reply
Solved! Jump to solution

Kai191
New Member
‎05-17-2013 02:07 AM

With the qns above, if I were to detect a port scan, it's not possible as the number would exceed more high than port scan if I were to used internet, so, any solution??

0 Karma
Reply
Solved! Jump to solution

Kai191
New Member
‎05-14-2013 11:01 PM

Yes it does, a really big thank you.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-14-2013 10:46 AM

Not sure I understand, but dc(dst_port) will return the distinct count, i.e. if the remote user connects 300 times to port 443 and 5 times to port 80, the distinct count is 2.

If you used c(dst_port) instead (c for count), the number would be 305.

If you used values(dst_port) the answer would be: 80, 443

Does this answer your question?

0 Karma
Reply
Solved! Jump to solution

Kai191
New Member
‎05-14-2013 02:39 AM

and if I wan to alert if there is an port scan by 172.20.180.12(attacker) but a refresh on a webpage can sometime shown more than attacker, so what can I do from here??

0 Karma
Reply
Solved! Jump to solution

Kai191
New Member
‎05-13-2013 11:57 PM

172.20.180.12 - attacker
172.20.180.27 - host

0 Karma
Reply
Solved! Jump to solution

Kai191
New Member
‎05-13-2013 11:56 PM

2013-05-13 13:53:17.987923 172.20.180.12 -> 172.20.180.27 TCP 58 55343 > http [SYN] Seq=0 Win=1024 Len=0 MSS=1460

2013-05-13 13:53:21.199414 172.20.180.12 -> 172.20.180.27 TCP 74 44959 > https [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=3518195 TSecr=0 WS=16

2013-05-13 13:53:21.199474 172.20.180.27 -> 172.20.180.12 TCP 74 https > 44959 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1498581 TSecr=3518195

2013-05-13 13:53:21.199568 172.20.180.12 -> 172.20.180.27 TCP 66 44959 > https [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=3518195 TSecr=1498581

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-13-2013 11:52 PM

please post a few sample events.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top