Splunk Search

Search Command to identify a Port Scan attack

New Member

Hi, currently I am using tshark to capture my log on my host, and I would like to capture a port scan attack while I am doing my normal stuff on my host, like surfing the net.

I plan to identify the attack by the number of ports being accessed per 30 sec. On top of that, I would like it so that if the number of packets whose source IP and destination IP equal 172.20.180.27 and 172.20.180.12 appears to be the same amount or exceeds a certain range, it would prompt an alert.

Is it workable?
If not, are there any solutions?

0 Karma
1 Solution

Ultra Champion

Assuming that you DON'T have these fields extracted already, we'll do that with rex inline in the search:

sourcetype=XXX 
| rex "^\d\d\d\d-\d\d-\d\d\s+\d\d:\d\d:\d\d\.\d{6}\s+(?<src_ip>\S+)\s+->\s+(?<dst_ip>\S+)\s+(?<proto>\w+)\s+(?<YYY>\d+)\s+(?<src_port>\S+)\s+>\s+(?<dst_port>\S+)\s+"
| search dst_ip=172.20.180.27
| timechart span=30s dc(dst_port) by src_ip

The rex command should give you a new set of fields, called src_ip, dst_ip, proto, YYY, src_port and dst_port. What does the YYY number signify? Give it a nicer name if you want. It is not used here anyway.

The search after the rex filters out the outbound traffic.

The timechart command will give you a table with the distinct number of ports per source-IP in 30 second time slots.

Hope this helps,

Kristian

Ultra Champion

Sorry, I don't really understand that question.

0 Karma

New Member

With the questions above, if I were to detect a port scan, it's not possible, as the number would exceed that of a port scan if I were to use the internet, so, any solution?

0 Karma

New Member

Yes it does, a really big thank you.

0 Karma

Ultra Champion

Not sure I understand, but dc(dst_port) will return the distinct count, i.e. if the remote user connects 300 times to port 443 and 5 times to port 80, the distinct count is 2.

If you used c(dst_port) instead (c for count), the number would be 305.

If you used values(dst_port) the answer would be: 80, 443

Does this answer your question?

0 Karma
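The accepted answer's pipeline (rex extraction, filter on dst_ip, 30-second buckets, dc(dst_port) per src_ip) and the later dc/count/values comparison, run over sample events in plain Python as an added example that is not part of the thread. The field layout follows the rex in the answer, with these assumptions of the example: the port groups are \S+ rather than \d+, because tshark prints service names such as "http" and "https" unless it is run with -n, so a digits-only pattern would not match the events posted in the thread; the unnamed YYY column is called frame_len; and the TCP flags inside [...] are captured too. The first four log lines are the events posted in the thread; the rest are constructed (a SYN sweep from 172.20.180.12, then the host browsing 203.0.113.5, a documentation address, and that server's replies). The syn_only option goes beyond the answer: it counts only bare [SYN] packets, so a remote web server's SYN/ACK replies to the host's own browsing do not inflate that server's distinct-port count.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same field layout as the rex in the accepted answer. Assumptions of this example:
# ports are \S+ (tshark prints service names such as "http" unless run with -n),
# the unnamed YYY column is called frame_len, and the TCP flags in [...] are captured.
TSHARK_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+"
    r"(?P<src_ip>\S+)\s+->\s+(?P<dst_ip>\S+)\s+(?P<proto>\w+)\s+(?P<frame_len>\d+)\s+"
    r"(?P<src_port>\S+)\s+>\s+(?P<dst_port>\S+)\s+\[(?P<flags>[^\]]*)\]"
)
EPOCH = datetime(1970, 1, 1)

# First four lines: the events posted in the thread. The rest are constructed: a SYN
# sweep from the attacker, then the host browsing 203.0.113.5 and that server's replies.
SAMPLE_LINES = [
    "2013-05-13 13:53:17.987923 172.20.180.12 -> 172.20.180.27 TCP 58 55343 > http [SYN] Seq=0 Win=1024 Len=0 MSS=1460",
    "2013-05-13 13:53:21.199414 172.20.180.12 -> 172.20.180.27 TCP 74 44959 > https [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=3518195 TSecr=0 WS=16",
    "2013-05-13 13:53:21.199474 172.20.180.27 -> 172.20.180.12 TCP 74 https > 44959 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1498581 TSecr=3518195",
    "2013-05-13 13:53:21.199568 172.20.180.12 -> 172.20.180.27 TCP 66 44959 > https [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=3518195 TSecr=1498581",
    "2013-05-13 13:53:22.000100 172.20.180.12 -> 172.20.180.27 TCP 58 55344 > ssh [SYN] Seq=0 Win=1024 Len=0 MSS=1460",
    "2013-05-13 13:53:22.000250 172.20.180.12 -> 172.20.180.27 TCP 58 55345 > telnet [SYN] Seq=0 Win=1024 Len=0 MSS=1460",
    "2013-05-13 13:53:22.000400 172.20.180.12 -> 172.20.180.27 TCP 58 55346 > smtp [SYN] Seq=0 Win=1024 Len=0 MSS=1460",
    "2013-05-13 13:53:22.000550 172.20.180.12 -> 172.20.180.27 TCP 58 55347 > 3389 [SYN] Seq=0 Win=1024 Len=0 MSS=1460",
    "2013-05-13 13:53:22.000700 172.20.180.12 -> 172.20.180.27 TCP 58 55348 > 8080 [SYN] Seq=0 Win=1024 Len=0 MSS=1460",
    "2013-05-13 13:53:23.100000 172.20.180.27 -> 203.0.113.5 TCP 74 49201 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460",
    "2013-05-13 13:53:23.150000 203.0.113.5 -> 172.20.180.27 TCP 74 https > 49201 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460",
    "2013-05-13 13:53:23.200000 172.20.180.27 -> 203.0.113.5 TCP 66 49201 > https [ACK] Seq=1 Ack=1 Win=8192 Len=0",
    "2013-05-13 13:53:23.250000 172.20.180.27 -> 203.0.113.5 TCP 74 49202 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460",
    "2013-05-13 13:53:23.300000 203.0.113.5 -> 172.20.180.27 TCP 74 https > 49202 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460",
]


def parse_events(lines):
    """One dict per line matching the tshark layout; non-matching lines are skipped,
    which is what rex does to events it cannot parse."""
    events = []
    for line in lines:
        m = TSHARK_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ts = datetime.strptime(f"{ev.pop('date')} {ev.pop('time')}", "%Y-%m-%d %H:%M:%S.%f")
        ev["_time"] = (ts - EPOCH).total_seconds()  # timestamps treated as UTC
        events.append(ev)
    return events


def timechart_dc_dst_port(events, dst_ip, span=30, syn_only=False):
    """Equivalent of `search dst_ip=<dst_ip> | timechart span=30s dc(dst_port) by src_ip`.
    Returns {bucket_start_epoch: {src_ip: distinct dst_port count}}. With syn_only, only
    bare [SYN] packets are counted, so a server's SYN/ACK replies to the host's own
    browsing do not inflate that server's count."""
    ports = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev["dst_ip"] != dst_ip:
            continue
        if syn_only and ev["flags"] != "SYN":
            continue
        bucket = int(ev["_time"] // span) * span  # same bucketing as timechart span=30s
        ports[bucket][ev["src_ip"]].add(ev["dst_port"])
    return {b: {src: len(p) for src, p in by_src.items()} for b, by_src in ports.items()}


def stats_dst_port(events, src_ip, dst_ip):
    """dc(dst_port), count(dst_port) and values(dst_port) for one src->dst pair."""
    dst_ports = [ev["dst_port"] for ev in events
                 if ev["src_ip"] == src_ip and ev["dst_ip"] == dst_ip]
    return {"dc": len(set(dst_ports)), "count": len(dst_ports), "values": sorted(set(dst_ports))}


def port_scan_alerts(table, threshold):
    """Timechart rows whose distinct-port count reaches the threshold: (bucket, src_ip, dc)."""
    return [(bucket, src, dc) for bucket, by_src in sorted(table.items())
            for src, dc in by_src.items() if dc >= threshold]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LINES)
    print("all inbound:", timechart_dc_dst_port(events, "172.20.180.27"))
    print("SYN only   :", timechart_dc_dst_port(events, "172.20.180.27", syn_only=True))
    print("attacker   :", stats_dst_port(events, "172.20.180.12", "172.20.180.27"))
    syn_table = timechart_dc_dst_port(events, "172.20.180.27", syn_only=True)
    print("alerts     :", port_scan_alerts(syn_table, 5))
```

On the sample data the plain dc(dst_port) table credits 172.20.180.12 with 7 distinct ports in the 30-second slot, but also credits 203.0.113.5 with 2 (the host's own ephemeral ports 49201 and 49202, seen as destinations in the server's SYN/ACK replies). That is exactly how ordinary browsing pushes the count of a busy web server up; the more connections the host opens, the more "ports" the server appears to touch. Keeping only bare SYN packets leaves just the attacker, and the threshold check then fires on it alone. In SPL the same restriction would mean capturing the flags in the rex and adding a flags filter to the search before the timechart.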

New Member

And if I want to alert if there is a port scan by 172.20.180.12 (attacker), but a refresh on a webpage can sometimes show more than the attacker, so what can I do from here?

0 Karma

New Member

172.20.180.12 - attacker
172.20.180.27 - host

0 Karma

New Member

2013-05-13 13:53:17.987923 172.20.180.12 -> 172.20.180.27 TCP 58 55343 > http [SYN] Seq=0 Win=1024 Len=0 MSS=1460

2013-05-13 13:53:21.199414 172.20.180.12 -> 172.20.180.27 TCP 74 44959 > https [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=3518195 TSecr=0 WS=16

2013-05-13 13:53:21.199474 172.20.180.27 -> 172.20.180.12 TCP 74 https > 44959 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1498581 TSecr=3518195

2013-05-13 13:53:21.199568 172.20.180.12 -> 172.20.180.27 TCP 66 44959 > https [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=3518195 TSecr=1498581

0 Karma

Ultra Champion

Please post a few sample events.

0 Karma