Let assume the following,
- the data source for analysis is Firewall traffic log. I guess It could be applied to any firewall since they all have smilar info in the logs.
From the above firewall log, I need to investigate the following :
- Get a list of hosts that are sending packets to exccesive amount of hosts (in number of sessions)
- Basically I need to create a dashboard that sums up hosts that are making excessive number of sessions.
In order for me to do this, I guess I need to count the number of Destination IP based on Source IPs. I want to create splunk search critiria to accomplish this.
I guess process pattern blow :
IP SRC=10.1.1.7, DEST=211.123.23.4,
IP SRC=10.1.1.7, DEST=121.33.13.7,
IP SRC=10.1.1.7, DEST=21.13.32.3,
IP SRC=10.1.1.7, DEST=172.23.185.5,
IP SRC=10.1.1.7, DEST=231.53.2.82,
IP SRC=10.1.1.7, DEST=23.35.78.2,
IP SRC=10.1.1.7, DEST=221.73.5.123,
IP SRC=10.1.1.7, DEST=81.33.98.44,
IP SRC=10.1.1.7, DEST=78.19.21.25,
IP SRC=10.1.1.7, DEST=62.53.76.89,
IP SRC=10.1.1.7, DEST=2341.3.2.125,
To get results like :
10.2.7.32 87 Connections
10.1.1.7 11 Connections
etc..
