Splunk Search

Security search question, F/W log, where one host to multiple host detection.


Let's assume the following,

  1. The data source for analysis is the firewall traffic log. I guess it could be applied to any firewall since they all have similar info in the logs.

From the above firewall log, I need to investigate the following :

  1. Get a list of hosts that are sending packets to an excessive number of hosts (in number of sessions)
  2. Basically I need to create a dashboard that sums up hosts that are making excessive number of sessions.

In order for me to do this, I guess I need to count the number of Destination IPs based on Source IPs. I want to create Splunk search criteria to accomplish this.

I guess the process pattern is below:

IP SRC=10.1.1.7, DEST=211.123.23.4
IP SRC=10.1.1.7, DEST=121.33.13.7
IP SRC=10.1.1.7, DEST=21.13.32.3
IP SRC=10.1.1.7, DEST=172.23.185.5
IP SRC=10.1.1.7, DEST=231.53.2.82
IP SRC=10.1.1.7, DEST=23.35.78.2
IP SRC=10.1.1.7, DEST=221.73.5.123
IP SRC=10.1.1.7, DEST=81.33.98.44
IP SRC=10.1.1.7, DEST=78.19.21.25
IP SRC=10.1.1.7, DEST=62.53.76.89
IP SRC=10.1.1.7, DEST=2341.3.2.125

To get results like:

10.2.7.32   87 Connections
10.1.1.7    11 Connections

etc..


Splunk Employee

Seems to me that simple:

... | stats distinct_count(DEST) by SRC

or

... | stats count by DEST,SRC | stats count by SRC 

would do it.
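The same fan-out detection the two searches above express (distinct destinations per source, with the session count kept alongside so "excessive sessions" and "excessive hosts" are not confused), run over a constructed sample in the question's own `IP SRC=..., DEST=...` shape. This is an added example, not code from the question or the answer; the sample data, the threshold and the function names are assumptions, and records with an address that does not parse (the question's own data contains `2341.3.2.125`) are set aside rather than counted.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the same shape as the question's log pattern:
# 10.1.1.7 fans out to several hosts, 10.2.7.32 hammers one host repeatedly.
SAMPLE_LOG = """
IP SRC=10.1.1.7, DEST=211.123.23.4
IP SRC=10.1.1.7, DEST=121.33.13.7
IP SRC=10.1.1.7, DEST=21.13.32.3
IP SRC=10.1.1.7, DEST=172.23.185.5
IP SRC=10.1.1.7, DEST=2341.3.2.125
IP SRC=10.2.7.32, DEST=10.2.7.1
IP SRC=10.2.7.32, DEST=10.2.7.1
IP SRC=10.2.7.32, DEST=10.2.7.1
IP SRC=10.2.7.32, DEST=10.2.7.2
"""

# One SRC/DEST pair per match; also works on the flattened one-line form
# because each address ends at the next comma or whitespace.
PAIR_RE = re.compile(r"SRC=(?P<src>[^,\s]+),\s*DEST=(?P<dest>[^,\s]+)")


def summarize(log_text):
    """Per source: total sessions and distinct destinations, i.e. the
    equivalent of `stats count, dc(DEST) by SRC`. Returns (summary, malformed)."""
    sessions = defaultdict(int)
    dests = defaultdict(set)
    malformed = []
    for m in PAIR_RE.finditer(log_text):
        src, dest = m.group("src"), m.group("dest")
        try:
            ip_address(src)
            ip_address(dest)
        except ValueError:
            malformed.append((src, dest))  # bad octet etc.: keep for review
            continue
        sessions[src] += 1
        dests[src].add(dest)
    summary = {s: {"sessions": sessions[s], "distinct_dests": len(dests[s])}
               for s in sessions}
    return summary, malformed


def fan_out_hosts(summary, min_distinct):
    """Sources that reached at least min_distinct distinct hosts, highest first:
    (src, distinct_dests, sessions). This is the dashboard row the question wants."""
    hits = [(s, v["distinct_dests"], v["sessions"])
            for s, v in summary.items() if v["distinct_dests"] >= min_distinct]
    return sorted(hits, key=lambda h: -h[1])
```

Note that 10.2.7.32 has as many sessions as 10.1.1.7 but only two distinct destinations, so a session-count threshold alone would rank both the same while the distinct-destination count separates the scanner-like behaviour.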