Solved: The SPL search command about port scanning

xsstest · ‎05-02-2017

Now I'm doing a port scan alert Policy.

Port scanning is a hacker's attack method。I can see its activity track in the firewall。I can see the source IP（scan_sip）, source port and destination IP（scan_dip）, destination port。Too many ports connected log on the firewall。

I passed the following method to extract the port scan behavior.

Set a time range, for example: 60s. And the interval between each event can not be greater than 7s. There are more than 40 elements in the collection. I think he is port scan, how do i search for such events?

I only need scan_sip, scan_dip, the number of elements in the collection

use "transaction"？

dineshraj9 · ‎05-02-2017

Yes, try using transaction command this way -

<your search> | transaction maxpause=7s maxspan=60s scan_sip scan_dip | where eventcount >=40

View solution in original post

dineshraj9 · ‎05-02-2017

Yes, try using transaction command this way -

<your search> | transaction maxpause=7s maxspan=60s scan_sip scan_dip | where eventcount >=40

xsstest · ‎05-02-2017

ok.now, How do I count the number of collections?

I want to get this result：

scan_sip      scan_dip      count

1.1.1.1        2.2.2.2             45

xsstest · ‎05-04-2017

good ! thank you!

xsstest · ‎05-05-2017

If the scan_port (the port following the scan_ip field) is all the same, how do I exclude this group of events

dineshraj9 · ‎05-02-2017

eventcount field gets added automatically as part of transaction command -

<your search> | transaction maxpause=7s maxspan=60s scan_sip scan_dip | where eventcount >40 | rename eventcount as count | table scan_sip scan_dip count

The SPL search command about port scanning

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services