Splunk Search

The SPL search command about port scanning

xsstest
Communicator

Now I'm doing a port scan alert policy.

Port scanning is a hacker's attack method. I can see its activity track in the firewall. I can see the source IP (scan_sip), source port, destination IP (scan_dip) and destination port. There are too many port-connection logs on the firewall.

I use the following method to extract the port scan behavior.

Set a time range, for example 60s, and the interval between each event cannot be greater than 7s. If there are more than 40 elements in the collection, I think it is a port scan. How do I search for such events?

I only need scan_sip, scan_dip and the number of elements in the collection.

Use "transaction"?


0 Karma
1 Solution

dineshraj9
Builder

Yes, try using transaction command this way -

<your search> | transaction maxpause=7s maxspan=60s scan_sip scan_dip | where eventcount >=40


0 Karma


xsstest
Communicator

OK. Now, how do I count the number of collections?

I want to get this result:

scan_sip    scan_dip    count
1.1.1.1     2.2.2.2     45
0 Karma

xsstest
Communicator

Good! Thank you!

0 Karma

xsstest
Communicator

If the scan_port (the port following the scan_ip field) is all the same, how do I exclude this group of events?

0 Karma

dineshraj9
Builder

The eventcount field gets added automatically as part of the transaction command -

<your search> | transaction maxpause=7s maxspan=60s scan_sip scan_dip | where eventcount >40 | rename eventcount as count | table scan_sip scan_dip count
0 Karma
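As an added illustration (not from this thread and not Splunk's own code), the Python below approximates what the transaction search above does, run over a few constructed firewall records, and adds a distinct-port check for the follow-up about groups where scan_port is always the same. The 10.0.0.x / 192.0.2.x addresses, ports and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed firewall records: (timestamp, scan_sip, scan_dip, scan_port).
# 10.0.0.5 walks 45 different ports in 45 s (a scan); 10.0.0.7 makes 45
# connections to the same port (busy but legitimate); one extra 10.0.0.5
# event arrives after a pause longer than 7 s, so it starts a new group.
T0 = datetime(2024, 1, 1, 12, 0, 0)
LOGS = (
    [(T0 + timedelta(seconds=i), "10.0.0.5", "192.0.2.10", 1000 + i) for i in range(45)]
    + [(T0 + timedelta(seconds=i), "10.0.0.7", "192.0.2.10", 443) for i in range(45)]
    + [(T0 + timedelta(seconds=70), "10.0.0.5", "192.0.2.10", 2000)]
)

def transactions(events, maxpause=7, maxspan=60):
    """Group events per (scan_sip, scan_dip), approximating
    `transaction maxpause=7s maxspan=60s scan_sip scan_dip`: a group is
    closed when the gap since its last event exceeds maxpause or the span
    since its first event would exceed maxspan."""
    open_groups, closed = {}, []
    for ts, sip, dip, port in sorted(events):
        key = (sip, dip)
        g = open_groups.get(key)
        if g and (ts - g["last"] > timedelta(seconds=maxpause)
                  or ts - g["start"] > timedelta(seconds=maxspan)):
            closed.append(g)
            g = None
        if g is None:
            g = open_groups[key] = {"sip": sip, "dip": dip, "start": ts,
                                    "last": ts, "ports": []}
        g["last"] = ts
        g["ports"].append(port)
    closed.extend(open_groups.values())
    return closed

def port_scan_candidates(events, min_events=40, min_distinct_ports=2):
    """`where eventcount >= 40`, plus a distinct-port requirement so that a
    burst of connections to a single port is not reported as a scan.
    Returns rows of (scan_sip, scan_dip, count)."""
    rows = []
    for g in transactions(events):
        if len(g["ports"]) >= min_events and len(set(g["ports"])) >= min_distinct_ports:
            rows.append((g["sip"], g["dip"], len(g["ports"])))
    return rows
```

The `maxspan` handling is a simplification of Splunk's exact semantics; it is here to show why the 7 s pause and 60 s span limits split the data the way they do.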