Splunk Search

Tor traffic search feeds

dzejsonborn
New Member

Hi All,

I work with Datamodels, and trying to create search which will alert me about TOR communication.
Having some issues with enrichment. Can somebody help.

| eval TOR="iblocklist_tor"
| lookup ip_intel threat_key as TOR ip as All_Traffic.src_ip OUTPUT ip
| where isnotnull(ip)

Having some issues with enrichment. Can somebody help?

0 Karma
1 Solution

woodcock
Esteemed Legend

The problem is that your lookup file does not contain the field threat_key so the right way to use it as-is is like this:

... | lookup ip_intel ip AS All_Traffic.src_ip OUTPUT ip AS was_found
| where isnotnull(was_found)
| fields - was_found

View solution in original post

0 Karma

woodcock
Esteemed Legend

The problem is that your lookup file does not contain the field threat_key so the right way to use it as-is is like this:

... | lookup ip_intel ip AS All_Traffic.src_ip OUTPUT ip AS was_found
| where isnotnull(was_found)
| fields - was_found
0 Karma

woodcock
Esteemed Legend

Show us the first 2 lines in our ip_intel lookup file.

0 Karma

dzejsonborn
New Member

I tried to use this:

| inputintelligence danme_tor_node_list_with_ports
| eval danme_tor_node_list_with_ports="true"
| outputlookup danme_tor_node_list_with_ports.csv
| lookup danme_tor_node_list_with_ports.csv ip name as Tor ip as All_Traffic.src_ip output ip
| where isnotnull(ip)

I do not have enough karma points to attach images

directory_port flags ip name router_port uptime version
"9030" "FHRSDV" "1.9.116.33" "myTORContributionM" "9001" "775237" "Tor 0.3.5.8"
"9030" "FGHRSDV" "100.14.173.231" "throughhere" "9001" "4928658" "Tor 0.3.5.8"

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...