Solved: Tor traffic search feeds

dzejsonborn · ‎08-29-2019

Hi All,

I work with Datamodels, and trying to create search which will alert me about TOR communication.
Having some issues with enrichment. Can somebody help.

| eval TOR="iblocklist_tor"
| lookup ip_intel threat_key as TOR ip as All_Traffic.src_ip OUTPUT ip
| where isnotnull(ip)

Having some issues with enrichment. Can somebody help?

woodcock · ‎09-03-2019

The problem is that your lookup file does not contain the field threat_key so the right way to use it as-is is like this:

... | lookup ip_intel ip AS All_Traffic.src_ip OUTPUT ip AS was_found
| where isnotnull(was_found)
| fields - was_found

View solution in original post

woodcock · ‎09-03-2019

The problem is that your lookup file does not contain the field threat_key so the right way to use it as-is is like this:

... | lookup ip_intel ip AS All_Traffic.src_ip OUTPUT ip AS was_found
| where isnotnull(was_found)
| fields - was_found

woodcock · ‎09-01-2019

Show us the first 2 lines in our ip_intel lookup file.

dzejsonborn · ‎09-02-2019

I tried to use this:

| inputintelligence danme_tor_node_list_with_ports
| eval danme_tor_node_list_with_ports="true"
| outputlookup danme_tor_node_list_with_ports.csv
| lookup danme_tor_node_list_with_ports.csv ip name as Tor ip as All_Traffic.src_ip output ip
| where isnotnull(ip)

I do not have enough karma points to attach images

directory_port flags ip name router_port uptime version
"9030" "FHRSDV" "1.9.116.33" "myTORContributionM" "9001" "775237" "Tor 0.3.5.8"
"9030" "FGHRSDV" "100.14.173.231" "throughhere" "9001" "4928658" "Tor 0.3.5.8"

Tor traffic search feeds

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life