Solved: Tor traffic search feeds

dzejsonborn · ‎08-29-2019

Hi All,

I work with Datamodels, and trying to create search which will alert me about TOR communication.
Having some issues with enrichment. Can somebody help.

| eval TOR="iblocklist_tor"
| lookup ip_intel threat_key as TOR ip as All_Traffic.src_ip OUTPUT ip
| where isnotnull(ip)

Having some issues with enrichment. Can somebody help?

woodcock · ‎09-03-2019

The problem is that your lookup file does not contain the field threat_key so the right way to use it as-is is like this:

... | lookup ip_intel ip AS All_Traffic.src_ip OUTPUT ip AS was_found
| where isnotnull(was_found)
| fields - was_found

View solution in original post

woodcock · ‎09-03-2019

The problem is that your lookup file does not contain the field threat_key so the right way to use it as-is is like this:

... | lookup ip_intel ip AS All_Traffic.src_ip OUTPUT ip AS was_found
| where isnotnull(was_found)
| fields - was_found

woodcock · ‎09-01-2019

Show us the first 2 lines in our ip_intel lookup file.

dzejsonborn · ‎09-02-2019

I tried to use this:

| inputintelligence danme_tor_node_list_with_ports
| eval danme_tor_node_list_with_ports="true"
| outputlookup danme_tor_node_list_with_ports.csv
| lookup danme_tor_node_list_with_ports.csv ip name as Tor ip as All_Traffic.src_ip output ip
| where isnotnull(ip)

I do not have enough karma points to attach images

directory_port flags ip name router_port uptime version
"9030" "FHRSDV" "1.9.116.33" "myTORContributionM" "9001" "775237" "Tor 0.3.5.8"
"9030" "FGHRSDV" "100.14.173.231" "throughhere" "9001" "4928658" "Tor 0.3.5.8"

Tor traffic search feeds

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?