Splunk Search

Tor traffic search feeds

New Member

Hi All,

I work with Datamodels, and trying to create search which will alert me about TOR communication.
Having some issues with enrichment. Can somebody help.

| eval TOR="iblocklist_tor"
| lookup ip_intel threat_key as TOR ip as All_Traffic.src_ip OUTPUT ip
| where isnotnull(ip)

Having some issues with enrichment. Can somebody help?

0 Karma
1 Solution

Esteemed Legend

The problem is that your lookup file does not contain the field threat_key so the right way to use it as-is is like this:

... | lookup ip_intel ip AS All_Traffic.src_ip OUTPUT ip AS was_found
| where isnotnull(was_found)
| fields - was_found

View solution in original post

0 Karma

Esteemed Legend

The problem is that your lookup file does not contain the field threat_key so the right way to use it as-is is like this:

... | lookup ip_intel ip AS All_Traffic.src_ip OUTPUT ip AS was_found
| where isnotnull(was_found)
| fields - was_found

View solution in original post

0 Karma

Esteemed Legend

Show us the first 2 lines in our ip_intel lookup file.

0 Karma

New Member

I tried to use this:

| inputintelligence danme_tor_node_list_with_ports
| eval danme_tor_node_list_with_ports="true"
| outputlookup danme_tor_node_list_with_ports.csv
| lookup danme_tor_node_list_with_ports.csv ip name as Tor ip as All_Traffic.src_ip output ip
| where isnotnull(ip)

I do not have enough karma points to attach images

directory_port flags ip name router_port uptime version
"9030" "FHRSDV" "1.9.116.33" "myTORContributionM" "9001" "775237" "Tor 0.3.5.8"
"9030" "FGHRSDV" "100.14.173.231" "throughhere" "9001" "4928658" "Tor 0.3.5.8"

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!