Splunk Search

create lookup for blacklisted ip address

asharma21193
New Member

I am trying to write a correlation search that fires if any host from my internal network (10.0.0.0/8), as a source or a destination, communicates with any host in the list of blacklisted subnets/IP addresses mentioned below:

47.114.37.0/24 49.85.84.0/24 61.111.20.129/32 62.217.245.69/32 109.166.202.229/32

0 Karma

alonsocaio
Contributor

Hi,

You can try a simple search like:

index=NETWORK_INDEX src_ip=10.0.0.0/8 AND (dest_ip=47.114.37.0/24 OR dest_ip=49.85.84.0/24 OR dest_ip=61.111.20.129/32 OR dest_ip=62.217.245.69/32 OR dest_ip=109.166.202.229/32)
| stats count by src_ip, dest_ip

Or using Network Traffic data model:

| from datamodel:Network_Traffic.All_Traffic
| search src_ip=10.0.0.0/8 AND (dest_ip=47.114.37.0/24 OR dest_ip=49.85.84.0/24 OR dest_ip=61.111.20.129/32 OR dest_ip=62.217.245.69/32 OR dest_ip=109.166.202.229/32)
| stats count by src_ip, dest_ip

A better approach is to use lookups.

If you have a lookup table with fields such as IP and STATUS, it is possible to create a lookup definition.

Supposing you have the lookup below, you can create a lookup definition named ip_blacklist:

ip,status
47.114.37.0/24,blacklist
49.85.84.0/24,blacklist
61.111.20.129/32,blacklist
62.217.245.69/32,blacklist
109.166.202.229/32,blacklist

After that, you can use the lookup and its fields in your search:

index=NETWORK_INDEX src_ip=10.0.0.0/8
| lookup ip_blacklist ip as dest_ip OUTPUT status
| where status="blacklist"
| stats count by src_ip, dest_ip

Or using Network Traffic data model:

| from datamodel:Network_Traffic.All_Traffic
| search src_ip=10.0.0.0/8
| lookup ip_blacklist ip as dest_ip OUTPUT status
| where status="blacklist"
| stats count by src_ip, dest_ip

0 Karma
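Two points a practitioner will want before turning the lookup answer above into a scheduled correlation search. First, a lookup matches by exact string unless its definition sets a match type: with the CSV as posted, an event carrying dest_ip=47.114.37.5 is compared against the literal text 47.114.37.0/24 and never matches. Setting match_type = CIDR(ip) on the lookup definition (in transforms.conf, or under Advanced options in Settings > Lookups > Lookup definitions) makes Splunk test the event's address against each subnet in the ip column. Second, the question asks about the internal host as source or destination, so the lookup has to be applied to both fields. The configuration below is an added example, not code from the original post or from Splunk; the app path, the CSV file name ip_blacklist.csv, the index name NETWORK_INDEX, the saved-search name and its schedule are assumptions.

```ini
# transforms.conf  (assumed path: $SPLUNK_HOME/etc/apps/search/local/transforms.conf)
# Lookup definition for the CSV posted above, saved as ip_blacklist.csv
# in the app's lookups/ directory (assumed file name).
[ip_blacklist]
filename    = ip_blacklist.csv
# Without match_type the "ip" column is compared as a plain string, so
# 47.114.37.5 never matches the row 47.114.37.0/24. CIDR(ip) makes the
# lookup test the event's address against each subnet in the column.
match_type  = CIDR(ip)
# An address can fall inside only one of the listed subnets, so one row is enough.
max_matches = 1

# savedsearches.conf  (assumed path: $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf)
# Scheduled correlation search: alert when a 10.0.0.0/8 host talks to a
# blacklisted address in either direction. Index name and schedule are assumptions.
[Internal host communicating with blacklisted IP]
enableSched            = 1
cron_schedule          = */5 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time   = now
# Fire whenever the search returns at least one row.
counttype              = number of events
relation               = greater than
quantity               = 0
alert.track            = 1
# The search: CIDR terms in the search command select internal traffic on
# either end; the lookup is then run once against src_ip and once against
# dest_ip, and "OUTPUT ip AS ..." returns the subnet row that matched.
# eval/cidrmatch picks out which end is the internal host for the report.
search = index=NETWORK_INDEX (src_ip=10.0.0.0/8 OR dest_ip=10.0.0.0/8) \
    | lookup ip_blacklist ip AS src_ip  OUTPUT status AS src_status,  ip AS src_subnet \
    | lookup ip_blacklist ip AS dest_ip OUTPUT status AS dest_status, ip AS dest_subnet \
    | where src_status="blacklist" OR dest_status="blacklist" \
    | eval internal_host=if(cidrmatch("10.0.0.0/8", src_ip), src_ip, dest_ip), \
           blacklisted_peer=coalesce(src_subnet, dest_subnet) \
    | stats count AS connections, min(_time) AS first_seen, max(_time) AS last_seen \
            by internal_host, src_ip, dest_ip, blacklisted_peer
```

After a restart or a debug/refresh, check the definition with | inputlookup ip_blacklist, then confirm the CIDR match behaves before scheduling: | makeresults | eval dest_ip="47.114.37.5" | lookup ip_blacklist ip AS dest_ip OUTPUT status should return status=blacklist, and the same search with dest_ip="47.114.38.5" should return nothing. In Splunk Enterprise Security a correlation search is a saved search with extra action.correlationsearch.* keys, so the same search string can be pasted into the Correlation Search editor instead of savedsearches.conf.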