Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

port sweep 1 source to multiple destination to more than 4 dest_ports

rahul_acc_splun
New Member
‎01-09-2018 09:49 AM

This is the query which is for port sweep------- 1source->dest_ips>800->1dest_port
| tstats summariesonly dc(All_Traffic.dest) AS count from datamodel=Network_Traffic by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port
| lookup application_protocol_lookup dest_port AS All_Traffic.dest_port transport AS All_Traffic.transport OUTPUT app
| drop_dm_object_name("All_Traffic") | search app=* | search src!="192.168.176.81" | where count>800
What if i want to reframe my query to more than 4 dest_ports -----1source-> dest_ips>800->dest_port>4

can you please help me with this

Tags (1)
0 Karma
Reply

micahkemp
Champion
‎01-09-2018 10:57 AM

Try something like:

| tstats summariesonly dc(All_Traffic.dest) AS count, dc(All_Traffic.dest_port) AS dest_port_count, values(All_Traffic.dest_port) AS dest_port from datamodel=Network_Traffic by All_Traffic.src,All_Traffic.transport
| lookup application_protocol_lookup dest_port AS All_Traffic.dest_port transport AS All_Traffic.transport OUTPUT app 
| drop_dm_object_name("All_Traffic") 
| search app=* dest_port_count>=4 count>800
| search src!="192.168.176.81"

When you want to count the dest_ports, you can't also include that field in your BY clause and included all dest_ports BY src/transport per result. I'm not convinced this is exactly the query you want, but it should point you in the right direction.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...