Re: port sweep 1 source to multiple destination to...

rahul_acc_splun · ‎01-09-2018

This is the query which is for port sweep------- 1source->dest_ips>800->1dest_port
| tstats summariesonly dc(All_Traffic.dest) AS count from datamodel=Network_Traffic by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port
| lookup application_protocol_lookup dest_port AS All_Traffic.dest_port transport AS All_Traffic.transport OUTPUT app
| drop_dm_object_name("All_Traffic") | search app=* | search src!="192.168.176.81" | where count>800
What if i want to reframe my query to more than 4 dest_ports -----1source-> dest_ips>800->dest_port>4

can you please help me with this

micahkemp · ‎01-09-2018

Try something like:

| tstats summariesonly dc(All_Traffic.dest) AS count, dc(All_Traffic.dest_port) AS dest_port_count, values(All_Traffic.dest_port) AS dest_port from datamodel=Network_Traffic by All_Traffic.src,All_Traffic.transport
| lookup application_protocol_lookup dest_port AS All_Traffic.dest_port transport AS All_Traffic.transport OUTPUT app 
| drop_dm_object_name("All_Traffic") 
| search app=* dest_port_count>=4 count>800
| search src!="192.168.176.81"

When you want to count the dest_ports, you can't also include that field in your BY clause and included all dest_ports BY src/transport per result. I'm not convinced this is exactly the query you want, but it should point you in the right direction.

port sweep 1 source to multiple destination to more than 4 dest_ports

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor