Splunk Search

search for IPs in a range (match) or not in a range (exclude)

cthacker
Explorer

I'm trying to filter out my logs for all non campus/company IPs. I'd like to be able to do different searches for "allowed", "deny|denied", etc. to see what connections are being attempted/made.

I followed the directions here:
http://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table

and created a separate csv file currently containing 3 subnets (eg: 123.123.0.0/16) but am not quite able to get the results that I'm looking for. It appears to be working but is drastically filtering out many results when a simple search for "123.123.." returns thousands more.

Using the latest version of Splunk, what is a simple way, or the best practice, for entering in a handful of subnets and then returning results based on whatever other criteria I'm interested in? ("allow*", "deny|denied", ports)

I am a Splunk novice and have just installed the trial so my experience is quite limited.

Thanks

0 Karma

kristian_kolb
Ultra Champion

Well. In order to make any real sense of your logs, especially if you do any aggregation, you'll want/need to extract the relevant information as fields.

Lookups are based on fields, i.e. given that you have a field 'first_name' with a value 'Bob' in an event, you can call for a lookup that returns the value of the 'last_name' column, on the row where the 'first_name' value is 'Bob'.

first_name  last_name
Alice       Appleby
Bob         Bacon
Crane       Caterpillar

The answer (as always) is Bacon.

NB, lookup files are comma separated. This is just for enhanced readability. You should probably read up on the tutorial section of the docs, which covers both fields and lookups.

Hope this helps,

K
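A worked illustration of the extract-fields-then-lookup approach described in this answer, added here and not code from the thread or from Splunk: it pulls IP addresses out of events shaped like the samples posted in the thread, checks each one against a small CIDR table in the CSV form the question describes, and returns either the matching ("company") or the non-matching ("exclude") events. The subnet labels, the sample CSV and the extraction regex are assumptions; in Splunk the equivalent table is a lookup definition with match_type = CIDR(<ip_field>) in transforms.conf.

```python
import csv
import io
import ipaddress
import re

# Constructed lookup CSV: a handful of subnets, as in the question (labels assumed).
SUBNETS_CSV = """subnet,site
123.123.0.0/16,campus
10.0.0.0/8,internal
192.168.0.0/16,lab
"""

# Constructed events mirroring the samples posted in the thread.
EVENTS = [
    "Accept TCP 114.64.273.236:58543 123.123.10.10:389 out via en0",
    "Accepted publickey for root from 12.34.56.78 port 53394 ssh2",
    "Failed none for invalid user carlos from 67.34.56.78 port 37228 ssh2",
    "Packet send failed to 34.44.128.35(137) ERRNO=No route to host",
]

# Dotted quad not glued to other digits/dots (so "1.2.3.4:389" and "1.2.3.4(137)" still match).
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def load_subnets(text):
    """Parse the lookup CSV into (network, label) pairs, like a CIDR-typed lookup."""
    return [(ipaddress.ip_network(row["subnet"]), row["site"])
            for row in csv.DictReader(io.StringIO(text))]


def extract_ips(event):
    """Field extraction: every valid IP in a raw event. Strings with an octet over
    255 (the sample's 114.64.273.236) are not addresses and are dropped; such
    values also never match a CIDR lookup, which is one way rows go missing."""
    ips = []
    for m in IP_RE.finditer(event):
        try:
            ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
    return ips


def lookup_site(ip, subnets):
    """Return the label of the first subnet containing ip, or None if no row matches."""
    return next((label for net, label in subnets if ip in net), None)


def split_events(events, subnets, match=True):
    """match=True keeps events with at least one company IP; match=False keeps
    events whose IPs all fall outside the lookup (the 'exclude' search)."""
    kept = []
    for ev in events:
        hit = any(lookup_site(ip, subnets) for ip in extract_ips(ev))
        if hit == match:
            kept.append(ev)
    return kept
```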

cthacker
Explorer

Accept TCP 114.64.273.236:58543 123.123.10.10:389 out via en0

read_data: read failure for 4 bytes to client 67.35.57.38. Error = Operation timed out

67.31.59.38 (67.31.59.38) closed connection to service clssignage

0 Karma

cthacker
Explorer

I copied the logs from a problematic OSX (*nix) server to a test installation of Splunk on a different server. I don't have the IPs extracted. I haven't read up on how to do that, or the benefits.

Here are some sample events. IPs have been changed to random numbers:

Accepted publickey for root from 12.34.56.78 port 53394 ssh2

Failed none for invalid user carlos from 67.34.56.78 port 37228 ssh2

Packet send failed to 34.44.128.35(137) ERRNO=No route to host

IP 164.64.273.236 - - [26/Aug/2013:15:31:18 -0800] "Saved for Reconnect User: asmith" 1377489588 2822 0

thank you

0 Karma

kristian_kolb
Ultra Champion

What is your input data, i.e. what logs do you use. Please post a few sample events.

Do you have the IPs as extracted fields, or is this purely free-text searching?

0 Karma