05-23-2012
10:12 PM
This search only searches for a set of log messages that contain the TCP protocol, an info field value that contains SYN, the same dest field value and eventcount >= 20 (for 20 consecutive log messages). How do I change this search expression so that it also checks for log messages that contain the TCP protocol, the same dest field and an info field value that contains FIN and ACK, such that Splunk produces the same result?
protocol="TCP" |where match(info, "SYN") |transaction dest |search eventcount>=20
- Tags:
- search
05-22-2012
01:50 AM
Okay. I understand.
05-22-2012
01:25 AM
I also need another criterion: the src field values and the dest field values are the same for the two log messages. How do I combine the two criteria with the search expression that you stated above?
05-20-2012
08:19 PM
Let's say I have Splunk monitoring a log file that contains two log messages that look like this:
Tue Mar 06 07:41:28 SGT 2012 no = 8 time = 30.614993 src = 10.1.1.1 dest = 129.111.30.27 protocol = IPv4 length = 70 info = "Fragmented IP protocol (proto=UDP 0x11, off=0, ID=00f2) "
Tue Mar 06 07:41:29 SGT 2012 no = 9 time = 30.615348 src = 10.1.1.1 dest = 129.111.30.27 protocol = UDP length = 38 info = "Source port: 31915 Destination port: 20197 [BAD UDP LENGTH 36 > IP PAYLOAD LENGTH] "
I would like to have the ALERT triggered in real time whenever Splunk detects these two messages that contain the same src field value, the same dest field value, and an info field that contains this value "Fragmented IP protocol (proto=UDP 0x11, off=0, ID=00f2)" and an info field that contains "Source port: 31915 Destination port: 20197 [BAD UDP LENGTH 36 > IP PAYLOAD LENGTH]".
What would be the custom condition?
04-27-2012
12:28 AM
I asked again because I thought my question wasn't clear enough.
04-27-2012
12:06 AM
Sorry, I beg your pardon. What I mean is I would like this kind of alert to be triggered whenever the CONSECUTIVE log events contain protocol = TCP AND the same dest field values AND the info field contains the word "SYN", e.g. trigger the alert whenever the above conditions (in bold) I mentioned appear more than 20 times. Is it going to be the same search statement? Or replace | with &&? I just need to clarify.
04-26-2012
05:34 PM
Thanks for the answer.
04-26-2012
05:34 PM
I wasn't present when you replied to my question, so now that I'm online I can mark your answer. I'm quite sorry to have kept you waiting.
04-26-2012
01:35 AM
1 Karma
I would like to know where I get to this create alert dialog box shown below. I clicked the create button on the search app and then clicked alert.., but I do not see the tabs save search, set up alert and define actions.
- Tags:
- alerts
04-26-2012
01:18 AM
1 Karma
Let's say I have a set of log events like this in the search app of Splunk:
Thu Apr 26 09:39:22 SGT 2012 INFO no = 1 time = 0.000000 src = 164.124.33.78 dest = 192.168.0.1 protocol = TCP length = 54 info = "35165 > 80 [SYN] Seq=0 Win=16384 Len=0 "
Thu Apr 26 09:39:22 SGT 2012 INFO no = 2 time = 0.000001 src = 38.198.26.9 dest = 192.168.0.1 protocol = TCP length = 54 info = "14378 > 80 [SYN] Seq=0 Win=16384 Len=0 "
Thu Apr 26 09:39:22 SGT 2012 INFO no = 3 time = 0.000003 src = 132.212.36.201 dest = 192.168.0.1 protocol = TCP length = 54 info = "31944 > 80 [SYN] Seq=0 Win=16384 Len=0 "
I clicked the create button > alert. Then I chose "monitor in real time over a rolling window of..", and under trigger I selected "custom condition is set" from the drop-down menu. I would like to create the alert that would be triggered when the custom condition is set.
I would like this kind of alert to be triggered whenever the CONSECUTIVE log events contain protocol = TCP, the same dest field values and the info field contains the word "SYN", e.g. trigger the alert whenever the above conditions (in bold) I mentioned appear more than 20 times.
The question is how do I create the custom condition so that it would satisfy the above conditions (in bold) I mentioned.
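An added example, not code from these posts or from Splunk: a Python approximation of the alert condition described in this post (consecutive TCP events to the same dest whose info contains SYN, 20 or more in a row) and of the FIN/ACK variant asked about in the 05-23-2012 post, run over constructed log lines in the format shown above. The regex, the `find_runs` function and the sample data are assumptions for illustration; note that a consecutive-run check is stricter than Splunk's `transaction dest`, which groups by dest even when unrelated events are interleaved.

```python
import re
from collections import namedtuple

# Regex for the log line format the posts show (constructed to match lines such as
# 'Thu Apr 26 09:39:22 SGT 2012 INFO no = 1 time = 0.000000 src = 164.124.33.78 dest = 192.168.0.1 protocol = TCP length = 54 info = "35165 > 80 [SYN] ..."').
LINE_RE = re.compile(
    r'no = (?P<no>\d+) time = (?P<time>[\d.]+) src = (?P<src>\S+) dest = (?P<dest>\S+) '
    r'protocol = (?P<protocol>\S+) length = (?P<length>\d+) info = "(?P<info>[^"]*)"'
)
Event = namedtuple("Event", "no src dest protocol info")

def parse_line(line):
    """Extract the fields the alert condition needs; None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Event(int(m["no"]), m["src"], m["dest"], m["protocol"], m["info"].strip())

def find_runs(lines, flag="SYN", threshold=20):
    """Return (dest, count) for each maximal run of CONSECUTIVE events that are
    protocol TCP, share the same dest and carry `flag` in info, when count >= threshold.
    Unlike Splunk's `transaction dest`, an intervening non-matching event ends the run."""
    runs = []
    current_dest, count = None, 0
    for line in lines:
        ev = parse_line(line)
        matches = ev is not None and ev.protocol == "TCP" and flag in ev.info
        if matches and ev.dest == current_dest:
            count += 1                                   # run continues
        else:
            if count >= threshold:
                runs.append((current_dest, count))       # close the previous run
            current_dest, count = (ev.dest, 1) if matches else (None, 0)
    if count >= threshold:                               # a run may end at the last line
        runs.append((current_dest, count))
    return runs

def make_line(no, src, dest, proto, info):
    """Build a constructed log line in the format the posts show."""
    return (f"Thu Apr 26 09:39:22 SGT 2012 INFO no = {no} time = {no / 1e6:.6f} src = {src} "
            f'dest = {dest} protocol = {proto} length = 54 info = "{info} "')

# Constructed sample: 25 SYNs to one host, one unrelated UDP line, then 5 FIN/ACKs to another host.
SAMPLE = [make_line(i, f"10.0.0.{i}", "192.168.0.1", "TCP", f"{30000 + i} > 80 [SYN] Seq=0 Win=16384 Len=0")
          for i in range(1, 26)]
SAMPLE.append(make_line(26, "10.0.0.9", "192.168.0.1", "UDP", "Source port: 31915 Destination port: 20197"))
SAMPLE += [make_line(i, "10.0.0.1", "192.168.0.2", "TCP", "31944 > 80 [FIN, ACK] Seq=1 Ack=1 Win=16384 Len=0")
           for i in range(27, 32)]
```

`find_runs(SAMPLE)` reports the 25-event SYN run to 192.168.0.1; `find_runs(SAMPLE, flag="FIN, ACK", threshold=5)` reports the FIN/ACK run to 192.168.0.2.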
04-25-2012
02:04 AM
I monitored a log file located on my local PC using Splunk. I created the alert that monitors matching results in real time within a rolling window. In the Splunk search app, I clicked create>alerts. I followed the steps to create that kind of alert in Splunk's documentation. I created the alerts in the alert manager. After creating, I went to Manager>Searches and reports>SYN-Flood Alert (the name of the alert) to change Splunk's search command so that the search command would match whenever the log data matches the search, and then the alert would be triggered. However, I do not see the alerts triggered immediately after I created the alert and modified the search command for that particular alert. Why is this so? Is there any way that I can make sure the alert is triggered in the alert manager?
- Tags:
- alerts
04-23-2012
06:50 AM
I would like to use Splunk to detect Denial of Service log anomalies. I used Wireshark as a source to get log data. I'm new to denial of service attacks and I would like to clarify.
First Question: Is Denial of Service considered an Intrusion?
If Yes,
Second Question: So if Denial of Service is a form of intrusion, does that mean I have to use TCPDUMP to get log data, since it is an intrusion detection system, and not Wireshark, because Wireshark is not exactly an intrusion detection system? Is that right?
If Yes,
Third Question: The log data that I would like to create would come from the packet data obtained from the intrusion detection system. Am I right to say that this log data in Splunk should contain fields based on the Common Information Model such as signature, dvc, category, severity, src, dest, user, vendor, product, ids_type under the Intrusion Detection category? Is that right?
So all this information I can get from the data that comes from the intrusion detection system, right?
04-22-2012
06:41 PM
What is a feature of tcpdump that makes it suitable for detecting Denial of Service attacks?
04-20-2012
12:04 AM
What does the action field for network protection/traffic represent? Does it represent the action of the packet?
04-19-2012
11:41 PM
Let's say I want to monitor the traffic of the network, as in detecting Denial of Service attacks; the log message should contain the fields under the network protection category of the Common Information Model. Is that true?
04-19-2012
07:24 PM
I would like to create log messages that would be used for log analysis using Splunk, such as checking for occurrences of Denial of Service attacks. What would be the best logging practices for that, as in what is the most important information that I should be displaying in the log messages?
04-18-2012
05:15 AM
Okay. Understood.
04-18-2012
02:19 AM
1 Karma
Based on the question asked at http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file
Jerrad showed a sample log output. So the log output is shown in the Splunk search app whenever you search for this sample log data? So how did Jerrad manage to output the sample log:
Mar 25, 2011 03:12:25.154535000 0x0c038f47 0x1496242c 11.11.11.11 128 0x584f9ea0 10.10.10.10 00:00:00:00:00:00 00:00:00:00:00:00
from the Wireshark pcap txt file? As in GETTING LOGS OUT from the Wireshark capture file in txt form? Does anyone have any idea?
So just to ask. That means, to get the logs from the Wireshark pcap txt file, set the capture settings in the first place and what you choose to save, then create field extractions in props.conf and transforms.conf? Is it? Is that the way to do it? Overall I would like to know the whole process of doing this because I still don't understand the answers given for the question: http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file
04-17-2012
10:25 PM
Let's say I have already converted a Wireshark pcap file to a Windows text file; do I need to "format" the data from the Wireshark txt file into log data if I want to monitor the Wireshark text data using Splunk? I went to Splunk manager > data inputs > Add data > Files and Directories > Data Preview > Add New. Under the Add new section I selected "Continuously index data from a file or directory this Splunk instance can access", then I entered the path of the Wireshark Windows txt file and saved the settings.
After that I went to Splunk's search app to view the logs.
The logs appeared too strange to me:
2:36:17.000 PM
Frame 1: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options
2 » 2/2/10
10:40:36.412 PM
Arrival Time: Feb 2, 2010 22:40:36.412684000 Malay Peninsula Standard Time
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options
3 » 2/2/10
10:40:36.412 PM
Arrival Time: Feb 2, 2010 22:40:36.412682000 Malay Peninsula Standard Time
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options
4 » 2/2/10
10:40:36.412 PM
Arrival Time: Feb 2, 2010 22:40:36.412681000 Malay Peninsula Standard Time
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options
Then some look like this :
41 » 2/2/10
10:40:36.411 PM
Arrival Time: Feb 2, 2010 22:40:36.411832000 Malay Peninsula Standard Time
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options
42 » 2/2/10
10:40:36.000 PM
Epoch Time: 1265121636.412684000 seconds
[Time delta from previous captured frame: 0.000002000 seconds]
[Time delta from previous displayed frame: 0.000002000 seconds]
[Time since reference or first frame: 0.000852000 seconds]
Frame Number: 40
Frame Length: 54 bytes (432 bits)
Capture Length: 54 bytes (432 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp]
Show all 66 lines
host=TokJunXin-PC Options| sourcetype=logcapture Options| source=C:UsersTok Jun XinDesktoplogcapture.txt Options
43 » 2/2/10
10:40:36.000 PM
Epoch Time: 1265121636.412682000 seconds
[Time delta from previous captured frame: 0.000001000 seconds]
[Time delta from previous displayed frame: 0.000001000 seconds]
[Time since reference or first frame: 0.000850000 seconds]
Frame Number: 39
Frame Length: 54 bytes (432 bits)
Capture Length: 54 bytes (432 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp]
Show all 67 lines
The raw data for each log event shown for the Wireshark txt file source doesn't seem right to me. I would like to know if there is any way to display the Wireshark capture data in the Windows txt file as log events correctly, as in getting logs out of Wireshark pcap files?
04-17-2012
02:37 AM
Is this the question you are referring to? I had a sample Wireshark capture data file as a txt file that contains an occurrence of a SYN Flood. I would like Splunk to monitor that file only, without any real-time monitoring for the time being; then I will switch to real-time monitoring. The capture file as well as Splunk are located on the same local PC.
04-17-2012
02:28 AM
So even if I use Wireshark, which you claim isn't the best tool, it is still possible to monitor its capture files; it's just not a good tool, that's all. I just want to be able to monitor Wireshark's capture files as txt files using Splunk; that's all for the time being.
04-17-2012
02:25 AM
Obviously I am the one asking the question. So Snort is the best tool? Snort runs as a command line, is it?