Hello all,
I have some IDS alerts "top src_ip,dest_ip" in which I want to see if the dest_ip is contacting the src_ip's. This would lead me to investigate the communications between the 2 IP's, else if the dest_ip is not communicating back, I would ignore and move on.
Top Src_IP (Internet) -> Top Dest_IP (Local) | HitCount
**1.2.3.4** -> 192.168.1.2 | 254
**4.3.2.1** -> 192.168.1.4 | 245
Lookup Table (Src_IP)
**1.2.3.4**
**4.3.2.1**
Search question: Is the Top Dest_IP's (Local) contacting back to Lookup Table Src_IP's (Internet):
Top Dest_IP (*aka new Src_IP*) -> Top Src_IP (* aka new Dest_IP*) | HitCount
192.168.1.2 -> **1.2.3.4** | 20
192.168.1.4 -> **4.3.2.1** | 30
I have been working with something like this: source="/var/log/alerts.log" dest_ip="192.168.*" [ search source="/var/log/alerts.log" dest_ip="192.168.*" | top src_ip,dest | table src_ip ] | top dest_ip,src_ip
I'm not getting any results -- I humbly assume it's my error -- I should be seeing some communication back.
Please double-check my design and thank you for all the help.
... View more