Hello splunkfans,
I'm kind of running out of ideas and this is my first contact with streamstats. 😕
I am working on a statistic of botnet portscans on my firewall logs. The goal is, based on the firewall events on a specific interface and direction, to show how many different public IPs have scanned how many dest_ports, events=attacks, and in what time range.
The break where I assume it is a botnet portscan is when I get over 150 events in a 2 min flow.
Here is my search:
index="security" interface=igb0 direction=in | streamstats time_window=2min count(_raw) as "attacks" distinct_count(source_ip) as "attackers", distinct_count(destination_port) as "attacked ports" | search attacks>150
What I am looking at due to my search is a nice timeline over the last 3 days with 3 peaks that represent the time_window=2min of my streamstats.
My goal is just to get a table of these peaks and the time range in which they occurred.
Like this: table attacks, attackers, "attacked ports", //"timerange first and last event"//
The problem I have is that this table without time (as I have no solution for that) shows me all streamstats events like this:
attacks  attackers  attacked ports
151      34         9
152      34         9
153      34         9
154      34         10
155      34         10
156      34         10
157      34         10
The search result of just the streamstats is of course the events themselves that are relevant in the time_window.
How can I get just the peaks of this and the time range between the first and last event of these?
I tried so many combos with max() and top, but as I don't know how many peaks will occur, I can't regulate the top.
A timechart seems to be a dirty solution with span=2min, but a portscan can happen between 00:01:45 and 00:02:15 and would be split in half and not recognised.
Can anyone guide me in the right direction on how to get the tops of this stream? 🙂
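The two steps the question is really asking for, as an added example that is not part of the post (and not SPL): first compute the trailing 2-minute window stats for every event, which is what streamstats time_window=2min yields, then merge each run of consecutive over-threshold rows into a single peak row carrying the maximum counts and the first/last event time. The firewall events are constructed in the script (field names `source_ip` and `destination_port` follow the post; the sample addresses, ports and timestamps are invented), including a burst that sits between 00:01:45 and 00:02:15 so it would be cut by a fixed span=2min.

```python
# Added example, not the post's own search: trailing 2-minute window stats per event
# (what streamstats time_window=2min produces), then one row per peak with its time range.
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)
THRESHOLD = 150  # "over 150 events in a 2 min flow", as in the post


def window_stats(events, window=WINDOW):
    """events: (time, src_ip, dport) sorted by time -> per-event stats of the trailing window."""
    buf, rows = deque(), []
    for ts, src, dport in events:
        buf.append((ts, src, dport))
        while ts - buf[0][0] > window:  # age out events older than the window
            buf.popleft()
        rows.append({"time": ts, "window_start": buf[0][0], "attacks": len(buf),
                     "attackers": len({e[1] for e in buf}),
                     "attacked_ports": len({e[2] for e in buf})})
    return rows


def find_peaks(rows, threshold=THRESHOLD):
    """Merge each run of consecutive over-threshold rows into one peak.
    first = oldest event in the window when the threshold was crossed, last = last row still over it."""
    peaks, cur = [], None
    for r in rows:
        if r["attacks"] > threshold:
            if cur is None:
                cur = {"first": r["window_start"], "last": r["time"], "attacks": r["attacks"],
                       "attackers": r["attackers"], "attacked_ports": r["attacked_ports"]}
            else:
                cur["last"] = r["time"]
                for k in ("attacks", "attackers", "attacked_ports"):
                    cur[k] = max(cur[k], r[k])
        elif cur is not None:
            peaks.append(cur)
            cur = None
    if cur is not None:
        peaks.append(cur)
    return peaks


def constructed_events():
    """Constructed sample: sparse background traffic plus a 160-event burst from 40 sources
    against 10 ports between 00:01:45 and 00:02:15, straddling a span=2min boundary."""
    base = datetime(2024, 1, 1)
    background = [(base + timedelta(minutes=5 * i), "10.0.0.1", 443) for i in range(6)]
    burst = [(base + timedelta(seconds=105 + 0.1875 * i), f"203.0.113.{i % 40}", 1000 + i % 10)
             for i in range(160)]
    return sorted(background + burst)
```

On the constructed data this yields a single peak row (160 attacks, 40 attackers, 10 ports, 00:01:45 to 00:02:14.8) instead of the ten over-threshold rows streamstats alone would show. The same shape carries over to SPL as an assumption: keep the streamstats window, then group the consecutive over-threshold events and take min(_time)/max(_time) per group.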