We are getting close, thanks for the replies!
I tried this like niketnilay answered with modifications. It is very close, just have to get rid of the overlaps, see below.
index="security" interface=igb0 direction=in
| streamstats time_window=2min count as "attacks" dc(source_ip) as "attackers", dc(destination_port) as "attacked ports" first(_time) as FirstTime last(_time) as LastTime
| search attacks>150
| eval FirstTime=strftime(FirstTime,"%c")
| eval LastTime=strftime(LastTime,"%c")
| table attacks attackers "attacked ports" FirstTime LastTime
| sort -attacks
| dedup FirstTime
Got me this:
attacks  attackers  attacked ports  FirstTime                LastTime
902      90         106             Tue Jan 3 16:34:06 2017  Tue Jan 3 16:32:12 2017
693      69         81              Tue Jan 3 00:15:08 2017  Tue Jan 3 00:13:19 2017
691      68         79              Tue Jan 3 00:14:26 2017  Tue Jan 3 00:12:30 2017
565      91         22              Tue Jan 3 16:34:31 2017  Tue Jan 3 16:32:34 2017
426      70         14              Tue Jan 3 00:15:41 2017  Tue Jan 3 00:13:42 2017
371      70         13              Tue Jan 3 00:15:46 2017  Tue Jan 3 00:13:47 2017
339      34         44              Wed Jan 4 23:23:57 2017  Wed Jan 4 23:22:16 2017
264      33         41              Wed Jan 4 23:23:03 2017  Wed Jan 4 23:21:04 2017
262      91         19              Tue Jan 3 16:34:54 2017  Tue Jan 3 16:32:55 2017
248      34         41              Wed Jan 4 23:22:59 2017  Wed Jan 4 23:21:01 2017
239      35         12              Wed Jan 4 23:24:32 2017  Wed Jan 4 23:22:33 2017
202      35         41              Wed Jan 4 23:22:50 2017  Wed Jan 4 23:20:51 2017
Yes DalJeanis, I'm just looking for the peaks, but a timechart isn't accurate if the attack is cut into two time spans. Am I wrong?
I'm wondering why these don't have the same FirstTime... There are overlaps in the time ranges. This is due to the search attacks>150 after the streamline.
Any chance to get this into the stream as a condition?
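The overlap the poster sees follows from how a sliding window works: every event inside a burst gets its own 2-minute window, so one burst produces many rows above the threshold, each with a slightly different LastTime. The script below is an added example (not from the thread or from Splunk) that emulates `streamstats time_window=... count dc(...) first(_time) last(_time)` over a constructed event stream, applies the `attacks>150`-style filter with a parameterised threshold, and then merges windows whose spans overlap into one row per burst, which is the post-processing the poster is asking for. The event data, the base time, IP ranges, ports and the threshold of 15 are all constructed for the demo; `first` is taken as the newest time in the window and `last` as the oldest, which matches Splunk's default most-recent-first search order and explains why FirstTime is later than LastTime in the table above.

```python
"""Emulate Splunk streamstats over a sliding time window, then collapse
overlapping above-threshold windows into one row per burst.
Added example with constructed data; not code from the thread or from Splunk."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)  # same window as time_window=2min in the post


def make_events():
    """Constructed sample: one background event per minute (offset by 30 s)
    plus two short bursts of 20 events in 57 s from 5 distinct sources.
    Returns (time, source_ip, destination_port) tuples, oldest first."""
    t0 = datetime(2017, 1, 3, 16, 0, 0)  # assumed base time
    events = []
    for k in range(10):
        events.append((t0 + timedelta(seconds=30 + 60 * k), f"10.0.0.{k}", 22))
    for base, net in ((300, "203.0.113"), (1800, "198.51.100")):
        for i in range(20):
            events.append((t0 + timedelta(seconds=base + 3 * i),
                           f"{net}.{i % 5}", 1000 + i))
    return sorted(events)


def streamstats(events, window=WINDOW):
    """One row per event, like streamstats in Splunk's default (newest first)
    order: count, dc(source_ip), dc(destination_port), first(_time) and
    last(_time) over the events whose _time lies within `window` of it.
    `first_time` is the newest event in the window, `last_time` the oldest."""
    newest_first = sorted(events, key=lambda e: e[0], reverse=True)
    rows = []
    for idx, (t, _, _) in enumerate(newest_first):
        # events already seen are all newer than t; keep those within window
        in_window = [e for e in newest_first[:idx + 1] if e[0] <= t + window]
        rows.append({
            "attacks": len(in_window),
            "attackers": len({e[1] for e in in_window}),
            "attacked_ports": len({e[2] for e in in_window}),
            "first_time": in_window[0][0],  # newest event in the window
            "last_time": t,                 # oldest event = the current one
        })
    return rows


def merge_peaks(rows, events, threshold):
    """Keep windows with attacks > threshold (the `search attacks>150` step),
    then merge windows whose [last_time, first_time] spans overlap into a
    single burst, reporting the burst's peak count and its overall span."""
    hot = sorted((r for r in rows if r["attacks"] > threshold),
                 key=lambda r: r["last_time"])
    peaks = []
    for r in hot:
        if peaks and r["last_time"] <= peaks[-1]["end"]:
            p = peaks[-1]  # this window starts inside the current burst
            p["end"] = max(p["end"], r["first_time"])
            p["peak_attacks"] = max(p["peak_attacks"], r["attacks"])
            p["windows"] += 1
        else:
            peaks.append({"start": r["last_time"], "end": r["first_time"],
                          "peak_attacks": r["attacks"], "windows": 1})
    for p in peaks:  # distinct sources and ports across the whole burst
        span = [e for e in events if p["start"] <= e[0] <= p["end"]]
        p["attackers"] = len({e[1] for e in span})
        p["attacked_ports"] = len({e[2] for e in span})
    return peaks


def report(peaks):
    """Render merged bursts in the same column layout as the poster's table."""
    lines = ["peak_attacks attackers attacked_ports start end windows"]
    for p in peaks:
        lines.append(f'{p["peak_attacks"]} {p["attackers"]} {p["attacked_ports"]} '
                     f'{p["start"].strftime("%c")} {p["end"].strftime("%c")} '
                     f'{p["windows"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    evs = make_events()
    print(report(merge_peaks(streamstats(evs), evs, threshold=15)))
```

With the constructed data the raw streamstats filter returns 13 rows above the threshold (the same symptom as the poster's table), while `merge_peaks` reduces them to two bursts. The merge is deliberately done after the window statistics rather than inside them: a per-event window cannot know where a burst ends, so a condition "in the stream" would still emit one row per event, and the overlap has to be resolved in a second pass over the spans.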