Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ChocolateRocket
ChocolateRocket
Explorer
Member since:
02-04-2024
03-13-2024
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 0 |
| Member Since | 02-04-2024 |
Activity Feed
- Posted Re: Geostats Cluster Map Help on Splunk Search. 03-12-2024 08:54 AM
- Posted Re: Geostats Cluster Map Help on Splunk Search. 03-09-2024 06:43 AM
- Posted Re: Geostats Cluster Map Help on Splunk Search. 03-09-2024 06:21 AM
- Karma Re: Geostats Cluster Map Help for marnall. 03-09-2024 06:19 AM
- Karma Re: Geostats Cluster Map Help for Richfez. 03-09-2024 06:19 AM
- Karma Re: Geostats Cluster Map Help for Richfez. 03-09-2024 06:18 AM
- Posted Geostats Cluster Map Help on Splunk Search. 03-08-2024 09:36 AM
- Posted Re: ASUS Router Query Super Thread on Splunk Search. 03-08-2024 06:10 AM
- Karma Re: ASUS Router Query Super Thread for batabay. 03-08-2024 06:10 AM
- Karma Re: ASUS Router Query Super Thread for PickleRick. 03-08-2024 06:09 AM
- Posted Re: ASUS Router Query Super Thread on Splunk Search. 03-08-2024 06:08 AM
- Posted Re: How to resolve crash events in windows application log for App: splunk-winevtlog.exe (eventcode = 1000)? on Splunk Enterprise. 03-07-2024 08:05 AM
- Posted Re: ASUS Router Query Super Thread on Splunk Search. 03-02-2024 09:17 AM
- Posted Re: ASUS Router Query Super Thread on Splunk Search. 02-16-2024 09:02 AM
- Posted Re: ASUS Router Query Super Thread on Splunk Search. 02-13-2024 02:04 PM
- Posted Re: Receiving error: Could not load lookup=LOOKUP-splunk_security_essentials on Splunk Search. 02-10-2024 10:04 AM
- Posted Re: Could not load lookup=LOOKUP-splunk_security_essentials on Splunk Search. 02-10-2024 08:27 AM
- Posted Re: ASUS Router Query Super Thread on Splunk Search. 02-05-2024 07:04 AM
- Posted ASUS Router Query Super Thread on Splunk Search. 02-04-2024 11:38 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
03-12-2024
08:54 AM
If that is correct, then the planet earth and all humanity is in the wrong hands. 🙂
... View more
03-09-2024
06:43 AM
So, why is Lat/Long included as a data point? Even the tutorial I'm following has the same result, but surely there is a way to not show these since its sort of meaningless? (And don't call me Shirley!) 🙂
... View more
03-09-2024
06:21 AM
Good lord. that was too easy. Appreciate the help. I keep forgetting I'm in a 'Nix world now. Thank goodness PowerShell doesn't mind capitalization rule breakage. 😄
... View more
03-08-2024
09:36 AM
Any reason why this can't be visualized in a geo cluster map? source="udp:514" index="syslog" NOT src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 17.0.0.0/8) action=DROP src_ip!="162.159.192.9" | iplocation src_ip | geostats count by country
... View more
Labels
- Labels:
-
count
03-08-2024
06:10 AM
You were correct - I added linux_secure and now src_ip is happier than "src".
... View more
03-08-2024
06:08 AM
Got it working after adding src_ip field. Splunk is a long journey to learning basic stuff 🙂 source="udp:514" index="syslog" NOT src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) action=DROP
... View more
03-07-2024
08:05 AM
We're getting hammered by these. 20k in 24 hours. 🙂
... View more
03-02-2024
09:17 AM
Still having issues trying to exclude private IPs. This works for individual IPs: index="syslog" process="kernel" SRC!=192.168.1.160 SRC!=0.0.0.0 But still can't exclude blocks. How can I exclude with wildcard the 192.x.x.x.? Tried this - source="udp:514" index="syslog" sourcetype="syslog" where not like(src, "%192%") Nooby blues. Google is not my friend today.
... View more
02-13-2024
02:04 PM
Still trying to only get the Russian IPs. 🙂 Still pulls the private IPs. 🙂
... View more
02-10-2024
10:04 AM
i renamed and replaced the directory with fresh download. Error has gone away but wondering if I broke a Security app that may have altered the files. Splunk is so massively large that its daunting for Newbs. 🙂 Glad I seemed to have gotten rid of the error though.
... View more
02-10-2024
08:27 AM
New Windows install and getting this error. Wish there was a simple fix as its polluting our POC for a large purchase to get away from other product(s).
... View more
02-05-2024
07:04 AM
Thanks, that query is still returning private 192.168.x.x src IPs.
... View more
02-04-2024
11:38 AM
Since I cannot find much on querying ASUS router syslogs, and I am completely new to Splunk, I thought I'd start a thread for other Google Travelers in the far future. I installed Splunk ENT yesterday and I am successfully sending syslogs. In my first self-challenge, I'm trying to build a query with just dropped packets for external IP sources, but its not working. source="udp:514" index="syslog" sourcetype="syslog" | where !(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("172.16.0.0/12", src)) The Raw data is below - I wanna filter out all 192 privates and just external addresses, like that darn external HP src IP (15.73.182.64). Feb 4 08:46:36 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=50 ID=43798 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D135F84C3294ECB) MARK=0x8000000 Feb 4 08:46:37 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=50 ID=43799 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D136188C3294ECB) MARK=0x8000000 Feb 4 08:46:38 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=50 ID=43800 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D136590C3294ECB) MARK=0x8000000 Feb 4 08:46:40 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=50 ID=43801 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D136DA0C3294ECB) MARK=0x8000000 Feb 4 08:46:44 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=49 ID=43802 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D137DC0C3294ECB) MARK=0x8000000 Feb 4 08:46:52 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=49 ID=43803 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D139E00C3294ECB) MARK=0x8000000 Feb 4 08:47:09 kernel: DROP IN=eth4 OUT= MAC=04:42:1a:51:a7:70:f8:5b:3b:3b:bd:e8:08:00 src=15.73.182.64 DST=192.168.1.224 LEN=82 TOS=0x00 PREC=0x00 TTL=49 ID=43804 DF PROTO=TCP SPT=5222 DPT=24639 SEQ=120455851 ACK=2704633958 WINDOW=23 RES=0x00 ACK PSH URGP=0 OPT (0101080A1D13DE80C3294ECB) MARK=0x8000000 Feb 4 08:47:17 kernel: DROP IN=eth4 OUT= MAC=ff:ff:ff:ff:ff:ff:28:11:a8:58:a6:ab:08:00 src=192.168.1.109 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=41571 PROTO=UDP SPT=137 DPT=137 LEN=58 MARK=0x8000000 Next question - would anyone be able to write an app that takes the external IPs and does a lookup against the AbusePDB API or other blacklist APIs?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-13-2024
10:21 AM
|
