All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where can I find more information about how to use the interesting ports lookup table?

Mitchellsch
Explorer
‎12-30-2015 10:54 AM

I've been reading this link here http://docs.splunk.com/Documentation/PCI/2.1.1/Install/Configureinterestingports and I need more information on how I can create a search using a network datamodel. I want to be able to create a search that uses this lookup table to show all the drops or blocks from certain IPs. I know that I can edit the lookup table that splunk has to add what I need but I need more information than this link provides. Any help would be great. Thanks.

Reply

jkat54
SplunkTrust
SplunkTrust
‎12-30-2015 11:43 AM

If you're just adding the "interesting ports" you want to the lookup table it should be as simple as opening the csv and filling in the blanks. putting data into the correct comma separated value will be important too.

The example doesnt show the csv headers, but I assume these are them:
app,dest,dest_pci_domain,dest_port,transport,is_required,is_prohibited,is_secure,note

So that this line in the csv:
mail,127.0.0.1,*,25,tcp,false,false,false, Any host can communicate with itself on TCP port 25 in all domains. Please don't bug me if it does.

would create these KvPs:
app = mail
dest = 127.0.0.1
dest_pci_domain = *
dest_port = 25
transport = tcp
is_required = false
is_prohibited = false
is_secure = false
note = Any host can communicate with itself on TCP port 25 in all domains. Please don't bug me if it does.

And this lookup table isnt going to give you any details about blocked/dropped packets. As the link says Interesting Ports contains a list of TCP and UDP ports that are required, prohibited, or insecure in your deployment. The PCI DSS requires that network ports on servers in the PCI domain be tracked. Solutions administrators should set a policy defining the allowed and disallowed ports. It doesnt contain a list of dropped/blocked connections to be used within a data model.

0 Karma
Reply

Mitchellsch
Explorer
‎12-30-2015 03:56 PM

I appreciate the help on this. I know it doesn't have a list of the dropped ports in the header. I was hoping to find a way use this lookup table in searching for blocked or dropped ones. How do I use this information from this table to do this?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-30-2015 04:29 PM

why wouldnt you just index=foo action=blocked OR action=dropped or something similar? You should have an index with your firewall data, another with your ids/ips data, maybe another with switch data, and another for cisco asa or palo alto etc... Those indexes will contain events that have what you're looking for, not the lookup tables.

So give me an example of an event in whatever index has "dropped / blocked" events, and I'll write a search for you that you can use in a data model or wherever.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...