Blocked Firewall Scanning Activity with indicator if Source has been allowed.

This search is still a work in progress, but thought I would go ahead and post it.  Currently use OPNsense firewall in my house.  The purpose of the search is to identify blocked scanning activity on my firewall that does a 2nd search via a join to add if any src_ip that had been blocked was actually allowed through my firewall.  You will need to adjust the 2 base searches to match your environment. If you find a better way, please share to improve this search.

Change index=* to match your index name.

index=* sourcetype="opnsense:filterlog" action=block src_ip!= | iplocation src_ip
| fillnull value=null Country | stats count by src_ip dest_port Country | eval dest_port_bar="".count." attempts on port "+dest_port | stats list(dest_port_bar) as "Ports" dc(dest_port) as "Number of Ports scanned" sum(count) as Total by src_ip Country | sort - "Number of Ports scanned"| join src_ip type=left
   [| search index=opnsense sourcetype="opnsense:filterlog" action=pass src_ip!= | eval Allowed_Traffic=if(in(action, "pass"),"Yes","No")
| table Allowed_Traffic src_ip] 
| fillnull value=No Allowed_Traffic
Share This:

Leave A Comment?