Networking Archives -

1st time connection between servers (FTD CISCO)

Description: This query helps you to see all new connections between servers. Still work in progress and can be extended further. “White-listing” happens through the lookup files. Query:

index=nfw "Allow"
| rex (?:SrcIP.*\b(?<SrcIP>\d+\.\d+\.\d+\.\d+).*DstIP.*\b(?<DstIP>\d+\.\d+\.\d+\.\d+))
| stats count min(_time) AS earliest max(_time) AS maxtime BY SrcIP, DstIP
| where earliest>relative_time(now(), "-1d@d") AND count<=1
| search DstIP=10.0.0.0/8 AND NOT 
[| inputlookup networkdestip.csv 
| fields DstIP] 
| search SrcIP=10.0.0.0/8 AND NOT 
[| inputlookup networksrcip.csv
| fields SrcIP]
| fields SrcIP, DstIP

index=nfw "Allow"

| rex (?:SrcIP.*\b(?<SrcIP>\d+\.\d+\.\d+\.\d+).*DstIP.*\b(?<DstIP>\d+\.\d+\.\d+\.\d+))

| stats count min(_time) AS earliest max(_time) AS maxtime BY SrcIP, DstIP

| where earliest>relative_time(now(), "-1d@d") AND count<=1

| search DstIP=10.0.0.0/8 AND NOT

[| inputlookup networkdestip.csv

| fields DstIP]

| search SrcIP=10.0.0.0/8 AND NOT

[| inputlookup networksrcip.csv

| fields SrcIP]

| fields SrcIP, DstIP

Continue Reading →

Netflow Activity dashboard showing MB’s in to dest_ip

Description: Dashboard that helps me understand activity in my home lab looking at netflow data from my OPNsense firewall. This dashboard starts with a simple timechart that gives me a trend of average mb_in across all of my devices. I have OPNsense configured to send netflow data v9 to a Splunk independent stream forward which […]

Continue Reading →

F5 SL ASM iRule Parser for Hosted Deployments

sourcetype=f5:silverline:asm irule=* vs_ip=*
| rex "(?<log>.*)"
| eval log_stripped = replace(log, "\\\\","")
| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="
| spath input=data_section

sourcetype=f5:silverline:asm irule=* vs_ip=*

| rex "(?<log>.*)"

| eval log_stripped = replace(log, "\\\\","")

| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="

| spath input=data_section

Continue Reading →

Groundspeed Violation/Improbable Access

Oftentimes we are required to determine impossible or improbably access events. Typically, this is a relatively simple thing to do in a modern SIEM, however Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]

Continue Reading →

Investigate by MAC, IP all VPN authentications through CISCO_ISE

Helps to investigate authentications through CISCO_ISE device. This identifies who logs in, the MAC address and IP for any use cases

index=<your cisco index> "<your IP>"
|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)" 
|rex field=_raw "(?<IP><IP regex>)" 
|iplocation IP
|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type
|rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice> |convert ctime(Time)
|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In

index=<your cisco index> "<your IP>"

|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)"

|rex field=_raw "(?<IP><IP regex>)"

|iplocation IP

|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type

|rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice> |convert ctime(Time)

|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In

Continue Reading →

Investigate an IP through Palo Alto Logs

index=
<strong><your palo alto index> <IP you want to investigate></strong>
|stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"
|rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip

index=

|stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"

|rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip

Continue Reading →

Search All Traffic by src / action – Creates Table

This is a magical query for tracking down all internal resources connecting to or from external IPs and Countries

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"
| iplocation src 
| search Country=*
| table Country, src, action, bytes_out, packets_out 
| dedup src
| sort Country

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"

| iplocation src

| search Country=*

| table Country, src, action, bytes_out, packets_out

| dedup src

| sort Country

Continue Reading →

Blocked Firewall Scanning Activity with indicator if Source has been allowed.

This search is still a work in progress, but thought I would go ahead and post it. Currently use OPNsense firewall in my house. The purpose of the search is to identify blocked scanning activity on my firewall that does a 2nd search via a join to add if any src_ip that had been blocked […]

Continue Reading →

Sourcetype: Networking