Networking Archives -

Reflected DDoS Attack

(in reflected attacks a lotof external benign src’s send a lotof packets toward our servers, because our server’s IP spoofed before in request packets and were sent by attacker toward trusted servers and those trusted servers replied us instead of attacker ! )

index=firewall dest=(your company IP range, for example: 184.192.0.0/16)
(transport="udp" AND src_port IN(123,1900,0,53,5353,27015,19,20800,161,389,111,137,27005,520,6881,751,11211,1434,27960,17) AND src_port!=dest_port) OR ( (transport="tcp") AND src_port=80 AND dest_port!=80))
|bin _time span=5m
|fields src_port,dest,src
|stats count,dc(src) as src_count , dc(dest) as dest_count by src_port,_time
|eval First_Factor=src_count/dest_count (in reflected attacks this ratio is to high!)
|eval Final_Factor=First_Factor+count (the count of replies is another important factor )
|search Final_Factor>1200
|eval msg="Reflected DDoS Attack has been detected. "."count:".count." from ".src_count. " distict sources with same src_port:".src_port." on ". dest_count. " servers"
|fields msg

index=firewall dest=(your company IP range, for example: 184.192.0.0/16)

(transport="udp" AND src_port IN(123,1900,0,53,5353,27015,19,20800,161,389,111,137,27005,520,6881,751,11211,1434,27960,17) AND src_port!=dest_port) OR ( (transport="tcp") AND src_port=80 AND dest_port!=80))

|bin _time span=5m

|fields src_port,dest,src

|stats count,dc(src) as src_count , dc(dest) as dest_count by src_port,_time

|eval First_Factor=src_count/dest_count (in reflected attacks this ratio is to high!)

|eval Final_Factor=First_Factor+count (the count of replies is another important factor )

|search Final_Factor>1200

|eval msg="Reflected DDoS Attack has been detected. "."count:".count." from ".src_count. " distict sources with same src_port:".src_port." on ". dest_count. " servers"

|fields msg

Continue Reading →

1st time connection between servers (FTD CISCO)

Description: This query helps you to see all new connections between servers. Still work in progress and can be extended further. “White-listing” happens through the lookup files. Query:

index=nfw "Allow"
| rex (?:SrcIP.*\b(?<SrcIP>\d+\.\d+\.\d+\.\d+).*DstIP.*\b(?<DstIP>\d+\.\d+\.\d+\.\d+))
| stats count min(_time) AS earliest max(_time) AS maxtime BY SrcIP, DstIP
| where earliest>relative_time(now(), "-1d@d") AND count<=1
| search DstIP=10.0.0.0/8 AND NOT 
[| inputlookup networkdestip.csv 
| fields DstIP] 
| search SrcIP=10.0.0.0/8 AND NOT 
[| inputlookup networksrcip.csv
| fields SrcIP]
| fields SrcIP, DstIP

index=nfw "Allow"

| rex (?:SrcIP.*\b(?<SrcIP>\d+\.\d+\.\d+\.\d+).*DstIP.*\b(?<DstIP>\d+\.\d+\.\d+\.\d+))

| stats count min(_time) AS earliest max(_time) AS maxtime BY SrcIP, DstIP

| where earliest>relative_time(now(), "-1d@d") AND count<=1

| search DstIP=10.0.0.0/8 AND NOT

[| inputlookup networkdestip.csv

| fields DstIP]

| search SrcIP=10.0.0.0/8 AND NOT

[| inputlookup networksrcip.csv

| fields SrcIP]

| fields SrcIP, DstIP

Continue Reading →

Netflow Activity dashboard showing MB’s in to dest_ip

Description: Dashboard that helps me understand activity in my home lab looking at netflow data from my OPNsense firewall. This dashboard starts with a simple timechart that gives me a trend of average mb_in across all of my devices. I have OPNsense configured to send netflow data v9 to a Splunk independent stream forward which […]

Continue Reading →

F5 SL ASM iRule Parser for Hosted Deployments

sourcetype=f5:silverline:asm irule=* vs_ip=*
| rex "(?<log>.*)"
| eval log_stripped = replace(log, "\\\\","")
| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="
| spath input=data_section

sourcetype=f5:silverline:asm irule=* vs_ip=*

| rex "(?<log>.*)"

| eval log_stripped = replace(log, "\\\\","")

| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="

| spath input=data_section

Continue Reading →

Groundspeed Violation/Improbable Access

Oftentimes we are required to determine impossible or improbably access events. Typically, this is a relatively simple thing to do in a modern SIEM, however Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]

Continue Reading →

Investigate by MAC, IP all VPN authentications through CISCO_ISE

Helps to investigate authentications through CISCO_ISE device. This identifies who logs in, the MAC address and IP for any use cases

index=<your cisco index> "<your IP>"
|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)" 
|rex field=_raw "(?<IP><IP regex>)" 
|iplocation IP
|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type
|rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice> |convert ctime(Time)
|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In

index=<your cisco index> "<your IP>"

|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)"

|rex field=_raw "(?<IP><IP regex>)"

|iplocation IP

|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type

|rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice> |convert ctime(Time)

|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In

Continue Reading →

Investigate an IP through Palo Alto Logs

index=
<strong><your palo alto index> <IP you want to investigate></strong>
|stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"
|rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip

index=

|stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"

|rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip

Continue Reading →

Search All Traffic by src / action – Creates Table

This is a magical query for tracking down all internal resources connecting to or from external IPs and Countries

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"
| iplocation src 
| search Country=*
| table Country, src, action, bytes_out, packets_out 
| dedup src
| sort Country

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"

| iplocation src

| search Country=*

| table Country, src, action, bytes_out, packets_out

| dedup src

| sort Country

Continue Reading →

Blocked Firewall Scanning Activity with indicator if Source has been allowed.

This search is still a work in progress, but thought I would go ahead and post it. Currently use OPNsense firewall in my house. The purpose of the search is to identify blocked scanning activity on my firewall that does a 2nd search via a join to add if any src_ip that had been blocked […]

Continue Reading →

Sourcetype: Networking