
detecting port scanning using SPL splunk rule

I'm new to the Splunk language, and I'm trying to detect the scan of more than 100 specific ports (20, 21, 23, 80, 443) from a source IP address to a destination IP address. It did not give me any results although I am sure that there are results that correspond to this search.

I created the rule below:

index=network
| stats dc(destination_port) as number_destination_port by source_ip destination_ip
| where (number_destination_port>100 AND destination_port IN (20, 21, 23, 80, 443))

I know that the problem comes from the second condition of the where clause. Can you please give me advice on how to correct this alert and even refine it?

This is what I'm looking to detect: Port scanning detection

The second clause of the where command uses the IN operator, which is only available to the search and tstats commands. Use the in() function, instead.

index=network
| stats dc(destination_port) as number_destination_port by source_ip destination_ip
| where (number_destination_port>100 AND in(destination_port, 20, 21, 23, 80, 443))
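An added worked example, not code from the question or the answer above: one point neither post spells out is that stats only keeps the fields it groups by and the aggregates it computes, so any check on destination_port after the stats line has nothing to test against, whichever syntax is used. The detection has to carry the ports forward (values(destination_port)) and test that retained list, or filter on the port before aggregating. The Python below mirrors the intended SPL pipeline over a constructed set of events so the logic can be run offline: group by source and destination, count distinct ports, flag pairs above a threshold, and report which of the sensitive ports were touched. The IP addresses, the 120-port sweep and the threshold default are constructed for the example; the equivalent SPL in the docstring is an assumption about how the same logic would be written in Splunk, not the answerer's query.

```python
from collections import defaultdict

# Equivalent SPL shape this script imitates (assumed, not from the original post):
#   index=network
#   | stats dc(destination_port) AS number_destination_port,
#           values(destination_port) AS ports BY source_ip, destination_ip
#   | where number_destination_port > 100
#   | eval sensitive_ports = mvfilter(match(ports, "^(20|21|23|80|443)$"))
# The port test runs on the retained "ports" field, because destination_port
# itself no longer exists after stats.

# Constructed sample events (not from the original post): one noisy source
# sweeping 120 distinct ports on a single destination, and one benign client
# that only talks to 80 and 443 on the same host.
SAMPLE_EVENTS = (
    [{"source_ip": "10.0.0.5", "destination_ip": "10.0.0.20", "destination_port": p}
     for p in range(1, 121)]
    + [{"source_ip": "10.0.0.7", "destination_ip": "10.0.0.20", "destination_port": p}
       for p in (80, 443, 80)]
)

# Ports the question singles out; used for reporting, not as the trigger.
SENSITIVE_PORTS = {20, 21, 23, 80, 443}


def aggregate(events):
    """stats dc(destination_port), values(destination_port) by source_ip, destination_ip

    Returns {(source_ip, destination_ip): set_of_distinct_ports}. Only the
    grouping keys and the collected ports survive this step, just as in SPL.
    """
    groups = defaultdict(set)
    for event in events:
        key = (event["source_ip"], event["destination_ip"])
        groups[key].add(int(event["destination_port"]))
    return groups


def detect_port_scans(events, threshold=100, sensitive_ports=SENSITIVE_PORTS):
    """Flag (source, destination) pairs that touched more than `threshold`
    distinct ports, and list which sensitive ports were among them.

    `threshold` defaults to the question's 100; the sensitive-port check is
    done on the retained port set, the only place the information still lives.
    """
    alerts = []
    for (src, dst), ports in sorted(aggregate(events).items()):
        if len(ports) > threshold:
            alerts.append({
                "source_ip": src,
                "destination_ip": dst,
                "number_destination_port": len(ports),
                "sensitive_ports": sorted(ports & set(sensitive_ports)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_EVENTS):
        print(alert)
```

With the constructed data, only the 10.0.0.5 sweep is reported (120 distinct ports, of which 20, 21, 23 and 80 are in the sensitive set); the benign 10.0.0.7 client stays below the threshold. Note that requiring both "more than 100 distinct ports" and "the port is one of five specific ports" on the same event, as the original where clause tries to, can never be true for a single port value; treating the distinct-port count as the trigger and the sensitive ports as enrichment, as above, is the usual way to express that intent.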
