I'm new to the Splunk language, and I'm trying to detect the scan of more than 100 specific ports (20, 21, 23, 80, 443) from a source IP address to a destination IP address. It did not give me any results, although I am sure that there are results that correspond to this search.
I created the rule below:
index=network
| stats dc(destination_port) as number_destination_port by source_ip destination_ip
| where (number_destination_port>100 AND destination_port IN (20, 21, 23, 80, 443))
I know that the problem comes from the second condition of the where clause. Can you please give me advice on how to correct this alert and even refine it?
This is what I'm looking to detect: port scanning detection.
The second clause of the where command uses the IN operator, which is only available to the search and tstats commands. Use the in() function instead.
index=network
| stats dc(destination_port) as number_destination_port by source_ip destination_ip
| where (number_destination_port>100 AND in(destination_port, 20, 21, 23, 80, 443))
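An added example, not part of the original question or answer, showing the detection logic of the thread in plain Python over constructed events so the order of operations is visible: the port filter has to be applied to individual events before the distinct-port count, because after `stats dc(destination_port) ... by source_ip destination_ip` the field `destination_port` no longer exists in the result rows and any `where` on it matches nothing. In SPL the same ordering means putting the port condition in the base search (for example `index=network destination_port IN (20, 21, 23, 80, 443) | stats dc(destination_port) as number_destination_port by source_ip destination_ip | where number_destination_port > 3`). The sample events, field names, and the thresholds `threshold=100` and `min_ports=3` are assumptions made for this example; the original ">100" cannot be satisfied by a five-port set, so the watched-port sweep uses its own threshold.

```python
from collections import defaultdict

# Constructed sample events (not real logs): one dict per network event,
# using the same field names as the Splunk search in the thread.
SAMPLE_EVENTS = [
    {"source_ip": "10.0.0.5", "destination_ip": "10.0.0.9", "destination_port": p}
    for p in range(1, 151)  # a wide scan: 150 distinct destination ports
] + [
    {"source_ip": "10.0.0.7", "destination_ip": "10.0.0.9", "destination_port": p}
    for p in (80, 443, 80, 443)  # ordinary web traffic: only 2 distinct ports
] + [
    {"source_ip": "10.0.0.8", "destination_ip": "10.0.0.9", "destination_port": p}
    for p in (20, 21, 23, 80, 443)  # a probe of exactly the watched service ports
]

# The five ports named in the question.
WATCHED_PORTS = {20, 21, 23, 80, 443}


def count_distinct_ports(events, port_filter=None):
    """Mirror `stats dc(destination_port) by source_ip destination_ip`.

    port_filter, when given, is applied per event BEFORE aggregation. That is
    the only place a port condition can work: once the events are collapsed to
    one row per (source_ip, destination_ip), destination_port is gone.
    """
    ports = defaultdict(set)
    for ev in events:
        port = ev["destination_port"]
        if port_filter is not None and port not in port_filter:
            continue
        ports[(ev["source_ip"], ev["destination_ip"])].add(port)
    return {pair: len(seen) for pair, seen in ports.items()}


def detect_port_scans(events, threshold=100):
    """Wide scan: more than `threshold` distinct ports per (src, dst) pair,
    equivalent to `| where number_destination_port > 100` with no port filter."""
    counts = count_distinct_ports(events)
    return sorted(pair for pair, n in counts.items() if n > threshold)


def detect_watched_port_sweeps(events, watched=WATCHED_PORTS, min_ports=3):
    """Sweep of the watched service ports: a (src, dst) pair that touched at
    least `min_ports` distinct ports out of `watched`. `min_ports` is an
    assumed threshold for this example, not a value from the thread."""
    counts = count_distinct_ports(events, port_filter=watched)
    return sorted(pair for pair, n in counts.items() if n >= min_ports)


if __name__ == "__main__":
    print("wide scans:", detect_port_scans(SAMPLE_EVENTS))
    print("watched-port sweeps:", detect_watched_port_sweeps(SAMPLE_EVENTS))
```

Running the block flags 10.0.0.5 as a wide scan (150 distinct ports) and both 10.0.0.5 and 10.0.0.8 as sweeps of the watched ports, while the ordinary web client 10.0.0.7 is not reported by either rule. If the port condition were applied after the aggregation instead, no pair would ever match, which is the symptom described in the question.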