SPLUNK Top Hits by Country Report

Getting a lot of foreign computers knocking on your door and causing network latency?  This search will show the top countries of origin.  This can be useful in determining firewall rules, to know your enemy, and just for fun information.  To set up SPLUNK to run this search you will need to install the geoip package.  amMap or Google Maps are great plugins if you want a more graphical representation.

Search:
index=<firewall logs> | lookup geoip clientip as src | top client_country

1.)    Choose your index if you have them split off.
2.)    GEOIP is a little backwards: clientip is the IP field in the geoip lookup table and src is the source IP field in your index.  You may have to modify this and make it SourceAddress or whatever your field is.
3.)    top client_country can also be limited by adding limit=<n> in between top and client_country.  By default SPLUNK does a TOP 100.

I think we have some zombies on the network.  What if I want to see the top destinations?  
You can simply change the src to dst or DestinationAddress or whatever your destination field is.

I don't really care if XXXXX Country hits my firewall.  How do I exclude a country from my search?
Add | where client_country!="XXXX" | to the search string.
Search:
index=<firewall logs> | lookup geoip clientip as src | where client_country!="XXXX" | top client_country

I really only care about a certain port (i.e. port 80).
Add DestinationPort="80" before the first pipe.
Search:
index=<firewall logs> DestinationPort="80" | lookup geoip clientip as src | top client_country

This search will give you a list of all the IPs and Countries.
Search:
index=<firewall logs> | lookup geoip clientip as src

This search will give you a list of all the IPs and Countries excluding yours.
Search:
index=<firewall logs> | lookup geoip clientip as src | where client_country!="XXXX"

This search will only show IPs from a specific Country.  This can be useful if you notice a certain country banging on the door.
Search:
index=<firewall logs> | lookup geoip clientip as src | where client_country="XXXX"
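As an added offline illustration (not part of the original post and not Splunk code), the Python below mimics what the lookup / where / top pipeline above does over a handful of constructed firewall events and a constructed GeoIP table, so you can see how the "clientip as src" join, the country exclusion, the port filter and the limit combine.  Field names src, dst, DestinationPort and client_country follow the post; the IPs and countries are made up.

```python
"""Offline stand-in for the Splunk searches described on the page:
   index=<fw> [DestinationPort="80"] | lookup geoip clientip as src
     | where client_country!="XX" | top limit=<n> client_country
"""
from collections import Counter

# Constructed stand-in for the geoip lookup table (clientip -> country).
# A real GeoIP database maps address ranges, not single addresses.
GEOIP = {
    "203.0.113.7": "CN", "203.0.113.9": "CN",
    "198.51.100.4": "RU",
    "192.0.2.10": "US", "192.0.2.11": "US", "192.0.2.12": "US",
}

# Constructed firewall events using the field names from the post.
EVENTS = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "DestinationPort": "80"},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "DestinationPort": "443"},
    {"src": "198.51.100.4", "dst": "10.0.0.6", "DestinationPort": "22"},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "DestinationPort": "80"},
    {"src": "192.0.2.11", "dst": "10.0.0.5", "DestinationPort": "80"},
    {"src": "192.0.2.12", "dst": "10.0.0.7", "DestinationPort": "25"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "DestinationPort": "80"},  # internal src, no hit
]

def lookup(events, field="src"):
    """`lookup geoip clientip as <field>`: match the table's clientip column
    against the chosen event field (src or dst) and add client_country on a hit.
    Events with no match keep their fields but get no client_country."""
    out = []
    for ev in events:
        country = GEOIP.get(ev.get(field))
        out.append(dict(ev, client_country=country) if country else dict(ev))
    return out

def top_country(events, limit=100, exclude=None, port=None):
    """Optional DestinationPort filter, `where client_country!=exclude`, then
    `top limit=<n> client_country`.  Returns (country, count, percent) rows in
    the same shape Splunk's top produces; events lacking the field are skipped."""
    rows = [e for e in events if "client_country" in e
            and (exclude is None or e["client_country"] != exclude)
            and (port is None or e.get("DestinationPort") == port)]
    counts = Counter(e["client_country"] for e in rows)
    total = sum(counts.values())
    return [(c, n, round(100.0 * n / total, 2)) for c, n in counts.most_common(limit)]

if __name__ == "__main__":
    for row in top_country(lookup(EVENTS), exclude="US"):
        print(row)
```

Swapping field="dst" into lookup() reproduces the "top destinations" variant from the post.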

Great, so I have all this information, what do I do with it now?
Hit the view report link and it will spit out nice graphs and a list.  You can also export the results as csv or xml files, which can be manipulated and imported into your firewall.
GuardianMS