Splunk Lantern

Percentage of total bytes out from a source to a single destination


You want to create an accurate picture of outbound traffic from your overall network to different destination IP addresses so that you can monitor for anomalous behavior.

Data required 

Firewall data

Procedure

This sample search uses Fortinet FortiGate data. You can replace this source with any other firewall data used in your organization.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=fgt_traffic src=<IP address sending the request> NOT (dest=<Internal IP address> OR dest=<DNS>)
| eventstats sum(bytes_out) AS total_bytes_out BY src
| eval percent_bytes_out = bytes_out/total_bytes_out * 100
| table src dest bytes_in bytes_out total_bytes_out percent_bytes_out
| where percent_bytes_out > 60
| sort - percent_bytes_out dest

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=fgt_traffic 

Search only Fortinet FortiGate network traffic data.

src=<IP address sending the request> 

Search data coming from this IP address.

If you want to search all IP addresses in a netblock, use CIDR notation instead of a single address. For example, src=192.168.255.0/24

NOT (dest=<Internal IP address> OR dest=<DNS>)

Exclude internal and DNS destination IP addresses.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. 

Example:
(dest="192.0.2.0" OR dest_ip="192.0.2.0")

Example:
(dest="192.0.2.0" OR dest="example.com")

| eventstats sum(bytes_out) AS total_bytes_out BY src

Calculate the total volume of bytes_out to any destination for each source and display in a total_bytes_out column.

| eval percent_bytes_out = bytes_out/total_bytes_out * 100

For each source-destination pair, calculate the bytes_out as a percentage of the overall bytes_out for the source IP address.

| table src dest bytes_in bytes_out total_bytes_out percent_bytes_out

Display the results in a table with columns in the order shown.

| where percent_bytes_out > 60

Display only results where the outbound traffic to a single destination IP address is greater than 60 percent of the total outbound traffic for the source IP address.

| sort - percent_bytes_out dest

Sort the results by percent_bytes_out in descending order, so the destinations receiving the largest share of a source's outbound traffic appear first, and then by destination.
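As an added illustration that is not part of the Splunk Lantern article, the following Python reproduces the search's arithmetic over constructed FortiGate-style events, so you can check what eventstats, the percentage eval and the 60 percent threshold produce, and why excluding internal and DNS destinations matters. Field names follow the search; the IP addresses and byte counts are invented sample values.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style traffic events (key=value pairs), not real log data.
# 10.1.1.5 sends most of its outbound bytes to one external host and a large
# volume to an internal DNS server; 10.1.1.6 spreads its traffic out.
SAMPLE_EVENTS = """\
src=10.1.1.5 dest=203.0.113.10 bytes_in=1200 bytes_out=70000
src=10.1.1.5 dest=198.51.100.7 bytes_in=800 bytes_out=20000
src=10.1.1.5 dest=10.1.1.53 bytes_in=300 bytes_out=500000
src=10.1.1.6 dest=203.0.113.10 bytes_in=500 bytes_out=30000
src=10.1.1.6 dest=198.51.100.7 bytes_in=500 bytes_out=30000
src=10.1.1.6 dest=example.com bytes_in=400 bytes_out=40000
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    # Extract the fgt_traffic fields the search relies on; dest may be an IP or a hostname.
    return {k: v.strip('"') for k, v in KV.findall(line)}

def percent_bytes_out(events, src, excluded_dests, threshold=60.0):
    """Replicates the SPL pipeline: filter src and NOT excluded dests,
    eventstats sum(bytes_out) BY src, eval percent, where percent > threshold,
    sort - percent_bytes_out dest."""
    rows = [e for e in events
            if e.get("src") == src and e.get("dest") not in excluded_dests]
    # eventstats: per-source total attached to every event of that source
    total = defaultdict(int)
    for e in rows:
        total[e["src"]] += int(e["bytes_out"])
    out = []
    for e in rows:
        pct = int(e["bytes_out"]) / total[e["src"]] * 100
        if pct > threshold:
            out.append({"src": e["src"], "dest": e["dest"],
                        "bytes_in": int(e["bytes_in"]), "bytes_out": int(e["bytes_out"]),
                        "total_bytes_out": total[e["src"]],
                        "percent_bytes_out": round(pct, 2)})
    # sort - percent_bytes_out dest: percent descending, then dest ascending
    out.sort(key=lambda r: (-r["percent_bytes_out"], r["dest"]))
    return out

if __name__ == "__main__":
    events = [parse_event(l) for l in SAMPLE_EVENTS.splitlines()]
    # Without the exclusion the internal DNS server dominates 10.1.1.5's total and
    # hides the external destination; with it, 203.0.113.10 crosses the threshold.
    print(percent_bytes_out(events, "10.1.1.5", set()))
    print(percent_bytes_out(events, "10.1.1.5", {"10.1.1.53"}))
```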

Next steps

The results show the destination IP addresses that receive the most traffic and what source IPs that traffic comes from. Visibility into how many of your source IP addresses communicate with the same destination IP addresses can help you establish whitelists. You can also use this information to create network traffic baselines and thresholds to trigger security alerts. 

You might also be interested in other processes associated with the Monitoring for network traffic outliers use case.