Skip to main content
 
Splunk Lantern

Number of connections between unique source-destination pairs

 

You need to determine what external IPs are commonly accessed by users on your network so you can create a whitelist.

Data required 

Firewall data

Procedure

This sample search uses Fortinet FortiGate data. You can replace this source with any other firewall data used in your organization.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=fgt_traffic src=<IP address sending the request> NOT (dest=<Internal IP address> OR dest=<DNS>)
| stats count BY src dest
| where count > 1
| sort – count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=fgt_traffic 

Search only Fortinet FortiGate network traffic data.

src=<IP address sending the request> 

Search data coming from this IP address.

If you want to search all IP addresses in a netblock, use a wildcard search. For example, src=192.168.255.0/24

NOT (dest=<Internal IP address> OR dest=<DNS>)

Exclude internal and DNS destination IP addresses.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. 

Example:
(dest=”192.0.2.0” OR dest_ip=”192.0.2.0”)

Example:
(dest=”192.0.2.0” OR dest=”example.com”)

| stats count BY src dest

Count the number of connections between each source-destination pair.

| where count > 1

Exclude results that have a connection count of less than 1.

| sort – count

Sort the results by the source-destination pair with the highest number of connections first.

Next steps

You can take many logical steps to protect your network with the results of this type of search, including:

  • Using the results to establish whitelists. 
  • Examining the results for outliers and investigating external IP addresses that are accessed with an unusually high frequency. 
  • Setting an alert for when the number of source-destination connections exceeds a certain threshold. 

You might also be interested in other processes associated with the Monitoring for network traffic outliers use case.