Machines with Multiple Services

index=firewalltraffic | stats count by src_ip dst_ip dst_port protocol | stats dc(dst_port) as "Different Ports" by dst_ip

purpose:

Detect machines offering multiple services

requirements:

Firewall Traffic and extracted source/destination IP + SRC_Port/DST_Port

comments:

  • Search the firewall logs: index=firewalltraffic
  • Make sure the fields are extracted correctly. You can even let this run in real time, which looks cool: stats count by src_ip dst_ip dst_port protocol
    • You can also use this one to drill down, e.g. filter only on FTP traffic (port 21), SSH traffic, web, SMTP, or filter by SRC/DST IP to show what the Active Directory domain controllers are doing
  • Now we only want to see which IPs are offering services on how many different ports: | stats dc(dst_port) as "Different Ports" by dst_ip
  • You can also swap dst_ip for src_ip so you see which host is consuming the most different services
  • You can also filter it down with an additional | where 'Different Ports' > 5 (single quotes: in where a double-quoted value is a string literal, so a field name containing a space has to be written in single quotes)
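The same two-stage aggregation as an added example, re-implemented in Python over a few constructed firewall log lines (not code from the original page), so the dc(dst_port) logic, the dst_ip/src_ip swap and the "Different Ports" threshold can be checked offline before running the search in Splunk:

```python
from collections import defaultdict

# Constructed sample firewall log lines: src_ip dst_ip dst_port protocol
SAMPLE_LOGS = """\
10.0.0.5 192.168.1.10 22 tcp
10.0.0.5 192.168.1.10 80 tcp
10.0.0.6 192.168.1.10 443 tcp
10.0.0.6 192.168.1.10 21 tcp
10.0.0.7 192.168.1.10 25 tcp
10.0.0.7 192.168.1.10 53 udp
10.0.0.7 192.168.1.10 53 udp
10.0.0.5 192.168.1.20 443 tcp
10.0.0.6 192.168.1.20 443 tcp
"""

def parse_logs(text):
    """Yield one dict per line with the four extracted fields the search needs."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src_ip, dst_ip, dst_port, protocol = line.split()
        yield {"src_ip": src_ip, "dst_ip": dst_ip,
               "dst_port": int(dst_port), "protocol": protocol}

def count_by_tuple(events):
    """Equivalent of `stats count by src_ip dst_ip dst_port protocol`."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["src_ip"], e["dst_ip"], e["dst_port"], e["protocol"])] += 1
    return dict(counts)

def distinct_ports_by(counts, key="dst_ip"):
    """Equivalent of `stats dc(dst_port) as "Different Ports" by <key>`.

    key="dst_ip" lists hosts offering services on many ports;
    key="src_ip" lists hosts consuming many different services.
    """
    idx = {"src_ip": 0, "dst_ip": 1}[key]
    ports = defaultdict(set)
    for (src_ip, dst_ip, dst_port, _protocol) in counts:
        ports[(src_ip, dst_ip)[idx]].add(dst_port)
    return {ip: len(p) for ip, p in ports.items()}

def hosts_over_threshold(text, key="dst_ip", threshold=5):
    """Whole pipeline plus `| where 'Different Ports' > threshold`."""
    dc = distinct_ports_by(count_by_tuple(parse_logs(text)), key)
    return {ip: n for ip, n in dc.items() if n > threshold}
```

With the sample above only 192.168.1.10 (six distinct destination ports) passes the default threshold of 5.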