IDS (snort)

Alert timeline by reason

sourcetype="snort" action=alert   reason=* | search reason!="SERVER-OTHER SSL*" | fillnull value=unknown src_dns,src_owner,dest_owner,dest_dns | timechart limit=50 count(dstip) by reason

Snort alerts by source

sourcetype="snort" action=alert reason=* | search reason!="SERVER-OTHER SSL*" | fillnull value=unknown src_dns,src_owner,dest_owner,dest_dns | eval srcasset=srcip." / ".src_dns." / ".src_owner | eval dstasset=dstip." / ".dest_dns." / ".dest_owner | stats values(reason) by host_dns, srcasset, dstasset

Snort alerts by destination and priority

sourcetype="snort" action=alert reason=* | search reason!="SERVER-OTHER SSL*" | fillnull value=unknown src_dns,src_owner,dest_owner,dest_dns | eval dst_asset=dstip."/".dest_dns | stats values(reason) by dst_asset, priority

active *external* IDS alerts

sourcetype=snort srcip=* NOT (srcip=10.0.0.0/8 AND dstip=10.0.0.0/8) | `ids_enhance` | search NOT (at_action=Accept OR at_action=Mitigated) | fillnull value="N.A." | stats values(at_filter2) AS filter by reason adjusted_priority at_reputation host srcip dstip dstport sid cve at_action ids_comment | sort - adjusted_priority

Snort sensors reporting *external* IDS alerts (used as geo map display)

sourcetype=snort sub=ips | search NOT (srcip="N.A." OR (srcip=10.0.0.0/8 AND dstip=10.0.0.0/8)) | `ids_enhance` | search NOT (at_action=Accept OR at_action=Mitigated) | fillnull value="N.A." | rename srcip AS host | `al` | rename host_long AS lon | rename host_lat AS lat | iplocation host AS src_ip | geostats latfield=lat longfield=lon count by host

active *internal* IDS alerts

sourcetype=snort (srcip=10.0.0.0/8 AND dstip=10.0.0.0/8) | `ids_enhance` | search NOT (at_action=Accept OR at_action=Mitigated) | fillnull value="N.A." | stats values(at_filter2) AS filter by reason adjusted_priority at_reputation host srcip dstip dstport sid cve at_action ids_comment | sort - adjusted_priority

UTM reporting *internal* IDS alerts (used as geo map display)

sourcetype=snort (srcip=10.0.0.0/8 AND dstip=10.0.0.0/8) | `ids_enhance` | search NOT (at_action=Accept OR at_action=Mitigated) | rename host_long AS lon | rename host_lat AS lat | iplocation host AS src_ip | geostats latfield=lat longfield=lon count by host

Anomaly detection of IDS data (15-minute alert counts against the 95% prediction band; excession = above the ceiling, recession = below the floor)

sourcetype=snort srcip=* | fillnull value="N.A." sid | timechart span=15m count(dstip) AS alert_count | predict alert_count | rename upper95(prediction(alert_count)) AS ceiling | rename lower95(prediction(alert_count)) AS floor | eval excession=if(alert_count > ceiling, "100", "0") | eval recession=if(alert_count < floor, "-100", "0")
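The same ceiling/floor logic run over constructed bucket counts, as an added example that is not part of the original page and not Splunk's predict implementation: Splunk's predict fits a time-series model, while this stand-in builds the band from the rolling mean and 1.96 sample standard deviations of the previous eight buckets (assumptions: normal residuals, an eight-bucket window, and the sample series below).

```python
"""Rolling-band anomaly check over 15-minute alert counts.
Added example, not from the page: approximates the predict/upper95/lower95 logic
with a rolling mean and a 1.96-sigma band (assumption: normal residuals)."""
from statistics import mean, stdev

# Constructed 15-minute buckets of count(dstip): flat baseline, a burst at bucket 10,
# then a near-silent bucket at 19 (sample data, not real sensor output).
SAMPLE_COUNTS = [40, 42, 38, 41, 39, 42, 40, 38, 42, 41,
                 120, 44, 39, 40, 41, 42, 38, 40, 43, 2]

Z95 = 1.96        # two-sided 95% band under a normal assumption
MIN_HISTORY = 4   # fewer prior buckets than this: no prediction, no flag


def band(history):
    """Prediction (mean) and 95% ceiling/floor from prior buckets, or None."""
    if len(history) < MIN_HISTORY:
        return None
    m, s = mean(history), stdev(history)
    return m, m + Z95 * s, m - Z95 * s


def flag_series(counts, window=8):
    """Mirror of the SPL pipeline: per bucket, compare the count with the band built
    from the previous `window` buckets and emit excession/recession markers."""
    rows = []
    for i, c in enumerate(counts):
        b = band(counts[max(0, i - window):i])
        row = {"bucket": i, "alert_count": c, "ceiling": None, "floor": None,
               "excession": 0, "recession": 0}
        if b is not None:
            _, ceiling, floor = b
            row["ceiling"], row["floor"] = round(ceiling, 1), round(floor, 1)
            row["excession"] = 100 if c > ceiling else 0
            row["recession"] = -100 if c < floor else 0
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in flag_series(SAMPLE_COUNTS):
        if row["excession"] or row["recession"]:
            print(row)
```

Only bucket 10 (the burst) and bucket 19 (the lull) are flagged. Note the failure mode the window creates: the burst at bucket 10 inflates the standard deviation for the next eight buckets, so the band is very wide there and a second, smaller spike would pass unflagged; in production, exclude flagged buckets from the history or use a robust spread estimate.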

FW drops/rejects 

sourcetype=whatever sub=packetfilter | rename dstip AS ip | `ip_reputation` | rename ip AS dstip | rename at_reputation AS dst_reputation | fillnull value="N.A." | stats count values(dstip) AS DST by srcip srcport dstport host_city action dst_reputation | sort + dst_reputation - count

Geographical FW drops

sourcetype=whatever sub=packetfilter | rename srcip AS host | `ip_reputation` | search NOT at_action=Accept | rename host_long AS lon | rename host_lat AS lat | iplocation host AS src_ip | geostats latfield=lat longfield=lon count by host

Sensors that stopped sending IDS data (based on each sensor's most recent event, not on any single old event)

sourcetype=snort | stats latest(_time) AS last_seen by host | eval hours=round((now()-last_seen)/3600) | where hours >= 24 | eval alert="Hours since logs last seen - ".hours | `al` | table host_nt_host alert hours | sort -hours

Activated sensors that have not sent data in the last 7 days (a sensor with no event at all in the search time range cannot appear, so run this over a range wider than 7 days)

sourcetype=snort | fillnull value=Unknown | stats latest(_time) AS _time by host | where _time<(now()-604800) | `al` | regex host_nt_host="sensor-hostname-1|sensor-hostname-2|sensor-hostname-3|sensor-hostname-4" | table host_nt_host
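Both sensor-silence searches above reduced to plain Python over constructed events, as an added example that is not part of the original page: it shows why "latest event per host" is the right test (a per-event age filter flags an active sensor that merely has old events in the window) and why a list of expected sensors is needed to catch a sensor that is absent from the window altogether. The event tuples, the sensor names and the 10.0.0.0/8 internal split are assumptions taken from the page's queries.

```python
"""Sensor-silence check over constructed Snort events (added example, not from the page)."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample events: (reporting sensor, event time, srcip, dstip).
NOW = datetime(2024, 3, 17, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    ("sensor-hostname-1", NOW - timedelta(hours=1),  "10.1.2.3", "10.9.8.7"),
    ("sensor-hostname-1", NOW - timedelta(days=3),   "10.1.2.3", "10.9.8.7"),
    ("sensor-hostname-2", NOW - timedelta(hours=30), "203.0.113.5", "10.4.4.4"),
    ("sensor-hostname-3", NOW - timedelta(days=9),   "10.2.2.2", "198.51.100.9"),
    # sensor-hostname-4 emitted nothing in the window: it never appears in EVENTS.
]
EXPECTED_SENSORS = {"sensor-hostname-1", "sensor-hostname-2",
                    "sensor-hostname-3", "sensor-hostname-4"}


def is_internal(src, dst):
    """True when both endpoints are in 10.0.0.0/8 (the page's internal/external split)."""
    return ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL


def last_seen(events):
    """Latest event time per sensor, the equivalent of `stats latest(_time) by host`."""
    seen = {}
    for host, ts, _, _ in events:
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def stale_sensors_naive(events, now, min_hours=24):
    """Replicates a per-event `where hours >= 24 | dedup host` filter: any single old
    event flags the host, even one that reported a minute ago (the wrong approach)."""
    flagged = {}
    for host, ts, _, _ in events:
        hours = round((now - ts).total_seconds() / 3600)
        if hours >= min_hours:
            flagged[host] = min(hours, flagged.get(host, hours))
    return flagged


def silent_sensors(events, expected, now, max_age_hours=168):
    """Sensors whose newest event is older than max_age_hours (value: hours of silence),
    plus expected sensors with no event in the window at all (value: None), which the
    SPL search cannot report because it only sees hosts that produced events."""
    seen = last_seen(events)
    silent = {}
    for host in expected:
        ts = seen.get(host)
        if ts is None:
            silent[host] = None
        else:
            hours = (now - ts).total_seconds() / 3600
            if hours > max_age_hours:
                silent[host] = round(hours)
    return silent


if __name__ == "__main__":
    print("naive (wrong):", stale_sensors_naive(EVENTS, NOW))
    print("silent > 7 days:", silent_sensors(EVENTS, EXPECTED_SENSORS, NOW))
    print("silent > 24 hours:", silent_sensors(EVENTS, EXPECTED_SENSORS, NOW, 24))
```

The naive pass flags sensor-hostname-1 (72 hours) although it reported an hour ago; the latest-event pass reports only sensor-hostname-3 (216 hours) and sensor-hostname-4 (never seen) at the 7-day threshold.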

Suspicious web traffic

sourcetype=squid srcip=* dstip=* NOT action=block | `ip_reputation` | regex at_reputation!="unverified|trusted|neutral" | fillnull value="N.A." | stats count by at_reputation action srcip ua url categoryname