Develop a worm tracker

Follow

Michael Johnson

• November 12, 2019 16:53

I'm looking to build a worm tracker by querying firewall logs.  For every source IP that has a deny on port 445, count the number of destination IPs over a 15 minute period.  If the count is greater than 255 destination IPs then display the source IP and count.

0

• 

  Rick Jury

  • November 21, 2019 20:46

  hi a  good operator for this type of correlation is our subquery operator.

  https://help.sumologic.com/01Start-Here/Quick-Start-Tutorials/Hands-on_Labs02%3A_Security_Analytics/14Lab_14_-_Correlation_using_Subqueries

  something similar to this logic:

   

  parent query 

  [ subquery: every source IP that has a deny on port 445

  | count by source ip | compose sourceip]

   

  | sum .. by source_ip // count the number of destination IPs over a 15 minute period
  | where count > 255
  
  | count by source_ip,count

  0

  Comment actions Permalink

Please sign in to leave a comment.