I'm new to the Splunk language, and I'm trying to detect the scan of more than 100 specific ports (20, 21, 23, 80, 443) from a source IP address to a destination IP address. It did not give me any results, although I am sure that there are results that correspond to this search.
I created the rule below:
index=network
| stats dc(destination_port) as number_destination_port by source_ip destination_ip
| where (number_destination_port>100 AND destination_port IN (20, 21, 23, 80, 443))
I know that the problem comes from the second condition of the where clause. Can you please give me advice on how to correct this alert and even refine it?
This is what I'm looking to detect: Port scanning detection
The second clause of the where command uses the IN operator, which is only available to the search and tstats commands. Use the in() function, instead.
index=network
| where in(destination_port, 20, 21, 23, 80, 443)
| stats dc(destination_port) as number_destination_port by source_ip destination_ip
| where number_destination_port>100
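To make the semantics of that pipeline concrete, here is an added example (not code from the question or answer above, and not Splunk's own) that reproduces the same logic in Python over a small set of constructed log lines: `stats dc(destination_port) by source_ip destination_ip` becomes a set of distinct ports per (source, destination) pair, and `where number_destination_port > N` becomes a threshold on the size of that set. The `src=... dst=... dport=...` line format, the IP addresses and the port lists are all assumptions made up for the example. Two things it makes visible that the query text alone does not: the port filter has to be applied before aggregation, because once `stats` has run only the by-fields and the aggregate survive and there is no `destination_port` left to test; and a filter restricted to five ports caps the distinct count at 5, so a threshold of 100 can never fire against it. The wide-scan case (no port filter, threshold 100) is the generalization a practitioner usually wants.

```python
import re
from collections import defaultdict

# Constructed key=value log format (an assumption for this example; real
# events will carry whatever field names your sourcetype extracts).
LOG_RE = re.compile(
    r"src=(?P<source_ip>\S+)\s+dst=(?P<destination_ip>\S+)\s+dport=(?P<destination_port>\d+)"
)

# The five ports named in the original question.
WATCHED_PORTS = {20, 21, 23, 80, 443}


def build_sample_logs():
    """Constructed sample events, not captured traffic."""
    lines = []
    # Wide scanner: one source probes 120 distinct ports on one host.
    lines += [f"src=10.0.0.5 dst=10.0.1.9 dport={p}" for p in range(1, 121)]
    # Normal client: many connections, but only two distinct service ports.
    lines += ["src=10.0.0.7 dst=10.0.1.9 dport=80",
              "src=10.0.0.7 dst=10.0.1.9 dport=443"] * 50
    # Targeted scanner: exactly the five watched ports on another host.
    lines += [f"src=10.0.0.8 dst=10.0.1.10 dport={p}" for p in sorted(WATCHED_PORTS)]
    return lines


def parse(lines):
    """Field extraction: one dict per event, unparseable lines dropped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["destination_port"] = int(e["destination_port"])
            events.append(e)
    return events


def distinct_ports_by_pair(events, port_filter=None):
    """Equivalent of
         | where in(destination_port, ...)          (optional, BEFORE stats)
         | stats dc(destination_port) by source_ip destination_ip
    Returns {(source_ip, destination_ip): distinct_port_count}. Only the
    by-fields and the count survive, mirroring what stats leaves behind."""
    seen = defaultdict(set)
    for e in events:
        if port_filter is not None and e["destination_port"] not in port_filter:
            continue
        seen[(e["source_ip"], e["destination_ip"])].add(e["destination_port"])
    return {pair: len(ports) for pair, ports in seen.items()}


def port_scan_alerts(events, threshold, port_filter=None):
    """Equivalent of `| where number_destination_port > threshold`."""
    counts = distinct_ports_by_pair(events, port_filter)
    return sorted(pair for pair, n in counts.items() if n > threshold)


if __name__ == "__main__":
    events = parse(build_sample_logs())
    print("wide scan, >100 distinct ports:", port_scan_alerts(events, 100))
    print("watched ports only, >100:", port_scan_alerts(events, 100, WATCHED_PORTS))
    print("watched ports only, >4:", port_scan_alerts(events, 4, WATCHED_PORTS))
```

When tuning the real search, drive it the same way: build a handful of synthetic events with `| makeresults` plus `eval`, run the `stats`/`where` tail over them, and confirm the pair you expect is the one that survives before pointing the alert at production data.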