I want to create an alert for the same source IP and same destination IP but different ports

Hello,
My question is: trigger an alert when the source IP and destination IP are the same but the destination port is different.

I am facing a problem; here is my configuration.

PUT _xpack/watcher/watch/vertical-port-scan
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "firewall-vertical-port-scan"
        ],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match_phrase": {
                    "srcIp.keyword": {
                      "query": "20.36.219.28"
                    }
                  }
                },
                {
                  "match_phrase": {
                    "dstIp.keyword": {
                      "query": "10.18.13.85"
                    }
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": 1562856683309,
                      "lte": 1570632683309,
                      "format": "epoch_millis"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "dst_ports": {
              "terms": {
                "field": "dstPort.keyword"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.dst_ports.buckets.size() > 1",
      "lang": "painless"
    }
  },
  "throttle_period": "15m",
  "actions": {
    "email_admin": {
      "email": {
        "to": ["abcd@xyz.com"],
        "subject": "abcd",
        "body": {
          "text": "TimeStamp:{{#ctx.payload.hits.hits}} {{_source.@timestamp}} {{/ctx.payload.hits.hits}}"
        }
      }
    }
  }
}

But it is giving an error.
Kindly help.

Please take your time to properly write up the issue you are having. Just pasting a watch is not enough. Explain your use case, what problem you are trying to solve, why you picked a certain query, and also what expectations you have that are not satisfied by your query. Also include sample documents that should match (and also not match) your query, so other people reading this have the chance to understand what you are after.

Thanks!

Hi,
My use case is this:
I have a firewall log file. In it I have a log line like this:

Aug 22 2019 13:17:05: %ASA-6-106100: access-list CheckPoint_access_in denied tcp CheckPoint/20.36.219.28(443) -> Intranet-DMZ/10.18.13.85(55460) hit-cnt 1 first hit [0x14fc4bcc, 0x00000000]

This is my parser:

%{SYSLOGTIMESTAMP:timeStamp}: %{DATA:data}: %{DATA:msg}/%{IP:srcIp}(%{NUMBER:srcPort}) -> Intranet-DMZ/%{IP:dstIp}(%{NUMBER:dstPort})%{GREEDYDATA:remain}

From this I have to extract these fields: source IP, destination IP and destination port.
According to my use case, I have to trigger an alert when the source IP and destination IP are the same but the destination ports are different.

Kindly help.
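The detection this thread describes, as an added example that is not code from the original posts: it parses the ASA line with a Python regex equivalent of the grok pattern above (same field names), groups events by (srcIp, dstIp) and reports pairs that reached several distinct destination ports. The sample lines, the make_line helper and the threshold of three ports are constructed for this example; in Watcher the same logic is a terms or cardinality aggregation on dstPort.keyword per source/destination pair, with the condition on the bucket count.

```python
import re
from collections import defaultdict

# Regex equivalent of the thread's grok pattern, keeping its field names.
ASA_RE = re.compile(
    r"^(?P<timeStamp>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): (?P<data>[^:]+): "
    r"(?P<msg>.*?)/(?P<srcIp>\d{1,3}(?:\.\d{1,3}){3})\((?P<srcPort>\d+)\) -> "
    r"Intranet-DMZ/(?P<dstIp>\d{1,3}(?:\.\d{1,3}){3})\((?P<dstPort>\d+)\)"
    r"(?P<remain>.*)$"
)

def make_line(sec, src, sport, dst, dport):
    """Build a constructed ASA 106100 line in the thread's format (sample data only)."""
    return (f"Aug 22 2019 13:17:{sec:02d}: %ASA-6-106100: access-list CheckPoint_access_in "
            f"denied tcp CheckPoint/{src}({sport}) -> Intranet-DMZ/{dst}({dport}) "
            f"hit-cnt 1 first hit [0x14fc4bcc, 0x00000000]")

# Constructed sample: one source touching four ports on one host (a vertical scan),
# one source with a single connection, and one line the pattern does not match.
SAMPLE_LINES = [
    make_line(5, "20.36.219.28", 443, "10.18.13.85", 55460),
    make_line(6, "20.36.219.28", 40001, "10.18.13.85", 22),
    make_line(7, "20.36.219.28", 40002, "10.18.13.85", 80),
    make_line(8, "20.36.219.28", 40003, "10.18.13.85", 443),
    make_line(9, "20.36.219.29", 40004, "10.18.13.85", 443),
    "Aug 22 2019 13:17:10: %ASA-6-302013: Built outbound TCP connection",
]

def parse_asa_line(line):
    """Return the extracted fields as a dict, or None if the line does not match."""
    m = ASA_RE.match(line)
    return m.groupdict() if m else None

def find_vertical_scans(lines, min_distinct_ports=3):
    """Group events by (srcIp, dstIp) and return the pairs that hit at least
    min_distinct_ports different destination ports, with the ports sorted numerically."""
    ports_by_pair = defaultdict(set)
    for line in lines:
        ev = parse_asa_line(line)
        if ev is None:
            continue  # unparsed lines are skipped, not counted
        ports_by_pair[(ev["srcIp"], ev["dstIp"])].add(ev["dstPort"])
    return {
        pair: sorted(ports, key=int)
        for pair, ports in ports_by_pair.items()
        if len(ports) >= min_distinct_ports
    }
```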
