Splunk® Enterprise Security

Use Splunk Enterprise Security


This documentation does not apply to the most recent version of ES. Click here for the latest version.

Blocked traffic from unknown source

This page is currently a work in progress. Any information presented here might be incomplete or incorrect, and frequent near-term updates are expected.

Traffic tagged as "blocked" that comes from an unknown source is often malicious. It can also be anomalous traffic in which a single event carries both an "allowed" and a "blocked" action, usually caused by problems with router ACLs (access control lists) or by inconsistent firewall settings.

To find this traffic, in the Traffic Center dashboard, find the Top Traffic panel. Select "by Transport Protocol" from the drop-down menu. In the "Unknown" bar, click "blocked". The table below the chart shows details for the blocked traffic using an unknown protocol.

Notice that a number of the events are coming from the same IP address. Click "View full results"; the Search panel displays details of the events. Adjust the number of items per page so that you can view all of the events, or as many of them as possible.

Sort the columns by src and dest to determine if more than one source is contacting multiple destinations. When you find a suspicious IP address, click on the IP address to learn more about it.

In the Search dashboard...

  • Find systems that have been contacted by this address
  • Assign an analyst to check those systems, and consider having the admin put this IP address on the firewall blocklist.
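The same investigation can be run directly as a search instead of through the Traffic Center panel; this is an added example, not a search from this documentation or from Enterprise Security itself. It assumes the Common Information Model Network_Traffic data model fields (All_Traffic.action, All_Traffic.transport, All_Traffic.src, All_Traffic.dest) and assumes that the dashboard's "Unknown" bar corresponds to transport="unknown".

```spl
| tstats count
    from datamodel=Network_Traffic
    where All_Traffic.action="blocked" All_Traffic.transport="unknown"
    by All_Traffic.src All_Traffic.dest
| rename All_Traffic.* as *
| stats sum(count) as blocked_events dc(dest) as distinct_dests values(dest) as dests by src
| where distinct_dests > 1
| sort -distinct_dests, -blocked_events
```

The first tstats call does what the "by Transport Protocol" / "blocked" selection does in the dashboard, and the stats and where stages replace sorting the results table by src and dest: each remaining row is one source that reached more than one destination, with its destinations listed in dests.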
Last modified on 12 July, 2013

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1
