Blocked traffic from unknown source
This page is currently a work in progress. Any information presented here might be incomplete or incorrect, and frequent near-term updates are expected.
Traffic tagged as "blocked" that comes from an unknown source is often malicious. It can also be unusual traffic that carries both "allowed" and "blocked" in the same event, which is caused by problems with router ACLs (access control lists) or by inconsistent firewall settings.
To find this traffic, open the Traffic Center dashboard and locate the Top Traffic panel. Select "by Transport Protocol" from the drop-down menu. In the "Unknown" bar, click "blocked". The table below the chart shows details of the blocked traffic that uses an unknown protocol.
Notice that a number of the events come from the same IP address. Click "View full results"; the Search panel displays details of the events. Adjust the number of items per page so that you can view all of the events, or as many as possible.
Sort the columns by src and dest to determine whether more than one source is contacting multiple destinations. When you find a suspicious IP address, click it to learn more about it.
In the Search dashboard...
- Find systems that have been contacted by this address
- Assign an analyst to check those systems; you might also have the administrator add this IP address to the firewall blocklist.
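The triage above, as an added example that is not part of the Splunk documentation: it runs over a few constructed firewall events (the field names action, transport, src and dest are assumed to match the columns the page refers to), keeps only blocked traffic with an unknown transport, ranks sources by how many distinct destinations they contacted, and separately flags events that carry both "allowed" and "blocked".

```python
from collections import defaultdict

# Constructed firewall events; field names follow the columns the page uses.
SAMPLE_EVENTS = """\
2013-05-01T10:00:01 action=blocked transport=unknown src=10.1.1.50 dest=192.0.2.10
2013-05-01T10:00:02 action=blocked transport=unknown src=10.1.1.50 dest=192.0.2.11
2013-05-01T10:00:03 action=blocked transport=unknown src=10.1.1.50 dest=192.0.2.12
2013-05-01T10:00:04 action=blocked transport=tcp src=10.1.1.60 dest=192.0.2.10
2013-05-01T10:00:05 action=allowed transport=unknown src=10.1.1.70 dest=192.0.2.20
2013-05-01T10:00:06 action=blocked transport=unknown src=10.1.1.80 dest=192.0.2.30
2013-05-01T10:00:07 action=allowed,blocked transport=unknown src=10.1.1.90 dest=192.0.2.40
"""

def parse_events(text):
    """Parse key=value lines into dicts; the first token is the timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        event = {"_time": ts}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events

def blocked_unknown(events):
    """Events the Top Traffic panel shows under the Unknown bar, 'blocked'."""
    return [e for e in events
            if "blocked" in e.get("action", "").split(",")
            and e.get("transport") == "unknown"]

def sources_by_dest_count(events):
    """Distinct destinations per source, most first: the same answer the
    page reaches by sorting the src and dest columns by hand."""
    dests = defaultdict(set)
    for e in blocked_unknown(events):
        dests[e["src"]].add(e["dest"])
    return sorted(((src, sorted(d)) for src, d in dests.items()),
                  key=lambda item: (-len(item[1]), item[0]))

def mixed_action_events(events):
    """Events tagged both allowed and blocked: the ACL/firewall inconsistency
    the page mentions, which points at device configuration, not the host."""
    return [e for e in events
            if {"allowed", "blocked"} <= set(e.get("action", "").split(","))]

if __name__ == "__main__":
    for src, dests in sources_by_dest_count(parse_events(SAMPLE_EVENTS)):
        print(f"{src}: {len(dests)} destination(s): {', '.join(dests)}")
```

In Splunk itself the grouping step corresponds to `... | stats dc(dest) AS dest_count values(dest) AS dests BY src | where dest_count > 1`, which lists the sources to look at first.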
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1