Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Blocked traffic from unknown source

This page is currently a work in progress. Any information presented here might be incomplete or incorrect, and frequent near-term updates are expected.

Traffic tagged as "blocked" that comes from an unknown source is often malicious. It can also be anomalous traffic that carries both "allowed" and "blocked" in the same event, caused by problems with router ACLs (access control lists) or inconsistent firewall settings.

To find this traffic, in the Traffic Center dashboard, find the Top Traffic panel. Select "by Transport Protocol" from the drop-down menu. In the "Unknown" bar, click "blocked". The table below the chart shows details for the blocked traffic using an unknown protocol.

Notice that a number of the events come from the same IP address. Click "View full results"; the Search panel displays details of the events. Adjust the number of items per page so that you can view all of the events, or as many as possible.

Sort the columns by src and dest to determine whether more than one source is contacting multiple destinations. When you find a suspicious IP address, click it to learn more about it.

In the Search dashboard...

  • Find systems that have been contacted by this address
  • Assign an analyst to check those systems; consider having the admin put this IP address on the firewall blocklist.
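The same triage done outside the dashboard, as an added example (not Splunk's own code): it parses constructed firewall events with CIM-style field names (action, transport, src, dest are assumed) and groups blocked, unknown-transport events by source to show which source reaches multiple destinations, and separately flags events that carry both "allowed" and "blocked".

```python
"""Added example, not part of Splunk Enterprise Security.
Field names follow Splunk CIM naming (assumed); sample events are constructed.
Rough SPL equivalent (assumed fields):
  action=blocked transport=unknown | stats dc(dest) AS dests by src | where dests>1
"""
from collections import defaultdict

# Constructed sample events in key=value form, as a firewall might log them.
SAMPLE_EVENTS = """\
action=blocked transport=unknown src=203.0.113.7 dest=10.0.0.5
action=blocked transport=unknown src=203.0.113.7 dest=10.0.0.9
action=blocked transport=unknown src=203.0.113.7 dest=10.0.0.12
action=allowed transport=tcp src=10.0.0.5 dest=10.0.0.9
action=blocked transport=unknown src=198.51.100.2 dest=10.0.0.5
action=blocked transport=udp src=198.51.100.9 dest=10.0.0.5
action=blocked action=allowed transport=unknown src=192.0.2.3 dest=10.0.0.7
"""

def parse_events(text):
    """Parse key=value lines into dicts. A repeated key (e.g. action=blocked
    and action=allowed in one event) is kept as a list of values."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {}
        for token in line.split():
            key, _, value = token.partition("=")
            if key in ev:
                ev[key] = (ev[key] if isinstance(ev[key], list) else [ev[key]]) + [value]
            else:
                ev[key] = value
        events.append(ev)
    return events

def has_action(ev, action):
    """True if the event's action field (scalar or list) contains action."""
    a = ev.get("action")
    return action in a if isinstance(a, list) else a == action

def blocked_unknown_sources(events, min_dests=2):
    """Return {src: sorted distinct dests} for sources whose blocked,
    unknown-transport traffic reaches at least min_dests destinations."""
    dests = defaultdict(set)
    for ev in events:
        if has_action(ev, "blocked") and ev.get("transport") == "unknown":
            dests[ev["src"]].add(ev["dest"])
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_dests}

def inconsistent_events(events):
    """Events tagged both allowed and blocked: the ACL/firewall inconsistency case."""
    return [ev for ev in events if has_action(ev, "allowed") and has_action(ev, "blocked")]
```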
Last modified on 12 July, 2013

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

