Configure Interesting Ports list
Interesting Ports contains a list of TCP and UDP ports that are required, prohibited, or insecure in your deployment. The PCI DSS requires that network ports on servers in the PCI domain be tracked. Solutions administrators should set a policy defining the allowed and disallowed ports.
- Review the "Interesting Ports" list.
- Edit the list, changing the fields and adding new entries based on the policy definition.
- Enable the correlation search that will trigger an alert.
Interesting Ports list lookup fields
1. Go to Configure > General > Lists and Lookups.
2. Choose the "Interesting Ports" list. In the Lookup editor, the lookup file
interesting_ports.csv appears. The first line in the file is the header that describes the fields in the file.
|app||The application or service name.||Win32Time|
|dest||The destination host for the network service. Accepts a wildcard.||DARTH*, 10.10.1.100, my_host, etc. Using just a wildcard |
|dest_pci_domain||The PCI Domain. Accepts a wildcard.||trust, untrust, etc.|
|dest_port||The destination port number. Accepts a wildcard.||443, 3389, 5900, etc.|
|transport||The transport protocol. Accepts a wildcard.||tcp or udp|
|is_required||Is the service required to be running? Alert if not present.||true or false|
|is_prohibited||Is the service/traffic/port prohibited from running? Alert if present.||true or false|
|is_secure||Is the service traffic encrypted?||true or false|
|note||A brief description of the service and use-case.||Unencrypted telnet services are insecure.|
3. Add to or modify this list using the editor. Click Save when you are done.
- There is no file checking for this editor. A typo might break the lookup file and generate a lookup error.
- Use a search to review the user and time the lookup file was edited. Example:
index=_internal edit uri_path="/en-US/app/SplunkPCIComplianceSuite/pci_lookups_edit"
- A lookup will not accept regular expressions.
Update the Interesting Ports list to allow an open connection on the loopback port for the mail server, but alert if email is received on any trusted server:
mail,127.0.0.1,*,25,tcp,false,false,false, Any host can communicate with itself on TCP port 25 in all domains. Please don't bug me if it does.
mail,*,trust,25,tcp,false,true,false, Alert me if any host in the Trust domain is open on TCP port 25.
Configure Interesting Processes list
Add a custom report
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1