Configure Interesting Ports list
Interesting Ports contains a list of TCP and UDP ports that are required, prohibited, or insecure in your deployment. The PCI DSS requires that network ports on servers in the PCI domain be tracked. Solutions administrators should set a policy defining the allowed and disallowed ports.
- Review the "Interesting Ports" list.
- Edit the list, changing the fields and adding new entries based on the policy definition.
- Enable the correlation search that will trigger an alert.
Interesting Ports list lookup fields
- Select Configure > Content > Content Management.
- Choose the "Interesting Ports" list. In the Managed Lookup editor, the lookup file
interesting_ports.csvappears. The first line in the file is the header that describes the fields in the file.
|app||The application or service name.||Win32Time|
|dest||The destination host for the network service. Accepts a wildcard. Use only a wildcard to match all hosts.||DARTH*, 10.10.1.100, my_host, etc.|
|dest_pci_domain||The PCI domain. Accepts a wildcard.||trust, untrust, etc.|
|dest_port||The destination port number. Accepts a wildcard.||443, 3389, 5900, etc.|
|transport||The transport protocol. Accepts a wildcard.||tcp |
|is_required||Is the service required to be running? Alert if not present.||true |
|is_prohibited||Is the service/traffic/port prohibited from running? Alert if present.||true |
|is_secure||Is the service traffic encrypted?||true |
|note||A brief description of the service and use case.||Unencrypted telnet services are insecure.|
Add to or modify this list using the editor. Click Save when you are done.
- There is no file checking for this editor. A typo might break the lookup file and generate a lookup error.
- Use a search to review the user and time the lookup file was edited. Example:
index=_internal edit uri_path="/en-US/app/SplunkPCIComplianceSuite/pci_lookups_edit"
- A lookup does not accept regular expressions.
Example interesting ports configuration
You can update the Interesting Ports list to allow an open connection on the loopback port for the mail server, but alert you if email is received on any trusted server. Create a lookup table entry as follows:
mail,127.0.0.1,*,25,tcp,false,false,false, Any host can communicate with itself on TCP port 25 in all domains. Please don't bug me if it does.
mail,*,trust,25,tcp,false,true,false, Alert me if any host in the Trust domain is open on TCP port 25.
Configure Interesting Processes list
Customize the menu bar in Splunk App for PCI Compliance
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0