Splunk® App for PCI Compliance

Installation and Configuration Manual

Configure Interesting Ports list

Interesting Ports contains a list of TCP and UDP ports that are required, prohibited, or insecure in your deployment. The PCI DSS requires that network ports on servers in the PCI domain be tracked. Solutions administrators should set a policy defining the allowed and disallowed ports.

  1. Review the "Interesting Ports" list.
  2. Edit the list, changing the fields and adding new entries based on the policy definition.
  3. Enable the correlation search that will trigger an alert.

Interesting Ports list lookup fields

  1. Select Configure > Content > Content Management.
  2. Choose the "Interesting Ports" list. In the Managed Lookup editor, the lookup file interesting_ports.csv appears. The first line in the file is the header that describes the fields in the file.
| Field | Description | Example |
| --- | --- | --- |
| app | The application or service name. | Win32Time |
| dest | The destination host for the network service. Accepts a wildcard. Use only a wildcard to match all hosts. | DARTH*,, my_host, etc. |
| dest_pci_domain | The PCI domain. Accepts a wildcard. | trust, untrust, etc. |
| dest_port | The destination port number. Accepts a wildcard. | 443, 3389, 5900, etc. |
| transport | The transport protocol. Accepts a wildcard. | tcp |
| is_required | Is the service required to be running? Alert if not present. | true |
| is_prohibited | Is the service/traffic/port prohibited from running? Alert if present. | true |
| is_secure | Is the service traffic encrypted? | true |
| note | A brief description of the service and use case. | Unencrypted telnet services are insecure. |

Add to or modify this list using the editor. Click Save when you are done.

  • There is no file checking for this editor. A typo might break the lookup file and generate a lookup error.
  • Use a search to review the user and time the lookup file was edited. Example: index=_internal edit uri_path="/en-US/app/SplunkPCIComplianceSuite/pci_lookups_edit"
  • A lookup does not accept regular expressions.
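Because the editor does no file checking, you can validate the CSV text before saving it. The following is an added example, not part of the Splunk App for PCI Compliance: a small Python linter for interesting_ports.csv content. The column order comes from the field table above; the function name, the sample rows, and the rules for valid ports, transports, and boolean values are assumptions.

```python
import csv
import io
import re

# Column order taken from the field table above.
FIELDS = ["app", "dest", "dest_pci_domain", "dest_port", "transport",
          "is_required", "is_prohibited", "is_secure", "note"]
BOOLS = ("is_required", "is_prohibited", "is_secure")

# Constructed sample content (not a real deployment's list).
SAMPLE = """\
app,dest,dest_pci_domain,dest_port,transport,is_required,is_prohibited,is_secure,note
telnet,*,*,23,tcp,false,true,false,Unencrypted telnet services are insecure.
rdp,*,trust,3389,tcp,false,ture,true,Typo in a boolean
vnc,*,trust,5900,tcp,false,true,false,Remote desktop, unencrypted
web,*,*,70000,tcp,true,false,true,Port out of range
ntp,*,*,123,udp,true,true,false,Both required and prohibited
"""


def lint_interesting_ports(text):
    """Return (line_number, message) tuples for rows that would break or confuse the lookup."""
    reader = csv.reader(io.StringIO(text))
    if next(reader, None) != FIELDS:
        return [(1, "header must be: " + ",".join(FIELDS))]
    problems = []
    for row in reader:
        n = reader.line_num
        if not row:
            continue  # ignore blank lines
        if len(row) != len(FIELDS):
            problems.append((n, "expected 9 fields, found %d (unquoted comma?)" % len(row)))
            continue
        rec = {k: v.strip().lower() for k, v in zip(FIELDS, row)}
        port = rec["dest_port"]
        # Assumption: a port is a number in 1-65535, or digits mixed with * wildcards.
        if not re.fullmatch(r"[0-9*]+", port) or (port.isdigit() and not 1 <= int(port) <= 65535):
            problems.append((n, "bad dest_port %r" % port))
        if rec["transport"] not in ("tcp", "udp", "*"):  # assumption: TCP/UDP only
            problems.append((n, "bad transport %r" % rec["transport"]))
        problems += [(n, "%s must be true or false" % f) for f in BOOLS
                     if rec[f] not in ("true", "false")]
        if rec["is_required"] == rec["is_prohibited"] == "true":
            problems.append((n, "is_required and is_prohibited are both true"))
    return problems


if __name__ == "__main__":
    print(*lint_interesting_ports(SAMPLE), sep="\n")
```

Paste the editor contents into a file and pass its text to the function; an empty result means every row has nine fields and passes the checks above.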

Example interesting ports configuration

You can update the Interesting Ports list to allow an open connection on the loopback port for the mail server, but alert you if email is received on any trusted server. Create a lookup table entry as follows:

    mail,,*,25,tcp,false,false,false, Any host can communicate with itself on TCP port 25 in all domains. Please don't bug me if it does.
    mail,*,trust,25,tcp,false,true,false, Alert me if any host in the Trust domain is open on TCP port 25.

Last modified on 14 February, 2022

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
