Prohibited Network Traffic Allowed-禁止的网络流量

2020-01-09 走过路过 2408 0

搜索在企业安全性查找表“ interesting_ports_lookup”中查找由端口和传输层协议定义的网络流量,该表被标记为禁止,并且在Network_Traffic数据模型中具有关联的“允许”操作。 这可能表明网络设备配置错误。

Splunk查询:
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport | search is_prohibited=true | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Traffic")`

earliest=-70m@m   latest=-10m@m

interesting_ports_lookup查找表内容:

应用

dest

dest_pci_domain

dest_port

is_prohibited

is_required

is_secure

note

协议

echo

*

*

7

true

false

false

TCP/UDP small services should be disabled since they are inherently insecure

tcp

echo

*

*

7

true

false

false

TCP/UDP small services should be disabled since they are inherently insecure

udp

discard

*

*

9

true

false

false

TCP/UDP small services should be disabled since they are inherently insecure

tcp

discard

*

*

9

true

false

false

TCP/UDP small services should be disabled since they are inherently insecure

udp

daytime

*

*

13

true

false

false

TCP/UDP small services should be disabled since they are inherently insecure

tcp

daytime

*

*

13

true

false

false

TCP/UDP small services should be disabled since they are inherently insecure

udp

chargen

*

*

19

true

false

false

TCP/UDP small services should be disabled since they are inherently insecure

tcp

chargen

*

*

19

true

false

false

TCP/UDP small services should be disabled since they are inherently insecure

udp

ftp-data

*

*

20

true

false

false

Unencrypted FTP services are insecure.

tcp

ftp-data

*

*

20

true

false

false

Unencrypted FTP services are insecure.

udp

ftp

*

*

21

true

false

false

Unencrypted FTP services are insecure.

tcp

ftp

*

*

21

true

false

false

Unencrypted FTP services are insecure.

udp

ssh

*

*

22

false

false

true

Secure shell is permitted AND secure.

tcp

ssh

*

*

22

false

false

true

Secure shell is permitted AND secure.

udp

telnet

*

*

23

true

false

false

Unencrypted telnet services are insecure.

tcp

telnet

*

*

23

true

false

false

Unencrypted telnet services are insecure.

udp

http

*

*

80

false

false

false

HTTP is considered insecure.

tcp

pop3

*

*

110

true

false

false

Post office protocol is considered insecure.

tcp

pop3

*

*

110

true

false

false

Post office protocol is considered insecure.

udp

netbios-ns

*

*

137

true

false

false

NetBIOS name service is considered insecure.

tcp

netbios-ns

*

*

137

true

false

false

NetBIOS name service is considered insecure.

udp

netbios-dgm

*

*

138

true

false

false

NetBIOS datagram service is considered insecure.

tcp

netbios-dgm

*

*

138

true

false

false

NetBIOS datagram service is considered insecure.

udp

netbios-ssn

*

*

139

true

false

false

NetBIOS session service is considered insecure.

tcp

netbios-ssn

*

*

139

true

false

false

NetBIOS session service is considered insecure.

udp

https

*

*

443

false

false

true

HTTPS service is permitted AND secure.

tcp

isakmp

*

*

500

false

false

true

ISAKMP service is permitted AND secure.

tcp

isakmp

*

*

500

false

false

true

ISAKMP service is permitted AND secure.

udp

login

*

*

513

true

false

false

Remote login (rlogin) is considered insecure.

tcp

shell

*

*

514

true

false

false

Remote shell (rsh) is considered insecure.

tcp

syslog

*

*

514

false

false

false

Syslog service is permitted but NOT secure.

udp

oracle

*

*

1521

false

false

true

Oracle database default listener

tcp

ms-sql-s

*

*

1433

false

false

true

Microsoft SQL server default listener

tcp

ms-sql-s

*

*

1433

false

false

true

Microsoft SQL server default listener

udp

l2tp

*

*

1701

false

false

true

Layer 2 tunneling protocol

tcp

l2tp

*

*

1701

false

false

true

Layer 2 tunneling protocol

udp

pptp

*

*

1723

false

false

true

Point to point tunneling protocol

tcp

ms-wbt-server

*

*

3389

false

false

true

Microsoft Windows-based terminal server

tcp

ms-wbt-server

*

*

3389

false

false

true

Microsoft Windows-based terminal server

udp

ipsec-nat-t

*

*

4500

false

false

true

IPsec NAT-Traversal

tcp

ipsec-nat-t

*

*

4500

false

false

true

IPsec NAT-Traversal

udp


全部评论 最新评论 最早评论
还没有用户评论

联系我们

微信公众号
打赏作者