After installing Splunk on my brand new Intel NUC and ingesting firewall logs, I wrote a couple of simple SPL searches to make sense of what's hitting my router.
One of those searches breaks down the number of hits by country over a 24-hour period.
The stats vary from day to day and are usually boring, but one day I noticed that about three quarters of the traffic seemingly originated from Russia, which naturally piqued my interest.
I say "seemingly from Russia" because I used the iplocation command, which maps an IP address to a country using a static database (the GeoLite2 database that ships with Splunk, which is only as current as its last update). I also cross-checked the IP addresses against Talos and AbuseIPDB, which unfortunately gave me conflicting location information. Geolocation only tells you where the address block is registered, not where the operator of the scanning host actually sits, so "Russia" here is an attribution of the IP range and nothing more.
index=[name of index] RULEACTION=DENY | iplocation SRC | rename Country AS COUNTRY | stats count by COUNTRY
Unsure as to when the surge in "Russian" IPs hitting my router started, I ran the timechart command to count the denied hits from "Russian" IPs in one-hour intervals over a period of one week. (The search has to run iplocation first so that the Country field exists to filter on; count() gives the number of denied events, and dc(SRC_IP) would give the number of distinct source addresses instead.)
index=[name of index] RULEACTION=DENY earliest=-1w | iplocation SRC | search Country="Russia" | rename SRC AS SRC_IP | timechart count(SRC_IP) AS "count" span=1h
According to the results, the increase in traffic from "Russia" started on 18 December 2020 and has stayed steady since.
However, if I look at the same data over a period of two weeks with one-day buckets, the traffic started to increase gradually on 14 December and then increased sharply on 18 December!
index=[name of index] RULEACTION=DENY earliest=-2w | iplocation SRC | search Country="Russia" | rename SRC AS SRC_IP | timechart count(SRC_IP) AS "count" span=1d
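For readers without a Splunk instance to hand, here is the same analysis done in plain Python: count denied hits by country, bucket them over time, flag when a single country dominates, and list the addresses on which two geolocation sources disagree (the conflict I ran into with Talos and AbuseIPDB). This is an added example and not code from the original post; the log format, the two GeoIP tables and the sample lines are all constructed for illustration (the prefixes are documentation ranges, not real geolocated blocks).

```python
# Added example, not the post's own code. Mirrors the SPL searches above
# (RULEACTION=DENY | iplocation SRC | stats count by Country, and the
# timechart variants) over a few constructed firewall log lines.
from collections import Counter, defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed log lines in a key=value style; timestamps, IPs and ports are made up.
SAMPLE_LOGS = """\
2020-12-14T02:15:01Z RULEACTION=DENY SRC=203.0.113.5 DST=198.51.100.7 DPT=22
2020-12-14T02:40:12Z RULEACTION=DENY SRC=192.0.2.44 DST=198.51.100.7 DPT=445
2020-12-14T03:05:30Z RULEACTION=ALLOW SRC=192.0.2.44 DST=198.51.100.7 DPT=443
2020-12-18T10:00:09Z RULEACTION=DENY SRC=203.0.113.5 DST=198.51.100.7 DPT=3389
2020-12-18T10:12:51Z RULEACTION=DENY SRC=203.0.113.9 DST=198.51.100.7 DPT=3389
2020-12-18T10:44:03Z RULEACTION=DENY SRC=203.0.113.177 DST=198.51.100.7 DPT=8080
2020-12-18T11:02:00Z RULEACTION=DENY SRC=192.0.2.44 DST=198.51.100.7 DPT=23
"""

# Hypothetical static GeoIP table standing in for Splunk's iplocation database.
GEOIP_TABLE = {
    ip_network("203.0.113.0/24"): "Russia",
    ip_network("192.0.2.0/24"): "United States",
}

# A second hypothetical source that carves the same block up differently,
# to show how to surface the addresses on which sources disagree.
ALT_GEOIP_TABLE = {
    ip_network("203.0.113.0/25"): "Russia",
    ip_network("203.0.113.128/25"): "Netherlands",
    ip_network("192.0.2.0/24"): "United States",
}


def parse_line(line):
    """Parse one constructed log line into a dict with a timezone-aware 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def iplocation(ip, table=GEOIP_TABLE):
    """Longest-prefix lookup in a static table; 'Unknown' when nothing matches."""
    addr = ip_address(ip)
    best = max((n for n in table if addr in n), key=lambda n: n.prefixlen, default=None)
    return table[best] if best is not None else "Unknown"


def denied_events(raw):
    """The RULEACTION=DENY filter from the searches above."""
    return [r for r in map(parse_line, raw.splitlines()) if r["RULEACTION"] == "DENY"]


def hits_by_country(raw):
    """Equivalent of: ... | iplocation SRC | stats count by Country"""
    return Counter(iplocation(r["SRC"]) for r in denied_events(raw))


def timechart(raw, span="1d", country=None):
    """Equivalent of: ... | iplocation SRC | search Country=<country> | timechart count span=<span>
    Returns {bucket_label: count}; span is '1h' or '1d'."""
    fmt = "%Y-%m-%d %H:00" if span == "1h" else "%Y-%m-%d"
    buckets = defaultdict(int)
    for r in denied_events(raw):
        if country is None or iplocation(r["SRC"]) == country:
            buckets[r["ts"].strftime(fmt)] += 1
    return dict(buckets)


def dominant_country(raw, threshold=0.5):
    """Return the country behind more than `threshold` of denied hits, else None."""
    counts = hits_by_country(raw)
    total = sum(counts.values())
    if total == 0:
        return None
    country, n = counts.most_common(1)[0]
    return country if n / total > threshold else None


def geo_conflicts(raw):
    """Source IPs whose country differs between the two tables; these need manual review."""
    srcs = {r["SRC"] for r in denied_events(raw)}
    return sorted(ip for ip in srcs if iplocation(ip) != iplocation(ip, ALT_GEOIP_TABLE))


if __name__ == "__main__":
    print(hits_by_country(SAMPLE_LOGS))
    print(timechart(SAMPLE_LOGS, span="1d", country="Russia"))
    print(dominant_country(SAMPLE_LOGS))
    print(geo_conflicts(SAMPLE_LOGS))
```

The longest-prefix lookup matters because real GeoIP databases nest prefixes; picking the first match instead of the most specific one is a common way to misattribute a whole /24. The conflict list is the part I would act on: anything that two sources place in different countries is not worth describing as "Russian" without more evidence.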
I've got no idea why my IP address has been port scanned so intensely for the past few days.
As the saying goes, it's not what your security controls detect that you should worry about, but what goes undetected.