Christopher Ahearn

What's on your wire: Splunk forwarder traffic

Blog Post created by Christopher Ahearn Employee on Jan 21, 2019

Often, RSA NetWitness Packet decoders are configured to monitor not only ingress and egress traffic, but also to receive internal LAN traffic. On a recent engagement, we identified a significant amount of traffic going to TCP port 9997. It did not take long to realize this traffic was from internal servers configured to forward their logs to Splunk.

The parser writes the value '9997' to the 'service' meta key. After running the parser for several hours, we also found other ports that were being used by the Splunk forwarders.

While there wasn't anything malicious or suspicious about the traffic, it was a significant volume of traffic that was taking up disk space. By identifying the traffic, we can make it a filtering candidate. Ideally, the traffic would be filtered further upstream at a TAP, but sometimes that isn't possible.
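To make the two points above concrete (tagging every forwarder session with service 9997 whatever port it uses, then sizing each port as a filtering candidate), here is an added example that is not the post's parser and not RSA code. It is a stand-alone Python model of what the packet parser does: the Splunk-to-Splunk "cooked mode" banner it matches on is an assumption drawn from general knowledge of the protocol rather than from the post, and the session records are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SPLUNK_SERVICE = 9997  # value the parser writes into the 'service' meta key

# Splunk-to-Splunk (S2S) sessions open with a "cooked mode" banner whose
# version suffix varies (v2, v3, ...), so only the stable prefix is matched.
# Assumption from general knowledge of the protocol, not from the post.
S2S_BANNER = b"--splunk-cooked-mode-v"


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    client_payload: bytes  # first bytes sent by the client
    size: int              # total bytes captured for the session


def classify(session: Session) -> Dict[str, int]:
    """Return the meta a packet parser would write for one session.

    The banner, not the port, decides: forwarders can be pointed at any
    port, so a port-only rule would miss the non-default ports the post
    found later. When the banner matches, service is always written as
    9997 so a single value covers every forwarder session.
    """
    meta: Dict[str, int] = {}
    if session.client_payload.startswith(S2S_BANNER):
        meta["service"] = SPLUNK_SERVICE
    return meta


def forwarder_ports(sessions: List[Session]) -> Dict[int, int]:
    """Bytes per destination port for sessions tagged as forwarder traffic."""
    by_port: Dict[int, int] = defaultdict(int)
    for s in sessions:
        if classify(s).get("service") == SPLUNK_SERVICE:
            by_port[s.dport] += s.size
    return dict(by_port)


def filter_candidates(sessions: List[Session], min_bytes: int) -> List[Tuple[int, int]]:
    """(port, bytes) pairs whose forwarder traffic reaches min_bytes, largest first.

    These are the ports worth raising for an upstream TAP filter, or for a
    decoder-side filter when the TAP cannot do it.
    """
    return sorted(
        ((port, n) for port, n in forwarder_ports(sessions).items() if n >= min_bytes),
        key=lambda pair: pair[1],
        reverse=True,
    )


# Constructed sample sessions (not captured data).
SAMPLE_SESSIONS = [
    Session("10.1.1.10", "10.9.9.1", 9997, b"--splunk-cooked-mode-v3--\x00", 5_000_000),
    Session("10.1.1.11", "10.9.9.1", 9997, b"--splunk-cooked-mode-v3--\x00", 7_000_000),
    Session("10.1.1.12", "10.9.9.2", 9998, b"--splunk-cooked-mode-v2--\x00", 2_500_000),  # non-default port
    Session("10.1.1.13", "10.9.9.3", 9997, b"GET / HTTP/1.1\r\n", 1_200),                  # port reuse, not Splunk
    Session("10.1.1.14", "10.9.9.4", 80, b"GET / HTTP/1.1\r\n", 40_000),
]

if __name__ == "__main__":
    for port, nbytes in filter_candidates(SAMPLE_SESSIONS, min_bytes=1_000_000):
        print(f"service={SPLUNK_SERVICE} dport={port} bytes={nbytes}")
```

Run on the constructed sessions, the output lists port 9997 (12,000,000 bytes) and the non-default port 9998 (2,500,000 bytes); the HTTP session that happens to use port 9997 is left untagged, which is why the classification keys on the payload rather than the port.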

If you are running this parser, you could also update index-concentrator-custom.xml and add an alias for the service value, so that it displays with a readable name instead of the bare port number.

If you have traffic on your network that you want better ways to identify, let your RSA account team know.


Good luck, and happy hunting.