Hello guys,
I need to create a chart that shows traffic for a given IP address in a time window (for example a week) and that can give me a moving average. With that I can see the spikes of that average, and I can investigate a possible DoS or DDoS attack if the alert rules don't work, or even delete the existing rules.
Is it possible to do that, like Splunk can?
Renato,
If I've interpreted your question properly then, yes.
I run a chart on my Dashboard that is monitored by all network defenders throughout the day to identify evidence of a DoS or DDoS. Unfortunately it only covers up to the last 36 hours due to Chart limitations, but since it is continually monitored this is more than sufficient for DoS identification.
Essentially what I did was first create a Feed tagging all publicly accessible web servers (as they are the most likely to be DoS'd). Let's say that all of the servers tagged in the feed populate the "Web Servers" (webserver) MetaKey. I then created rules in the Reporting Module to show which services (service) are most frequently observed in conjunction with the webserver MetaKey. Based on my example, the logic of that rule would look something like:
SELECT = service
WHERE = webserver exists
SORT BY = descending
LIMIT = 10
Then, with that Rule tested and validated, I created a Chart using the Rule which "Charts Value Over Time". Then I loaded that Chart into a Dashlet. This produces a nice wavy graph showing the frequency at which the Top 10 services are utilized. In the event of a DoS or DDoS, the sudden increase of traffic would be so prevalent that a clear spike would be indicated on the graph. We've been able to test this several times with great success. It is also useful in identifying instances where people are running vulnerability scanners against our web servers. Due to the speed at which those products send requests, obvious spikes are indicated on the graph.
To investigate the spikes, I make note of the time at which the spike peaked and the service the spike was associated with. I then pivot into the Investigate -> Navigate view, specify the time frame to be +/- 5 minutes of the peak, and apply the advanced query:
webserver exists && service = (Whatever the Service identified Common Port Number is)
When that data loads, I open up the visualization to ensure I see a similar spike in the Investigate -> Navigate visualization model, verifying that my time frame is accurate. I then analyze the most active Source IPs; usually one of the IPs has a much higher session count than the others and is the culprit of the traffic spike.
One additional thing I did personally was to essentially whitelist known good IPs from the initial Reporting Engine Rule. If I knew I had certain scanners or high-traffic systems that were legitimate and might cause a false positive, I simply added ip.src != X.X.X.X. If you have several such systems, I'd recommend creating another Feed so that you can simply whitelist them by a meta condition such as webserver != 'known scanners' or something similar.
I hope this helps!
V/R,
Bob
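The workflow Bob describes (count sessions per service over time, watch for a spike against a moving average, whitelist known-good sources, then pivot into +/- 5 minutes of the peak to find the noisiest source IP) can be reproduced outside the Reporting Engine. The following is an added example, not NetWitness or Reporting Engine code and not from either poster: it runs the same logic in plain Python over a constructed session list. The sessions, IP addresses, the service port 443, and the detection thresholds (a 5-bucket trailing average, a 3x factor, a minimum of 20 sessions) are all assumptions chosen for illustration.

```python
"""Moving-average spike detection over per-service session counts, with a
source-IP whitelist and a +/- 5 minute pivot into the peak.
Added example; constructed data, not NetWitness/Reporting Engine code."""
from collections import Counter
from datetime import datetime, timedelta


def build_sessions():
    """Constructed sample data: (timestamp, src_ip, service_port).

    Background: 10 sessions/minute from five internal hosts for 30 minutes.
    Minute 10: a known internal scanner (10.0.0.50) sends 200 requests.
    Minute 20: an external host (203.0.113.77) sends 300 requests (the DoS).
    """
    base = datetime(2024, 1, 1, 12, 0, 0)
    hosts = ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9"]
    sessions = []
    for minute in range(30):
        ts = base + timedelta(minutes=minute)
        for i in range(10):
            sessions.append((ts + timedelta(seconds=i * 5), hosts[i % 5], 443))
    scanner_ts = base + timedelta(minutes=10)
    for i in range(200):
        sessions.append((scanner_ts + timedelta(milliseconds=i * 200), "10.0.0.50", 443))
    burst_ts = base + timedelta(minutes=20)
    for i in range(300):
        sessions.append((burst_ts + timedelta(milliseconds=i * 100), "203.0.113.77", 443))
    return sessions


def bucket_counts(sessions, service, whitelist=frozenset()):
    """Sessions per one-minute bucket for one service, skipping whitelisted
    source IPs (the equivalent of adding ip.src != X.X.X.X to the rule)."""
    counts = Counter()
    for ts, src, svc in sessions:
        if svc != service or src in whitelist:
            continue
        counts[ts.replace(second=0, microsecond=0)] += 1
    return counts


def moving_average_spikes(counts, window=5, factor=3.0, min_count=20):
    """Return [(bucket, count, trailing_avg)] for buckets whose count exceeds
    factor * the trailing moving average of the previous `window` buckets.
    min_count keeps a quiet service from alerting on 2 sessions vs. 0.5."""
    buckets = sorted(counts)
    spikes = []
    for i, b in enumerate(buckets):
        prev = buckets[max(0, i - window):i]
        if len(prev) < window:
            continue  # not enough history for a meaningful average yet
        avg = sum(counts[p] for p in prev) / window
        if counts[b] >= min_count and counts[b] > factor * avg:
            spikes.append((b, counts[b], avg))
    return spikes


def top_sources(sessions, service, peak, margin=timedelta(minutes=5), n=3):
    """The pivot step: sessions for the service within +/- margin of the
    peak, ranked by source IP session count."""
    c = Counter(src for ts, src, svc in sessions
                if svc == service and abs(ts - peak) <= margin)
    return c.most_common(n)


def main():
    sessions = build_sessions()
    # Without a whitelist the internal scanner shows up as a spike too.
    for b, n, avg in moving_average_spikes(bucket_counts(sessions, 443)):
        print(f"spike at {b:%H:%M}: {n} sessions vs trailing avg {avg:.1f}")
    # With the scanner whitelisted, only the real burst remains.
    spikes = moving_average_spikes(bucket_counts(sessions, 443, {"10.0.0.50"}))
    for b, n, avg in spikes:
        print(f"[whitelisted] spike at {b:%H:%M}: {n} sessions")
        print("  top sources +/- 5 min:", top_sources(sessions, 443, b))


if __name__ == "__main__":
    main()
```

The whitelist is applied before bucketing, which mirrors excluding ip.src from the Reporting Engine rule rather than filtering after the fact; once a bucket has spiked it also feeds the trailing average of the next few buckets, which lowers sensitivity briefly instead of raising false positives.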