So, playing around with A3Sec's pfSense Splunk app, I moved the threshold of the scanned panel around to see how many more IPs/geolocations popped up on the map. I then even had a friend run a standard/default nmap scan against my IP and cranked the search string's sensitivity down to where it caught that scan. This is the new string:
index=gw_pfsense sourcetype=pfsense_filterlog action=blocked | dedup src dest_port | transaction src maxspan=5m maxpause=12s keeporphans=false | where eventcount > 3 | iplocation src | geostats latfield=lat longfield=lon count(src)
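As an added illustration (not from the original post or the A3Sec app), here is the same detection logic in Python over constructed filterlog records, minus the iplocation/geostats mapping step, which needs a GeoIP database: a source that hits more than three distinct destination ports inside the maxspan/maxpause window is flagged, repeated hits on one port collapse under the dedup step, and probes spaced more than 12 s apart split into separate transactions, which is why the threshold needs tuning. The filterlog CSV field positions and the sample records are assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed pfSense filterlog records (not real traffic). Field positions are
# assumed from the filterlog IPv4 CSV layout: 6 = action, 16 = protocol,
# 18 = src, 21 = dst port. The timestamp comes from the syslog envelope.
CSV = "5,,,1000000103,em0,match,{act},in,4,0x0,,52,1,0,DF,6,tcp,60,{src},192.0.2.10,43123,{dport},0,S,"

def rec(ts, src, dport, act="block"):
    return (ts, CSV.format(act=act, src=src, dport=dport))

SAMPLE_LOG = [
    rec("2024-01-01T12:00:00", "203.0.113.5", 22),    # five distinct ports in 20 s
    rec("2024-01-01T12:00:05", "203.0.113.5", 80),
    rec("2024-01-01T12:00:09", "203.0.113.5", 443),
    rec("2024-01-01T12:00:14", "203.0.113.5", 445),
    rec("2024-01-01T12:00:14", "203.0.113.5", 445),   # repeat port: dropped by dedup
    rec("2024-01-01T12:00:20", "203.0.113.5", 3389),
    rec("2024-01-01T12:00:21", "203.0.113.5", 8080, act="pass"),  # allowed, ignored
    rec("2024-01-01T12:00:00", "198.51.100.7", 22),   # one port hammered: dedup -> 1
    rec("2024-01-01T12:00:03", "198.51.100.7", 22),
    rec("2024-01-01T12:00:00", "203.0.113.9", 21),    # four ports but 20 s apart:
    rec("2024-01-01T12:00:20", "203.0.113.9", 23),    # maxpause=12s splits them up
    rec("2024-01-01T12:00:40", "203.0.113.9", 25),
    rec("2024-01-01T12:01:00", "203.0.113.9", 110),
]

def detect_scanners(records, maxspan_s=300, maxpause_s=12, min_events=4):
    # Mirrors: action=blocked | dedup src dest_port | transaction src maxspan=5m
    # maxpause=12s | where eventcount > 3.  Returns {src: eventcount}.
    maxspan, maxpause = timedelta(seconds=maxspan_s), timedelta(seconds=maxpause_s)
    seen, per_src = set(), defaultdict(list)
    for ts, payload in sorted(records):           # oldest first
        f = next(csv.reader([payload]))
        if f[6] != "block" or f[16] not in ("tcp", "udp") or (f[18], f[21]) in seen:
            continue                              # not blocked, no ports, or repeat port
        seen.add((f[18], f[21]))                  # dedup src dest_port
        per_src[f[18]].append(datetime.fromisoformat(ts))
    flagged = {}
    for src, times in per_src.items():
        runs = [[times[0]]]                       # transactions for this src
        for t in times[1:]:
            if t - runs[-1][0] > maxspan or t - runs[-1][-1] > maxpause:
                runs.append([])                   # span or pause exceeded: new transaction
            runs[-1].append(t)
        biggest = max(len(r) for r in runs)
        if biggest >= min_events:                 # where eventcount > 3
            flagged[src] = biggest
    return flagged
```

Raising maxpause_s to 30 makes the slow 203.0.113.9 probes collapse into one transaction and get flagged too, which is the kind of sensitivity trade-off the search string above is tuning.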