Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what the Referer URL field actually is?

soundchaos
Path Finder
‎06-13-2014 08:20 AM

My main goal right now is to see if there are users accessing our site through phishing sites or emails. We do not send any e-mails with links whatsoever, so I shouldn't see anyone referred through an email.

My (possibly uneducated) question is to clarify what exactly the Referer URL is giving me. If I was to pull a list of:

"... | top cs_Referer_"

I get results like "http://www.google.com/" with no search criteria, and also "google.com/MyWebsiteName/". Is it actually just the URL the user was on before they changed to ours, or is it actually based on clicking a link?

Given this info, what type of referer would I look for to see if they did click on a link in an email?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bluger_splunk
Splunk Employee
Splunk Employee
‎06-13-2014 09:45 AM

Hello --

The HTTP referrer is appended to the HTTP header by the browser whenever a user navigates to a URL from a link in another site. Google is commonly seen as a referrer because many people navigate to websites that they search for using their search engine. For instance, if you search for splunk on google.com and then click on the link to Splunks homepage, a google referrer will get appended to the HTTP header by your browser.

As far as I know, Email clients do not append HTTP referrers for links contained within the email. However, you should be able to track the HTTP referrers for sites that are linking to your site and then attempt to match the results against known bad domains to identify any malicious domains that are linking to your site.

If you're currently using Splunks Enterprise Security application, it comes preloaded with a bunch of threat intelligence sources that you can use to match against the referrer headers. If you don't currently use Splunks Enterprise Security application, there are still a number of public domain threat sources you can gather intel from and pass to splunk for matching.

Hope this helps.

~Brian

View solution in original post

Reply
Solved! Jump to solution
Solution

bluger_splunk
Splunk Employee
Splunk Employee
‎06-13-2014 09:45 AM

Hello --

The HTTP referrer is appended to the HTTP header by the browser whenever a user navigates to a URL from a link in another site. Google is commonly seen as a referrer because many people navigate to websites that they search for using their search engine. For instance, if you search for splunk on google.com and then click on the link to Splunks homepage, a google referrer will get appended to the HTTP header by your browser.

As far as I know, Email clients do not append HTTP referrers for links contained within the email. However, you should be able to track the HTTP referrers for sites that are linking to your site and then attempt to match the results against known bad domains to identify any malicious domains that are linking to your site.

If you're currently using Splunks Enterprise Security application, it comes preloaded with a bunch of threat intelligence sources that you can use to match against the referrer headers. If you don't currently use Splunks Enterprise Security application, there are still a number of public domain threat sources you can gather intel from and pass to splunk for matching.

Hope this helps.

~Brian

Reply
Solved! Jump to solution

bluger_splunk
Splunk Employee
Splunk Employee
‎06-16-2014 09:52 AM

Those appear to be referrers from Google's GMail and Microsoft's Live Mail public email services. If those were set as referrers then it would likely indicate a user followed a link provided in an email. Of which they would have had to of opened using their web browsers, instead of an email client like Outlook. Additionally, if an employee were to access their corporate email using their web browser, via Outlook Web Access or the like, their browser would generate a referrer header for any links that were followed from within any opened emails.

Hope this helps!

~Brian

Reply
Solved! Jump to solution

soundchaos
Path Finder
‎06-16-2014 08:01 AM

Thanks for the answer, so based on this, would you happen to know what it means when referers are as such:
https://mail.google.com/mail/
https://bay179.mail.live.com/default.aspx

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...