Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Analyzing a log for security breach

magnia
Engager
‎07-01-2018 04:51 PM

I am analyzing a log and can see over 600 attempts from one ip address where the its resulting in a 404 not found error in a 2 hour period. All other failed http codes come from different ip addresses but are very low count in comparison which led me to believe this offending IP Address is spamming our server. is there any other checks I could do.

(This is just for educational purposes and not a real log.)

0 Karma
Reply

FrankVl
Ultra Champion
‎07-02-2018 05:44 AM

If your logs provide that info, you could look at what URL is being requested. Is it the same URL over and over, or is it trying various URLs (perhaps with weird characters, or using ../.. to try and gain access to directories outside the webserver files)?

Also investigate the IP address. Is it something internal (and if so: what environment does it belong to, who is the owner). If it is external, you could check against threat intelligence sources to see if it is a known malicious host.

600 over 2 hours is not an incredibly alarming rate (not enough to bring a server down), but it could indicate some kind of vulnerability scanning / probing activity. But it could just as well be some internal script that is trying to connect to a web page that doesn't exist anymore.

Reply

magnia
Engager
‎07-02-2018 07:07 AM

Its doing as you expected I believe and trying lots of different characters and strings. I found another example where its 1500 attempts in 5 mins so that seems malicious.

I have tried on threatminer site for the ip but doesnt seem to be a case for it. As part of my learning activity it advises the webserver was hit by spam and then a ddos attack so i kind of presumed it would been been a spam hit to try and get users to install some malware which was then performing the ddos attack. Im not sure if I can find out if the ip address is internal i had presumed was external.

Appreciate your reply Frank.

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...