Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search proxy logs for beaconing hosts

mikefoti
Communicator
‎09-09-2014 03:08 PM

I'm trying to search proxy logs for beaconing hosts. Let's define beaconing as:
- visiting the same url
- using the same HTTP Method
- at a regular interval (say 60 seconds +/- 5s)
- at least 9 times 

| transaction client_ip URL Method minpause=55s maxpause=65s | where eventcount > 10

My first problem is the lack of a MINPUASE command.
Any suggestions?

Tags (3)
0 Karma
Reply

lguinn2
Legend
‎09-10-2014 09:31 AM

Try this

yoursearchhere
| eventstats count as total_events by client_ip URL Method
| where total_events > 8
| sort client_ip URL Method _time
| streamstats current=f window=1 global=f last(_time) as prev_time by client_ip URL Method
| eval time_diff = _time - prev_time
| transaction client_ip URL Method maxpause=65s
| where time_diff >= 55 and eventcount > 8

This may not be exactly what you want, but perhaps it will give you some new ideas...

I used eventstats to eliminate as many client_ip's as I could, before creating the transactions. This should make the transaction command run faster. I also calculated the time difference between events so that I could use it later to implement the "minpause" idea.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...