IP address sending repeated requests to a web server
An advanced persistent threat (APT) group has taken over your website and plastered their logo all over your homepage. You want to find the IP address of the machine that scanned your website for the vulnerability that allowed them to attack.
Required data
Procedure
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
"<URL of affected website>"
- In the field sections on the left, find and click sourcetype.
- Click the value with the highest count to add it to the search.
- Make a note of the other source types.
- Add the following to the search:
|stats count(src_ip) AS Requests BY src_ip |sort - Requests
- Make a note of the src_ip with the highest number of requests.
- Change the sourcetype to one of the others you previously noted and run the search again. Repeat this step with the remaining source types to see if they all indicate the same src_ip with the highest number of requests.
Different data sets provide different perspectives to the same question, so validating findings by using multiple data sets is important.
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `"<URL of affected website>"` | Search for any log your website name appears in. Use wildcards so you don't miss a result. For example, `*splunk.com*` |
| `\|stats count(src_ip) AS Requests BY src_ip` | Count the number of times each source IP address appears and rename the count column "Requests". |
| `\|sort - Requests` | Sort the results with the most common source IP address first. |
Next steps
The IP address that originated the most requests is likely to be the one that conducted the scan. Looking at its source header information can help you determine if the IP address is associated with a web vulnerability scanner. Depending on the source type you used in your search, you might also be able to use IDS signatures to further validate your findings. To do so:
- In the results table, click the source IP address with the most requests.
- Scroll down the left column of the results page and select the <X> more fields option.
- If a signature field exists, expand it and look for signatures of known web application vulnerabilities.
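The procedure above and the IDS signature check in these next steps can be reproduced outside Splunk to see exactly what the search does. The following Python script is an added example, not part of the original page or of Splunk's own code: it runs the same pipeline (wildcard search for the site name, sourcetype breakdown, `stats count(src_ip) BY src_ip` sorted descending, repeated per sourcetype, then a look at signature values for the top IP) over a handful of constructed access-log and IDS events. The site name `example-site.com`, the sourcetype names, the IP addresses and the signature strings are all constructed placeholders.

```python
import re
from collections import Counter

# Placeholder standing in for "<URL of affected website>"; the wildcards on
# both sides mirror the page's advice to search *yoursite* so no hit is missed.
SITE_PATTERN = "*example-site.com*"

# Constructed sample events (not real telemetry). Each entry is
# (sourcetype, raw event). Web server hits use an access_combined-style line
# with the virtual host appended; IDS alerts use key=value pairs and carry a
# "signature" field, as the "Next steps" section describes.
EVENTS = [
    ("access_combined", '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "scanner/1.0" example-site.com'),
    ("access_combined", '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "scanner/1.0" example-site.com'),
    ("access_combined", '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /xmlrpc.php HTTP/1.1" 405 87 "-" "scanner/1.0" example-site.com'),
    ("access_combined", '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner/1.0" example-site.com'),
    ("access_combined", '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" example-site.com'),
    ("access_combined", '198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0" example-site.com'),
    # Traffic to a different site: the wildcard search must drop this one.
    ("access_combined", '192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" other-site.net'),
    ("suricata", 'src_ip=203.0.113.7 dest=example-site.com signature="CONSTRUCTED WEB Scanner User-Agent"'),
    ("suricata", 'src_ip=203.0.113.7 dest=example-site.com signature="CONSTRUCTED WEB Scanner User-Agent"'),
    ("suricata", 'src_ip=198.51.100.23 dest=example-site.com signature="CONSTRUCTED WEB Login Attempt"'),
]

LEADING_IPV4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")


def wildcard_search(events, pattern):
    """Step 1: keep only events whose raw text matches a Splunk-style wildcard term."""
    regex = re.compile(re.escape(pattern).replace(r"\*", ".*"), re.IGNORECASE)
    return [e for e in events if regex.search(e[1])]


def sourcetype_counts(events):
    """Steps 2-4: the sourcetype field summary, highest count first."""
    return Counter(st for st, _ in events).most_common()


def extract_field(raw, name):
    """Read a field from an event: key=value (quoted or bare) if present,
    otherwise, for src_ip, the leading IPv4 token of an access log line."""
    m = re.search(rf'\b{name}=(?:"([^"]*)"|(\S+))', raw)
    if m:
        return m.group(1) if m.group(1) is not None else m.group(2)
    if name == "src_ip":
        m = LEADING_IPV4.match(raw)
        return m.group(1) if m else None
    return None


def requests_by_src_ip(events, sourcetype):
    """Steps 5-6: sourcetype=<x> | stats count(src_ip) AS Requests BY src_ip | sort - Requests"""
    counts = Counter()
    for st, raw in events:
        if st != sourcetype:
            continue
        ip = extract_field(raw, "src_ip")
        if ip:  # count(src_ip) skips events with no src_ip value
            counts[ip] += 1
    return counts.most_common()


def top_src_ip_per_sourcetype(events):
    """Step 7: repeat the search for every sourcetype and record each top src_ip."""
    return {st: requests_by_src_ip(events, st)[0][0] for st, _ in sourcetype_counts(events)}


def consistent_top_ip(events):
    """Return the top src_ip only if every sourcetype agrees on it, else None."""
    tops = set(top_src_ip_per_sourcetype(events).values())
    return tops.pop() if len(tops) == 1 else None


def signatures_for(events, src_ip):
    """Next steps: distinct IDS signature values seen for the candidate IP."""
    return sorted({extract_field(raw, "signature") for _, raw in events
                   if extract_field(raw, "src_ip") == src_ip and extract_field(raw, "signature")})


if __name__ == "__main__":
    hits = wildcard_search(EVENTS, SITE_PATTERN)
    print("sourcetypes:", sourcetype_counts(hits))
    for st, _ in sourcetype_counts(hits):
        print(st, requests_by_src_ip(hits, st))
    candidate = consistent_top_ip(hits)
    print("consistent top src_ip:", candidate)
    print("signatures:", signatures_for(hits, candidate) if candidate else [])
```

The event to `other-site.net` never reaches the counts because the wildcard filter runs first, which is the same reason the page tells you to put the site name in the base search rather than filtering afterwards. If the per-sourcetype top IPs disagree, `consistent_top_ip` returns `None` instead of picking one, which is the point of the page's "validate with multiple data sets" caveat.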
Finally, you might be interested in other processes associated with the Reconstructing a website defacement use case.