Web server initiating outbound traffic
Your corporate website has been defaced. You believe that the attacker hacked into your web server and downloaded the file used in the defacement from an external IP address.
Required data
Procedure
This sample search uses Suricata and Fortinet FortiGate software. You can replace these sources with any other web server data and firewall data used in your organization.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
src=<IP address of web server> sourcetype=suricata
- In the field sections on the left, find and click dest_ip.
- Examine the results and identify any external IP addresses.
- Click an external IP address to add it to the search.
- In the field sections on the left, find and click http.url.
- Make a note of any suspicious files you find so that you can corroborate your findings.
- Clear your search and enter the following search command into the search bar:
src=<IP address of web server> sourcetype=stream:http
- In the field sections on the left, find and click uri.
- Make a note of the files you find that are the same as those from the in the http.url field of the Suricata data.
- Clear your search and enter the following search command into the search bar:
sourcetype=fgt_utm <IP address of web server> NOT dest=<IP address of web server>
- In the field sections on the left, find and click category.
Unified Threat Management (UTM) devices (or next-generation firewalls) often classify various web sites, much like standalone web filtering gateways do. These classifications can help you identify different types of data.
- Click the Malicious Websites value to add it to the search.
- In the field sections on the left, find and click file_path.
- Examine the results for files that are identical to what you found in the Suricata and Stream data.
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
src=<IP address of the web server> |
Search data coming from this IP address. Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. Example: Example: |
sourcetype=suricata |
Search only Suricata data. |
sourcetype=stream:http |
Search only Stream http data. |
sourcetype=fgt_utm |
Search only Fortinet UTM data. |
<IP address of web server> |
Search for the IP address of the web server. |
NOT dest=<IP address of web server> |
Eliminate results that have the IP address of the web server as the destination. |
Next steps
If you can corroborate a suspicious file across multiple data sources, you have likely found the file that has something to do with your website defacement. You can use that file information to investigate further.
Finally, you might be interested in other processes associated with the Reconstructing a website defacement use case.