Splunk Lantern

Product or software accessing web server

 

A single IP address made a large number of requests to your web server. You suspect that it is a web vulnerability scanner and want to identify which product was used.

Required data

Web server data

Procedure

This sample search uses Splunk Stream. You can replace this source with any other web server data used in your organization.

  1. Run the following search. You can optimize it by specifying an index and adjusting the time range.
src=<IP address under investigation> sourcetype=stream:http
  2. In the field sections on the left, find and click src_header.
  3. Click the value with the highest count to add it to the search.
  4. In the field sections on the left, click src_header again to view the header values for the narrowed results.
  5. Examine the headers to find the name of the web vulnerability scanner used.

Research any information in the logs that is unfamiliar to you. Many scanners name themselves in the User-Agent request header, but that header is set by the client and is trivial to change, so the log may not directly call out a web vulnerability scanner. Look at the other request headers and the requested paths as well; you don't want to overlook useful information.
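The procedure above, reduced to code as an added example (it is not from the Splunk Lantern page and is not Splunk's own code): it filters constructed Stream-like events down to one source, parses the raw request header block, counts the User-Agent values and matches each one against a starter list of scanner names. The field names src_ip and src_headers, the sample addresses and every request below are assumptions made for this example. It also shows why step 3 (take the value with the highest count) can mislead: the constructed Nikto traffic carries a different test id in every User-Agent, so the most common value is the operator's browser, and the example therefore checks every value rather than only the top one.

```python
import re
from collections import Counter

# --- Constructed sample data --------------------------------------------------
# Field names follow what this example assumes Splunk Stream's http sourcetype
# provides (src_ip, uri_path, src_headers = the raw request header block).
# Every address, host and request below is made up.

FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"


def _event(src_ip, path, user_agent):
    """Build one constructed event carrying a raw request header block."""
    return {
        "src_ip": src_ip,
        "uri_path": path,
        "src_headers": (
            f"GET {path} HTTP/1.1\r\nHost: www.example.com\r\n"
            f"User-Agent: {user_agent}\r\nAccept: */*\r\n\r\n"
        ),
    }


SAMPLE_EVENTS = [
    _event("192.0.2.10", "/", FIREFOX),
    # Nikto puts a per-request test id in its User-Agent, so no two of these
    # header values are identical and none of them is the "highest count" value.
    _event("192.0.2.77", "/cgi-bin/", "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"),
    _event("192.0.2.77", "/admin/", "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"),
    _event("192.0.2.77", "/phpinfo.php", "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"),
    _event("192.0.2.77", "/.git/HEAD", "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"),
    # The same source also browsed the site with an ordinary browser.
    _event("192.0.2.77", "/", FIREFOX),
    _event("192.0.2.77", "/login", FIREFOX),
    _event("192.0.2.200", "/item?id=1", "sqlmap/1.7.2#stable (https://sqlmap.org)"),
    _event("192.0.2.200", "/item?id=1%27", "sqlmap/1.7.2#stable (https://sqlmap.org)"),
]

# Starter list of scanner names as they appear in default User-Agent strings.
# Any tool can change its User-Agent, so a miss here proves nothing.
SCANNER_SIGNATURES = [
    ("Nikto", re.compile(r"\bNikto/", re.I)),
    ("sqlmap", re.compile(r"\bsqlmap/", re.I)),
    ("WPScan", re.compile(r"\bWPScan\b", re.I)),
    ("Nuclei", re.compile(r"\bNuclei\b", re.I)),
    ("Nessus", re.compile(r"\bNessus\b", re.I)),
]

HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*?)\s*$")


def parse_request_headers(raw):
    """Turn a raw request header block into {lowercased name: value}.

    The request line is skipped and parsing stops at the blank line that ends
    the headers, so a captured body is never mistaken for a header.
    """
    headers = {}
    for line in re.split(r"\r?\n", raw)[1:]:
        if line == "":
            break
        m = HEADER_LINE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return headers


def identify_scanner(user_agent):
    """Return the scanner name found in a User-Agent value, or None."""
    for name, pattern in SCANNER_SIGNATURES:
        if pattern.search(user_agent or ""):
            return name
    return None


def investigate_source(events, src):
    """Apply the procedure to one source: keep only its events, count the
    User-Agent values, and check every value (not only the most common one)
    for a scanner name."""
    mine = [e for e in events if src in (e.get("src"), e.get("src_ip"))]
    agents = Counter(
        parse_request_headers(e["src_headers"]).get("user-agent", "") for e in mine
    )
    scanners = Counter()
    for ua, count in agents.items():
        name = identify_scanner(ua)
        if name:
            scanners[name] += count
    return {
        "src": src,
        "requests": len(mine),
        "distinct_user_agents": len(agents),
        "top_user_agent": agents.most_common(1)[0][0] if agents else None,
        "scanner": scanners.most_common(1)[0][0] if scanners else None,
        "scanner_requests": sum(scanners.values()),
    }


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.77", "192.0.2.200"):
        print(investigate_source(SAMPLE_EVENTS, src))
```

To use it on real data, export the events for the IP under investigation from Splunk as JSON and pass them to investigate_source in place of SAMPLE_EVENTS; the result for 192.0.2.77 above reports the browser as the top User-Agent but still attributes four of the six requests to Nikto.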

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

src=<IP address under investigation> | Search data coming from this IP address.

Logs vary in the information they contain. Not all logs record both a hostname and an IP address, and the field name can differ between sources: sometimes the src field holds a hostname and sometimes an IP address, and some sources use src_ip instead. Parentheses and OR statements broaden the search so you don't miss events recorded under a different field or form of the address.

Example:
(src="192.0.2.0" OR src_ip="192.0.2.0")

Example:
(src="192.0.2.0" OR src="example.com")

sourcetype=stream:http | Search only Splunk Stream HTTP data.

Next steps

The product (and, where the headers include it, the version) used to scan your web server is useful in subsequent investigation and prevention efforts: it tells you which checks were run against the server and therefore what the attacker is likely to have learned. Make a note of it.

Finally, you might be interested in other processes associated with the Reconstructing a website defacement use case.