Splunk Lantern

Web server initiating outbound traffic

A web server is typically the destination of traffic, not the source. Identifying when a web server initiated outbound traffic, especially in order to download files, can be useful in the following situations:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example 

Your corporate website has been defaced. You believe that the attacker hacked into your web server and downloaded the file used in the defacement from an external IP address.

To optimize the searches shown below, you should specify an index and a time range. In addition, these sample searches use the Splunk TA for Suricata and the Fortinet FortiGate Add-on for Splunk. You can replace these sources with any other web server data and firewall data used in your organization.

  1. Run the following search:
     src=<IP address of web server> sourcetype=suricata
  2. In the field sections on the left, find and click dest_ip.
  3. Examine the results and identify any external IP addresses.
  4. Click an external IP address to add it to the search.
  5. In the field sections on the left, find and click http.url.
  6. Make a note of any suspicious files you find so that you can corroborate your findings.
  7. Clear your search and enter the following search command into the search bar:
     src=<IP address of web server> sourcetype=stream:http
  8. In the field sections on the left, find and click uri.
  9. Make a note of the files you find that are the same as those in the http.url field of the Suricata data.
  10. Clear your search and enter the following search command into the search bar:
     sourcetype=fgt_utm <IP address of web server>
     NOT dest="<IP address of web server>"
  11. In the field sections on the left, find and click category.

Unified Threat Management (UTM) devices (or next-generation firewalls) often classify web sites, much like standalone web filtering gateways do. These classifications can help you identify different types of data.

  12. Click the Malicious Websites value to add it to the search.
  13. In the field sections on the left, find and click file_path.
  14. Examine the results for files that are identical to what you found in the Suricata and Stream data.
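The procedure above is a manual click-through in Splunk. The following script, added here as an example and not part of the Splunk Lantern article or any Splunk add-on, performs the same correlation offline over constructed sample events: it keeps only events where the web server is the source and the destination is external, reduces http.url, uri and file_path to a file name, and reports which files are seen in all three sourcetypes. The WEB_SERVER address, the sample events and the "RFC 1918 means internal" rule are assumptions made for the example; the field names are the ones the procedure clicks on.

```python
"""Correlate a web server's outbound downloads across Suricata, Stream HTTP and
FortiGate UTM events.

Added example, not Splunk Lantern's code. The events below are constructed;
the field names (src/src_ip, dest_ip, http.url, uri, category, file_path) are
the ones the search procedure clicks through. WEB_SERVER and all addresses
are assumed values.
"""
import ipaddress
from urllib.parse import urlparse

WEB_SERVER = "192.0.2.10"  # assumed: the defaced web server

# Assumption: anything outside RFC 1918 space counts as "external". The page's
# documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are not
# routable either, so ipaddress.is_global would wrongly reject them here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events, already field-extracted as the add-ons present them.
SURICATA = [
    {"src": "192.0.2.10", "dest_ip": "198.51.100.7", "http.url": "/tools/deface.php"},
    {"src": "192.0.2.10", "dest_ip": "10.0.0.5", "http.url": "/api/health"},  # internal
    {"src_ip": "192.0.2.10", "dest_ip": "203.0.113.44", "http.url": "/updates/patch.tgz"},
]
STREAM_HTTP = [
    {"src": "192.0.2.10", "dest": "198.51.100.7", "uri": "/tools/deface.php"},
    {"src": "192.0.2.10", "dest": "203.0.113.44", "uri": "/updates/patch.tgz"},
]
FGT_UTM = [
    {"src": "192.0.2.10", "dest": "198.51.100.7", "category": "Malicious Websites",
     "file_path": "http://198.51.100.7/tools/deface.php"},
    {"src": "192.0.2.10", "dest": "203.0.113.44", "category": "Information Technology",
     "file_path": "http://203.0.113.44/updates/patch.tgz"},
    {"src": "198.51.100.99", "dest": "192.0.2.10", "category": "Malicious Websites",
     "file_path": "http://192.0.2.10/index.html"},  # inbound to the server: excluded
]


def from_web_server(event: dict) -> bool:
    """Mirror (src=X OR src_ip=X): logs differ in which source field they carry."""
    return WEB_SERVER in (event.get("src"), event.get("src_ip"))


def is_external(addr: str) -> bool:
    """True for a destination that is neither the web server nor internal space."""
    if not addr or addr == WEB_SERVER:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # a hostname in dest cannot be range-checked; keep it
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def file_name(path_or_url: str) -> str:
    """Reduce a URL or path to its final component so the three sources compare."""
    return urlparse(path_or_url).path.rsplit("/", 1)[-1]


def suricata_files(events) -> set:
    """Steps 1-6: files fetched by the web server from external dest_ip values."""
    return {file_name(e["http.url"]) for e in events
            if from_web_server(e) and is_external(e.get("dest_ip", ""))}


def stream_files(events) -> set:
    """Steps 7-9: the same view from Stream HTTP's uri field."""
    return {file_name(e["uri"]) for e in events
            if from_web_server(e) and is_external(e.get("dest", ""))}


def utm_files(events, category: str = "Malicious Websites") -> set:
    """Steps 10-14: file_path values the UTM rated in the given category,
    keeping only outbound events (dest is not the web server)."""
    return {file_name(e["file_path"]) for e in events
            if from_web_server(e) and e.get("dest") != WEB_SERVER
            and e.get("category") == category}


def evidence(suricata, stream, utm) -> dict:
    """Map each file to the sourcetypes (in search order) that observed it."""
    seen = {}
    for sourcetype, files in (("suricata", suricata_files(suricata)),
                              ("stream:http", stream_files(stream)),
                              ("fgt_utm", utm_files(utm))):
        for f in files:
            seen.setdefault(f, []).append(sourcetype)
    return seen


def corroborated_files(suricata, stream, utm) -> list:
    """Files present in all three sources: the strongest candidates to pursue."""
    return sorted(f for f, srcs in evidence(suricata, stream, utm).items()
                  if len(srcs) == 3)


if __name__ == "__main__":
    for f, srcs in sorted(evidence(SURICATA, STREAM_HTTP, FGT_UTM).items()):
        print(f"{f}: seen in {', '.join(srcs)}")
    print("corroborated:", corroborated_files(SURICATA, STREAM_HTTP, FGT_UTM))
```

Running it on the constructed events reports patch.tgz in Suricata and Stream only (the UTM rated that site as Information Technology) and deface.php in all three, which is the corroboration the procedure is looking for. Reducing each source to a bare file name is deliberate: Suricata and Stream log a path while the UTM logs a full URL, and comparing them raw would never match.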

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search | Explanation

src=<IP address of the web server>

Search data coming from this IP address.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses, and the dest field may hold a hostname in one event and an IP address in another. Grouping alternatives in parentheses with OR broadens your search so that events using either field or either value are not missed.

Example:
(src="192.0.2.0" OR src_ip="192.0.2.0")

Example:
(src="192.0.2.0" OR src="example.com")

sourcetype=suricata

Search only Suricata data.

sourcetype=stream:http 

Search only Stream http data.

sourcetype=fgt_utm

Search only Fortinet UTM data.

<IP address of web server>

Search for the IP address of the web server.

NOT dest="<IP address of web server>"

Eliminate results that have the IP address of the web server as the destination.

Result

If you can corroborate a suspicious file across multiple data sources, you have likely found the file that has something to do with your website defacement. You can use that file information to investigate further.
