Splunk Lantern

HTTP GET requests

You might want to see what web resources an IP address on your network is requesting when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You are concerned that users on your network might accidentally download content from the internet that poses a threat. You've already done some investigating into anomalous domains and have picked a user whose activity you are most concerned about. Now you want to focus just on HTTP GET requests initiated by that user.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Stream HTTP data. You can replace this source with any other web server data used in your organization.

  1. Run the following search:

     sourcetype=stream:http src_ip=<IP address sending the request> dest_ip!=<IP address sending the request> http_method=GET
     |table src_ip dest_ip bytes_in bytes_out site uri

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

sourcetype=stream:http
    Search only Stream HTTP data.

src_ip=<IP address sending the request>
    Search data coming from this IP address.

    Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it, and sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don't miss anything.

    Example:

    (src="192.0.2.0" OR src_ip="192.0.2.0")

    Example:

    (src="192.0.2.0" OR src="example.com")

dest_ip!=<IP address sending the request>
    Exclude results where the destination IP address is the same as the source IP address.

http_method=GET
    Search for a request to retrieve data.

|table src_ip dest_ip bytes_in bytes_out site uri
    Display the results in a table with the columns in the order shown.

Result

You can filter out URIs that you know to be safe and investigate unusual ones further. If you already have information about bytes in and bytes out on your network, you can calculate statistics to show whether any of the GET requests are outliers.  
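The following Python script is an added example and is not part of the Splunk Lantern article or of Splunk Stream. It reproduces the logic of the search above (filter one source host's GET requests, drop events where the destination equals the source, tabulate the listed columns) over a handful of constructed sample events shaped like sourcetype=stream:http records, folds in the src/src_ip and dest/dest_ip broadening from the explanation table, and then applies the byte-count outlier check suggested in the Result section using a median absolute deviation (MAD) score. The host 192.0.2.10, the destinations, the byte counts and the URIs are all constructed; the MAD threshold of 3 is an assumed starting point, not a Splunk default.

```python
"""Added example: Python equivalent of the Splunk Stream HTTP GET search plus a
byte-count outlier check.  All events below are constructed sample data."""
from statistics import median

# Constructed sample events shaped like sourcetype=stream:http records.
# 192.0.2.10 (documentation address space) is the host under investigation.
SAMPLE_EVENTS = [
    {"src_ip": "192.0.2.10", "dest_ip": "198.51.100.5", "http_method": "GET",
     "bytes_in": 310, "bytes_out": 4200, "site": "example.com", "uri": "/index.html"},
    {"src_ip": "192.0.2.10", "dest_ip": "198.51.100.5", "http_method": "GET",
     "bytes_in": 290, "bytes_out": 3900, "site": "example.com", "uri": "/style.css"},
    # POST, so it is excluded by http_method=GET
    {"src_ip": "192.0.2.10", "dest_ip": "198.51.100.7", "http_method": "POST",
     "bytes_in": 900, "bytes_out": 120, "site": "example.com", "uri": "/login"},
    # destination equals source, so it is excluded by dest_ip!=<host>
    {"src_ip": "192.0.2.10", "dest_ip": "192.0.2.10", "http_method": "GET",
     "bytes_in": 200, "bytes_out": 500, "site": "localhost", "uri": "/health"},
    {"src_ip": "192.0.2.10", "dest_ip": "203.0.113.9", "http_method": "GET",
     "bytes_in": 280, "bytes_out": 850000, "site": "cdn.example.net", "uri": "/update.exe"},
    {"src_ip": "192.0.2.10", "dest_ip": "198.51.100.20", "http_method": "GET",
     "bytes_in": 300, "bytes_out": 4100, "site": "example.org", "uri": "/logo.png"},
    # only src/dest present (no *_ip fields): picked up by the OR broadening
    {"src": "192.0.2.10", "dest": "files.example.net", "http_method": "GET",
     "bytes_in": 300, "bytes_out": 4000, "site": "files.example.net", "uri": "/app.js"},
    # a different host, so it is excluded by src_ip=<host>
    {"src_ip": "192.0.2.11", "dest_ip": "198.51.100.5", "http_method": "GET",
     "bytes_in": 310, "bytes_out": 4200, "site": "example.com", "uri": "/index.html"},
]

TABLE_COLUMNS = ("src_ip", "dest_ip", "bytes_in", "bytes_out", "site", "uri")


def _first_field(event, *names):
    """Return the first of the named fields present in the event, or None.
    Mirrors the (src="x" OR src_ip="x") broadening from the explanation table."""
    for name in names:
        if name in event:
            return event[name]
    return None


def get_requests_from(events, host):
    """Equivalent of:
    src_ip=<host> dest_ip!=<host> http_method=GET
    | table src_ip dest_ip bytes_in bytes_out site uri
    """
    rows = []
    for ev in events:
        src = _first_field(ev, "src_ip", "src")
        dest = _first_field(ev, "dest_ip", "dest")
        if src != host or dest == host or ev.get("http_method") != "GET":
            continue
        row = {col: ev.get(col) for col in TABLE_COLUMNS}
        row["src_ip"], row["dest_ip"] = src, dest  # resolved values fill the table
        rows.append(row)
    return rows


def flag_outliers(rows, field="bytes_out", threshold=3.0):
    """Flag rows whose byte count sits far from the median, measured in median
    absolute deviations.  The median/MAD pair is used instead of mean/stddev so
    that a single huge transfer does not mask itself by inflating the baseline.
    The threshold of 3 is an assumed starting point, to be tuned per network."""
    values = [r[field] for r in rows]
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid division by zero
    flagged = []
    for r in rows:
        score = abs(r[field] - med) / mad
        if score > threshold:
            flagged.append({**r, "mad_score": round(score, 2)})
    return flagged


if __name__ == "__main__":
    table = get_requests_from(SAMPLE_EVENTS, "192.0.2.10")
    print(" | ".join(TABLE_COLUMNS))
    for row in table:
        print(" | ".join(str(row[c]) for c in TABLE_COLUMNS))
    for hit in flag_outliers(table):
        print(f"outlier: {hit['uri']} bytes_out={hit['bytes_out']} mad_score={hit['mad_score']}")
```

Run as-is, the table holds five GET rows for 192.0.2.10, and the 850000-byte fetch of /update.exe is the only row flagged; the four ordinary page-asset requests score at most 2 MADs from the median. In Splunk the same outlier step is what `eventstats median(bytes_out)` followed by an `eval` of the deviation would give you over the tabled results.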
