A device on your network was hacked into with a brute force password attempt. You want to find out what IP address the attack originated from.
This sample search uses Splunk Stream. You can replace this source with any other web server data used in your organization.
- Run the following search. You can optimize it by specifying an index and adjusting the time range. Leave off the `stats` command for now so that individual events remain visible in the next step.
  `sourcetype=stream:http dest="<IP address receiving the request>" http_method=POST`
- Expand any event to see all fields.
- In the form_data field, look at the format in which the username and password are provided. Use that format to write a wildcard search for this field and add it to the search.
  Example: if the log shows `form_data username=admin&passwd=123abc`, then a good search term is `form_data=*username*passwd*`.
Stream requires special configuration. If you do not see the fields referenced in this procedure, see the Splunk Stream Installation and Configuration Manual on the Splunk documentation site.
- Add the following to the search and rerun it:
|stats count BY src
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Search term | Explanation |
|---|---|
| `sourcetype=stream:http` | Search only Stream http data. |
| `dest=<IP address receiving the request>` | Search data going to this IP address. |
| `http_method=POST` | Search for a request pushed to the server. In this case, the request is a password that was pushed from the source. |
| `form_data=*username*passwd*` | Return results that match your wildcard search. |
| `\|stats count BY src` | Count the number of times each source IP address appears. |
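The following Python script is an added example, not code from Splunk or from this documentation: it applies the same filters as the finished search (destination IP, POST method, a Splunk-style wildcard on form_data) to a handful of constructed Stream-like records and counts matching events per source IP, so you can see exactly which events the search keeps and why the top source stands out. The sample events, IP addresses and the `count_post_sources` / `likely_attacker` function names are all made up for this example; the wildcard matcher assumes Splunk's behaviour of `*` matching any run of characters and case-insensitive value matching.

```python
import re
from collections import Counter

# Constructed sample events, shaped like Splunk Stream http records with the
# fields src, dest, http_method and form_data. Values are invented, not real traffic.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dest": "192.0.2.10", "http_method": "POST", "form_data": "username=admin&passwd=123abc"},
    {"src": "10.0.0.5", "dest": "192.0.2.10", "http_method": "POST", "form_data": "username=admin&passwd=letmein"},
    {"src": "10.0.0.5", "dest": "192.0.2.10", "http_method": "POST", "form_data": "username=admin&passwd=password1"},
    {"src": "10.0.0.9", "dest": "192.0.2.10", "http_method": "POST", "form_data": "username=alice&passwd=s3cret"},
    # Dropped by http_method=POST: a GET carries no submitted credentials.
    {"src": "10.0.0.5", "dest": "192.0.2.10", "http_method": "GET", "form_data": ""},
    # Dropped by dest=...: this POST went to a different server.
    {"src": "10.0.0.7", "dest": "192.0.2.11", "http_method": "POST", "form_data": "username=bob&passwd=hunter2"},
    # Dropped by the form_data wildcard: a POST that is not a login attempt.
    {"src": "10.0.0.8", "dest": "192.0.2.10", "http_method": "POST", "form_data": "comment=hello"},
]


def splunk_wildcard_to_regex(pattern):
    """Translate a Splunk-style wildcard term (where * matches any run of
    characters) into an anchored, case-insensitive regular expression."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL | re.IGNORECASE)


def count_post_sources(events, dest, form_data_pattern="*username*passwd*"):
    """Python equivalent of the finished search:
         sourcetype=stream:http dest=<dest> http_method=POST
         form_data=*username*passwd* | stats count BY src
    Returns a list of (src, count) pairs sorted by count, highest first."""
    matcher = splunk_wildcard_to_regex(form_data_pattern)
    counts = Counter()
    for event in events:
        if event.get("dest") != dest:
            continue
        if event.get("http_method", "").upper() != "POST":
            continue
        if not matcher.match(event.get("form_data", "")):
            continue
        counts[event["src"]] += 1
    return counts.most_common()


def likely_attacker(events, dest):
    """Return the source IP with the most matching login POSTs, or None."""
    ranked = count_post_sources(events, dest)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    for src, count in count_post_sources(SAMPLE_EVENTS, "192.0.2.10"):
        print(f"{src:<12} {count}")
    print("likely source of the brute force attempt:", likely_attacker(SAMPLE_EVENTS, "192.0.2.10"))
```

The ranking is only as good as the form_data wildcard: if the login form uses different parameter names (for example `user` and `pass`), the pattern must be adjusted in step 2 or every login attempt is silently dropped and the count comes back empty.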
The IP address with the most hits is most likely the one the brute force password attack originated from. You can use open source intelligence (OSINT) to find a domain name and other IP addresses associated with the one you found in the investigation.
Finally, you might be interested in other processes associated with the Reconstructing a website defacement use case.