forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
investigate_suspicious_strings_in_http_header.yml
36 lines (36 loc) · 1.63 KB
/
investigate_suspicious_strings_in_http_header.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
name: Investigate Suspicious Strings in HTTP Header
id: bc91a8cf-35e7-4bb2-8140-e756cc06fd89
version: 1
date: '2017-10-20'
author: Bhavin Patel, Splunk
type: Investigation
datamodel: []
description: This search helps an analyst investigate a notable event related to a
potential Apache Struts exploitation. To investigate, we will want to isolate and
analyze the "payload" or the commands that were passed to the vulnerable hosts by
creating a few regular expressions to carve out the commands focusing on common
keywords from the payload, such as cmd.exe, /bin/bash and whois. The search returns
these suspicious strings found in the HTTP logs of the system of interest.
search: '`stream_http` | search src_ip=$src_ip$ | search dest_ip=$dest_ip$ | eval
cs_content_type_length = len(cs_content_type) | search cs_content_type_length >
100 | rex field="cs_content_type" (?<suspicious_strings>cmd.exe) | eval suspicious_strings_found=if(match(cs_content_type,
"application"), "True", "False") | rename suspicious_strings_found AS "Suspicious
Content-Type Found" | fields "Suspicious Content-Type Found", dest_ip, src_ip, suspicious_strings,
cs_content_type, cs_content_type_length, url'
how_to_implement: This particular search leverages data extracted from Stream:HTTP.
You must configure the http stream using the Splunk Stream App on your Splunk Stream
deployment server to extract the cs_content_type field.
known_false_positives: ''
references: []
tags:
analytic_story:
- Apache Struts Vulnerability
product:
- Splunk Phantom
required_fields:
- _time
- src_ip
- dest_ip
- cs_content_type
- url
security_domain: network