topic Re: Unauthorized Vulnerability Scan - External in Splunk Search

Unauthorized Vulnerability Scan - External

rashid47010 — Tue, 29 Sep 2020 10:08:14 GMT

HI everyone,

I am trying to figure out about Unauthorised Vulnerability Scan - External.. we detected an external host using a script or vulnerability tool to probe our network in an attempt to locate an exploitable vulnerability. How can I configure an alert to notify me when someone doing the external vulnerability scan to our network by using different signatures against one or two minute margin.

index=paloxx dest_ip=1xx.1x.x0.x0 | bin _time span=2m | stats dc(signature),dc(dest_ip) as DEST by src_ip | where DEST>500

I am not sure to put where or search command
Really appreciate any help on this.

Cheers

Rashid

Re: Unauthorized Vulnerability Scan - External

xavierpaul — Tue, 05 Jul 2016 08:52:57 GMT

can you elaborate your question? what do you mean by "I am not sure to put where or search command"

Re: Unauthorized Vulnerability Scan - External

rashid47010 — Tue, 05 Jul 2016 09:52:59 GMT

I am talking about where or search command. my requirement is when the number of distinct signature is more than 10 from singly source IP.

Re: Unauthorized Vulnerability Scan - External

woodcock — Tue, 05 Jul 2016 14:24:46 GMT

Like this:

index=paloxx dest_ip=1xx.1x.x0.x0 | bin _time span=2m
| stats dc(signature) AS signatureDC dc(dest_ip) as destDC by src_ip
| where destDC>500 AND signatureDC>10

The AND must be all-uppercase.

Re: Unauthorized Vulnerability Scan - External

rashid47010 — Tue, 29 Sep 2020 10:08:32 GMT

Thanks wood,

Thanks for your response. the final query is (according to me)(appreciate your comments on that if ay):
index=palxxx src_ip=1xx.x5.xx.xx dest_ip=1x3.x9.xx.xxx dest_port=80 | bin _time span=1h | stats dc(signature) as signatureDC dc(dest_ip) as destDC by src_ip | where signatureDC>6

now I have multiple IPs destining to dest_ip=1x3.x9.xx.xxx dest_port=80

src_ip |SignatureDC |destDC
xxx.xxx.xxx.xxx x x
xxx.xxx.xxx.xxx x x
xxx.xxx.xxx.xxx x x
xxx.xxx.xxx.xxx x x
xxx.xxx.xxx.xxx x x
xxx.xxx.xxx.xxx x x

I want to create a real time alter.
which option I should select under "trigger condition"--> trigger alert when

Re: Unauthorized Vulnerability Scan - External

woodcock — Wed, 06 Jul 2016 12:50:43 GMT

I highly advise you not to use real-time. Instead I would run run it every 5 or 10 minutes for the last hour. The trigger is the threshold that you desire. It is probably best to put the threshold into the search (like we did with the | where destDC>500 AND signatureDC>1 and then just set the trigger to Number of events (in the final results set of your search) Is greater than 0.

Re: Unauthorized Vulnerability Scan - External

rashid47010 — Tue, 29 Sep 2020 10:09:05 GMT

Thanks wood,
Actually I am new to splunk. I need your further support to finalise my first alert(if results are as required then we can configure it as permanent correlation rule).
I have some question in my mind. appreciate for your kind response on them.

why you use the destDC>500 whereas I have only destination IP.

Final Query:
index=paloalto_pa dest_ip=193.19.90.20 dest_port=80 | bin _time span=1h | stats dc(signature) as signatureDC dc(dest_ip) as destDC by src_ip | where signatureDC>6

I configure the alert as below:
1- It will run every after 30 minutes for last one hour data.
earliest: -2h@h
latest: -1h@h
cron expression: 0/30 * * * ***
is that right....?
2- As Suggested. I configure the trigger conditions to:
tirgger alert when: number of results is greater than 0
and trigger for each result.
**I select the throttle and I select src_ip for
the suppress results containing field value
and suppress the trigger for 4 hours.

Please advise. It will give ma a great start to understand the alters and their configuration parameters.

Thanks.

Re: Unauthorized Vulnerability Scan - External

woodcock — Thu, 07 Jul 2016 12:54:41 GMT

I said "LIKE we did with ..." not "EXACTLY AS we did with ...". I man to put the threshold criteria, whatever it is, into the search, not the alert configuration. You have to decide on the alert threshold criteria.

1 - Yes.

2 - Yes, but only if you select to alertonce for every event. Then for every event (which corresponds to any particular src_ip) you will at most get 1 alert ever 4 hours.

Re: Unauthorized Vulnerability Scan - External

rashid47010 — Fri, 08 Jul 2016 10:54:29 GMT

Thanks wood
Highly appreciate your kind response