Security

Analyzing a log for security breach

magnia
Engager

I am analyzing a log and can see over 600 attempts from one IP address in a 2-hour period, each resulting in a 404 Not Found error. All other failed HTTP codes come from different IP addresses but are very low in count by comparison, which led me to believe this offending IP address is spamming our server. Are there any other checks I could do?

(This is just for educational purposes and not a real log.)

0 Karma

FrankVl
Ultra Champion

If your logs provide that info, you could look at what URL is being requested. Is it the same URL over and over, or is it trying various URLs (perhaps with weird characters, or using ../.. to try and gain access to directories outside the webserver files)?

Also investigate the IP address. Is it something internal (and if so, what environment does it belong to and who is the owner)? If it is external, you could check it against threat intelligence sources to see if it is a known malicious host.

600 over 2 hours is not an incredibly alarming rate (not enough to bring a server down), but it could indicate some kind of vulnerability scanning / probing activity. But it could just as well be some internal script that is trying to connect to a web page that doesn't exist anymore.

magnia
Engager

It's doing as you expected, I believe, and trying lots of different characters and strings. I found another example where it's 1500 attempts in 5 minutes, so that seems malicious.

I have tried the ThreatMiner site for the IP but there doesn't seem to be a case for it. As part of my learning activity it advises that the web server was hit by spam and then a DDoS attack, so I kind of presumed it would have been a spam hit to try and get users to install some malware which was then performing the DDoS attack. I'm not sure if I can find out whether the IP address is internal; I had presumed it was external.

Appreciate your reply Frank.

0 Karma