So, I've been logging traffic from my malware analysis sandbox looking for ways to develop a query to identify hosts who may have been hit with a blackhole exploit kit such as Fiesta, Angler, etc.
In each instance there are 3 HTTP requests that show up when a host may have been a victim.
The first request, which is the malicious JavaScript redirect to the landing site:
method=GET
http_refer = www.compromisedsite(.)com/badjava.js
hostname = maliciouslandingsite(.)com
url = /evil.php
Here's the second request:
method=GET
hostname = maliciouslandingsite(.)com
http_refer = maliciouslandingsite(.)com/evil.php
http length = 0
url = /2kFrBaOX-ynG2d3ba5CR6YlsXlH9CgZTBfCxlWF3rVH_mpxCFDiRjIw0Xid5hT8d (this is a malicious flash exploit)
and the third:
method=GET
http length=0
user-agent=unknown
hostname=www.maliciouslandingsite.com
url= /1LCk6argMtVuqEp55ARj6wYxEX80xNngReFwSCMRclHI2oBxjyh7DD-AQCiggk_e (this is the malware if the Flash version was exploited)
It's always the same: JS redirect, URL ending in .php, random 67 long character URL with a zero http length, and then another 67 character URL with an http length of zero and an unknown user agent.
Here's my query so far. What I want is Splunk to return results from a host if the two searches produce results and the time stamps are within 5 seconds of each other. I don't care if this traffic occurs on the same host an hour apart.
http_method="GET" http.http_refer="*.php" http.length=0 [search http_method="GET" http.http_refer="*.js" http.status=200 http.url="*.php" | eval query=_time+5 | fields query host]
How far off am I?
I've built an index with known bad HTTP traffic, so I'll know if this works or not and right now it's not returning anything.
Thanks!
Did you manage to get this working in the end?
Maybe a transaction would be a better fit in this situation.
.. | transaction client_ip startswith=(http_refer=".js") endswith=(http_refer=".php") maxspan=5s | table client_ip
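The same correlation, written out in Python as an added example that is not part of this thread and not Splunk code. It implements what the original poster's subsearch and the transaction/maxspan suggestion above both aim at: per client, a JS-referred .php landing request, followed by a zero-length fetch of a long opaque path referred by that .php page, followed by another zero-length opaque fetch with an unknown user agent, all inside a 5-second window. The key=value log lines and the field names (ts, client_ip, referer, ua, and so on) are constructed for this example; the two opaque paths are the ones quoted in the post, which are 64 characters long, so the path check accepts a length range rather than exactly 67.

```python
"""Correlate the three-request exploit-kit pattern per client inside a short window.

Added example, not code from the original thread. It runs over constructed
key=value log lines carrying the fields the poster listed; the field names
are assumptions for this example only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 5.0

# The post describes a long random path; its quoted samples are 64 characters,
# so a length range is accepted rather than an exact 67 (assumption).
OPAQUE_PATH = re.compile(r"^/[A-Za-z0-9_-]{60,70}$")


@dataclass
class HttpEvent:
    ts: float
    client_ip: str
    method: str
    referer: str
    host: str
    url: str
    length: int
    ua: str


def parse_line(line: str) -> HttpEvent:
    """Parse one constructed 'key=value key=value ...' log line."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return HttpEvent(
        ts=float(kv["ts"]), client_ip=kv["client_ip"], method=kv["method"],
        referer=kv["referer"], host=kv["host"], url=kv["url"],
        length=int(kv["length"]), ua=kv["ua"],
    )


def is_landing(e: HttpEvent) -> bool:
    """Stage 1: the JS redirect lands on a .php page."""
    return e.method == "GET" and e.referer.endswith(".js") and e.url.endswith(".php")


def is_exploit_fetch(e: HttpEvent) -> bool:
    """Stage 2: zero-length fetch of an opaque path, referred by the .php landing page."""
    return (e.method == "GET" and e.referer.endswith(".php")
            and e.length == 0 and OPAQUE_PATH.match(e.url) is not None)


def is_payload_fetch(e: HttpEvent) -> bool:
    """Stage 3: another zero-length opaque path with no recognisable user agent."""
    return e.length == 0 and e.ua == "unknown" and OPAQUE_PATH.match(e.url) is not None


def find_chains(log_text: str, window: float = WINDOW_SECONDS) -> list[tuple[str, float, float, str]]:
    """Return (client_ip, first_ts, last_ts, payload_url) for each full chain whose
    three requests all fall within `window` seconds of the landing request."""
    by_client: dict[str, list[HttpEvent]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_client[ev.client_ip].append(ev)

    hits = []
    for client_ip, events in by_client.items():
        events.sort(key=lambda e: e.ts)
        for i, a in enumerate(events):
            if not is_landing(a):
                continue
            # Only events inside the window after the landing request are candidates,
            # so a look-alike request an hour later on the same host never chains.
            tail = [e for e in events[i + 1:] if e.ts - a.ts <= window]
            for j, b in enumerate(tail):
                if is_exploit_fetch(b):
                    break
            else:
                continue  # no stage-2 fetch in the window
            for c in tail[j + 1:]:
                if is_payload_fetch(c):
                    hits.append((client_ip, a.ts, c.ts, c.url))
                    break
    return hits


# Constructed sample traffic (not real captures). Client 10.0.0.5 shows the full
# chain inside 4 seconds; client 10.0.0.9 shows similar requests an hour apart.
SAMPLE_LOG = (
    "ts=1000.0 client_ip=10.0.0.5 method=GET referer=www.compromisedsite.com/badjava.js "
    "host=maliciouslandingsite.com url=/evil.php length=4120 ua=Mozilla/5.0\n"
    "ts=1001.2 client_ip=10.0.0.5 method=GET referer=maliciouslandingsite.com/evil.php "
    "host=maliciouslandingsite.com url=/2kFrBaOX-ynG2d3ba5CR6YlsXlH9CgZTBfCxlWF3rVH_mpxCFDiRjIw0Xid5hT8d "
    "length=0 ua=Mozilla/5.0\n"
    "ts=1003.9 client_ip=10.0.0.5 method=GET referer=- host=www.maliciouslandingsite.com "
    "url=/1LCk6argMtVuqEp55ARj6wYxEX80xNngReFwSCMRclHI2oBxjyh7DD-AQCiggk_e length=0 ua=unknown\n"
    "ts=2000.0 client_ip=10.0.0.9 method=GET referer=www.example.com/app.js "
    "host=cdn.example.com url=/index.php length=980 ua=Mozilla/5.0\n"
    f"ts=5600.0 client_ip=10.0.0.9 method=GET referer=cdn.example.com/index.php "
    f"host=cdn.example.com url=/{'x' * 64} length=0 ua=Mozilla/5.0\n"
    f"ts=5602.0 client_ip=10.0.0.9 method=GET referer=- host=cdn.example.com "
    f"url=/{'y' * 64} length=0 ua=unknown\n"
)


def main() -> None:
    for client_ip, start, end, payload in find_chains(SAMPLE_LOG):
        print(f"{client_ip}: chain {start} -> {end} ({end - start:.1f}s), payload {payload}")


if __name__ == "__main__":
    main()
```

Only 10.0.0.5 is reported: its three requests span 3.9 seconds, while 10.0.0.9 has a stage-2 and stage-3 pair close together but an hour after its landing request, which is exactly the case the poster wants ignored. Anchoring the window on the landing request is the same constraint that maxspan=5s expresses in the transaction suggestion.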