Splunk Search to Weed Out Low Hanging Fruit and Out-Of-The-Box Pentest

Draft rule for a Splunk Search

Suspicious User Agents

You will not detect APTs with this, but you will weed out low-hanging fruit and not-too-savvy pentesters :)

user_agent IN ("*burp*", "*burpcollaborator.net*", "*qualys*", "*nexpose*", "*OpenVAS*", "*Nikto*", "*Meterpreter*", "*IceWeasel*", "*DirB*", "*Comodo*", "*Tripwire*", "*Retina*", "*MBSA*", "*ImmuniWeb*", "*Netsparker*", "*Acunetix*", "*Intruder*", "*WinHttp.WinHttpRequest*", "*nmap*", "*CVE*", "*base64*", "*eval*", "*ftp*", "*/script*", "*javascript*", "*alert*") NOT user_agent="*google*"
| eval detection_description=if(like(user_agent,"%WinHttpRequest%"),"CScript or VBScript Call",detection_description)
| eval detection_description=if(like(user_agent,"%Iceweasel%"),"Potentially Kali",detection_description)
| eval detection_description=if(like(user_agent,"%Meterpreter%"),"Meterpreter",detection_description)
| eval detection_description=if(like(user_agent,"%Nikto%"),"Nikto Scanning",detection_description)
| eval detection_description=if(like(user_agent,"%dirb%"),"Dirbuster Scanning",detection_description)
| eval detection_description=if(like(user_agent,"%burp%"),"BurpSuite Scanning",detection_description)
| eval detection_description=if(like(user_agent,"%qualys%"),"Qualys Scanning",detection_description)
| eval detection_description=if(like(user_agent,"%Comodo%"),"Comodo Scanning",detection_description)
| eval detection_description=if(like(user_agent,"%Tripwire%"),"Tripwire Scanning",detection_description)
| eval detection_description=if(like(user_agent,"%Retina%"),"Retina Scanning",detection_description)
| eval detection_description=if(like(user_agent,"%MBSA%"),"Microsoft Baseline Security Analyzer",detection_description)
| eval detection_description=if(like(user_agent,"%nmap%"),"NMAP Engine Scan",detection_description)
| eval detection_description=if(like(user_agent,"%OpenVAS%"),"OpenVAS Scanning",detection_description)
| eval detection_description=if(like(user_agent,"%CVE%"),"CVE Scan",detection_description)
| eval detection_description=if(like(user_agent,"%/script%"),"Cross Site Scripting Attempt",detection_description)
| eval detection_description=if(like(user_agent,"%alert%"),"Cross Site Scripting Attempt",detection_description)
| eval detection_description=if(like(user_agent,"%javascript%"),"Cross Site Scripting Attempt",detection_description)
| eval detection_description=if(like(user_agent,"%base64%"),"Potential SQL Injection",detection_description)
| eval detection_description=if(like(user_agent,"%eval%"),"Potential SQL Injection",detection_description)
| eval detection_description=if(like(user_agent,"%ftp%"),"Attempt at data Exfiltration",detection_description)
| table _time, user_agent, detection_description
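The same classification logic, as an added stand-alone example that is not part of the gist: it runs the search's needle list and eval chain over a few constructed combined-format web log lines, so the rule can be sanity-checked without a Splunk instance. The log lines, the `classify` function and the regex for the user-agent field are assumptions of this example; the needles and descriptions are the search's own.

```python
import re

# Constructed combined-log lines (not from the gist); the user agent is the last quoted field.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2019:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"',
    '10.0.0.6 - - [10/Dec/2019:10:01:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Iceweasel/45.0"',
    '10.0.0.7 - - [10/Dec/2019:10:01:04 +0000] "GET /admin HTTP/1.1" 404 0 "-" "<script>alert(1)</script>"',
]

# Needles from the search's IN list that get no description in the eval chain.
FILTER_ONLY = ("burpcollaborator.net", "immuniweb", "netsparker", "acunetix", "intruder")
# (description, needles) in the order of the eval chain; a later match overwrites an earlier one.
RULES = [
    ("CScript or VBScript Call", ("winhttprequest",)),
    ("Potentially Kali", ("iceweasel",)),
    ("Meterpreter", ("meterpreter",)),
    ("Nikto Scanning", ("nikto",)),
    ("Dirbuster Scanning", ("dirb",)),
    ("BurpSuite Scanning", ("burp",)),
    ("Qualys Scanning", ("qualys",)),
    ("Comodo Scanning", ("comodo",)),
    ("Tripwire Scanning", ("tripwire",)),
    ("Retina Scanning", ("retina",)),
    ("Microsoft Baseline Security Analyzer", ("mbsa",)),
    ("NMAP Engine Scan", ("nmap",)),
    ("OpenVAS Scanning", ("openvas",)),
    ("CVE Scan", ("cve",)),
    ("Cross Site Scripting Attempt", ("/script", "alert", "javascript")),
    ("Potential SQL Injection", ("base64", "eval")),
    ("Attempt at data Exfiltration", ("ftp",)),
]

UA_RE = re.compile(r'"([^"]*)"\s*$')  # last double-quoted field of the line

def classify(log_line):
    # Returns (user_agent, description) for a suspicious line, else None.
    m = UA_RE.search(log_line)
    if not m:
        return None
    ua = m.group(1)
    low = ua.lower()  # substring match, case-insensitive (Splunk's like() is case-sensitive)
    if "google" in low:  # mirrors the NOT user_agent="*google*" exclusion for Googlebot
        return None
    desc = None
    for label, needles in RULES:
        if any(n in low for n in needles):
            desc = label  # last matching rule wins, exactly like the chained eval/if()
    if desc is None and not any(n in low for n in FILTER_ONLY):
        return None
    return (ua, desc)
```

Because the last rule wins, a user agent that matches both "Nikto" and "eval" is reported as "Potential SQL Injection", which is how the Splunk eval chain behaves as well.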

@darkquasar


@darkquasar darkquasar commented Dec 10, 2019

Updated, thanks to @ateixei, to improve readability by using "IN" in the Splunk query.
