AWS ELB HTTP requests from security scanner

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous @http.useragent.

Strategy

Inspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from darkqusar’s gist. The detection does this using 2 cases:

  • Case 1: The scanner is accessing several unique @http.url_details.paths and receiving @http.status_codes in the range of 200 TO 299
  • Case 2: The scanner is accessing several unique @http.url_details.paths and receiving @http.status_codes in the range of 400 TO 499

Triage and response

  1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.
  2. Check if these authentication requests are successful.
    • If they are successful, change the status of the signal to UNDER REVIEW and begin your company’s incident response plan.
    • If they are not successful, ARCHIVE the signal.

NOTE: Your organization should tune out user agents that are valid and triggering this signal. To do this, see our Fine-tune security signals to reduce noise blog.

Changelog

4 April 2022 - Updated rule cases and signal message.

PREVIEWING: esther/docs-9478-fix-split-after-example