AWS ELB HTTP requests from security scanner

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous @http.useragent.

Strategy

Inspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from darkqusar’s gist. The detection does this using 2 cases:

  • Case 1: The scanner is accessing several unique @http.url_details.paths and receiving @http.status_codes in the range of 200 TO 299
  • Case 2: The scanner is accessing several unique @http.url_details.paths and receiving @http.status_codes in the range of 400 TO 499

Triage and response

  1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.
  2. Check if these authentication requests are successful.
    • If they are successful, change the status of the signal to UNDER REVIEW and begin your company’s incident response plan.
    • If they are not successful, ARCHIVE the signal.

NOTE: Your organization should tune out user agents that are valid and triggering this signal. To do this, see our Fine-tune security signals to reduce noise blog.

Changelog

4 April 2022 - Updated rule cases and signal message.

PREVIEWING: piotr_wolski/update-dsm-docs