AWS ELB HTTP requests from security scanner
Goal
Detect when a web application is being scanned. This identifies attacker IP addresses that are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous @http.useragent.
Strategy
Inspect the user agent in the HTTP headers to determine whether an IP is scanning your application, by comparing it against the scanner user agents listed in darkqusar's gist. The detection does this using two cases:
- Case 1: The scanner is accessing several unique @http.url_details.paths and receiving @http.status_codes in the range of 200 TO 299
- Case 2: The scanner is accessing several unique @http.url_details.paths and receiving @http.status_codes in the range of 400 TO 499
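The two cases above, as an added example that is not Datadog's rule code: records are grouped by client IP, only records whose user agent matches a scanner signature count, and a case fires when the IP has hit enough distinct paths with a 2xx or a 4xx response. The signature list, the record field names and the threshold of 5 distinct paths are assumptions made for illustration.

```python
# Added example, not the rule's own implementation. The scanner signature list,
# the record field names and the threshold are assumptions for illustration.
from collections import defaultdict

# Constructed stand-in for darkqusar's gist; the real list is much longer.
SCANNER_USER_AGENTS = ["nikto", "sqlmap", "nessus", "masscan", "zgrab"]

# "Several unique paths" is not quantified on the page; 5 is an assumed threshold.
UNIQUE_PATH_THRESHOLD = 5


def is_scanner_user_agent(user_agent):
    """True if the user agent contains a known scanner signature (case-insensitive)."""
    ua = (user_agent or "").lower()
    return any(sig in ua for sig in SCANNER_USER_AGENTS)


def evaluate_scanner_cases(records):
    """Apply Case 1 (2xx) and Case 2 (4xx) per client IP.

    Returns {client_ip: [names of the cases that fired]}; IPs whose
    requests never carry a scanner user agent are not reported.
    """
    paths_2xx = defaultdict(set)  # ip -> distinct paths answered 200-299
    paths_4xx = defaultdict(set)  # ip -> distinct paths answered 400-499
    for r in records:
        if not is_scanner_user_agent(r.get("http.useragent")):
            continue  # only scanner-tagged requests count toward either case
        ip, path = r["network.client.ip"], r["http.url_details.path"]
        status = r["http.status_code"]
        if 200 <= status <= 299:
            paths_2xx[ip].add(path)
        elif 400 <= status <= 499:
            paths_4xx[ip].add(path)
    signals = {}
    for ip in set(paths_2xx) | set(paths_4xx):
        fired = []
        if len(paths_2xx[ip]) >= UNIQUE_PATH_THRESHOLD:
            fired.append("Case 1: scanner user agent, unique paths with 2xx")
        if len(paths_4xx[ip]) >= UNIQUE_PATH_THRESHOLD:
            fired.append("Case 2: scanner user agent, unique paths with 4xx")
        if fired:
            signals[ip] = fired
    return signals


# Constructed sample records: one IP probing six paths that all 404, one normal browser.
SAMPLE_RECORDS = [
    {"network.client.ip": "203.0.113.10", "http.useragent": "Mozilla/5.0 (Nikto/2.1.6)",
     "http.url_details.path": f"/admin{i}", "http.status_code": 404}
    for i in range(6)
] + [
    {"network.client.ip": "198.51.100.7", "http.useragent": "Mozilla/5.0 (X11; Linux) Firefox/99",
     "http.url_details.path": "/index.html", "http.status_code": 200},
]
```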
Triage and response
- Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.
- Check if these authentication requests are successful.
- If they are successful, change the status of the signal to UNDER REVIEW and begin your company's incident response plan.
- If they are not successful, ARCHIVE the signal.
NOTE: Your organization should tune out user agents that are valid and triggering this signal. To do this, see our Fine-tune security signals to reduce noise blog.
Changelog
4 April 2022 - Updated rule cases and signal message.