AWS ELB HTTP requests from security scanner

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous @http.useragent.

Strategy

Inspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from darkqusar’s gist. The detection does this using 2 cases:

  • Case 1: The scanner is accessing several unique @http.url_details.paths and receiving @http.status_codes in the range of 200 TO 299
  • Case 2: The scanner is accessing several unique @http.url_details.paths and receiving @http.status_codes in the range of 400 TO 499

Triage and response

  1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.
  2. Check if these authentication requests are successful.
    • If they are successful, change the status of the signal to UNDER REVIEW and begin your company’s incident response plan.
    • If they are not successful, ARCHIVE the signal.

NOTE: Your organization should tune out user agents that are valid and triggering this signal. To do this, see our Fine-tune security signals to reduce noise blog.

Changelog

4 April 2022 - Updated rule cases and signal message.