SpectX was the subject of an ISC post on SpectX4DFIR back in late April. Raido from SpectX provides us with a query to count hits from IPs during different time intervals. This can be one way of detecting possible bots and automated queries. Running the query below will tell you:
I ran the query below, slightly modified from Raido's original, against the April 2020 log file for holisticinfosec.io. You can run this on any log file that contains timestamps and IP addresses; just change the path, pattern and field names accordingly.
The results, as seen in Figure 1, provided immediate insights.

Figure 1: SpectX IP hitcount query result

As promised, the IPs noted in the results in Figure 1 are all making constant calls to my site, all day, every day. Each is calling my index.xml file; some appear to be RSS readers or scrapers, which is fairly routine. Still, it seems like a lot of needless connect and compute cycles for a low-traffic, static site such as mine.

Figure 2: IPQS declares badness

This is a useful little query to quickly detect possible bots and automated queries. Hopefully you've already downloaded SpectX and given it a try after the last post. Load it back up and feed it a log. If you want a copy of the log used for this post, let me know via socials or email. Cheers...until next time.
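The same idea, as an added example that is not part of the diary and not Raido's SpectX query: bucket each request by a fixed interval, count hits per IP per bucket, and flag the IPs that show up in nearly every interval the log covers (the "all day, every day" callers above). It is plain Python over Apache/Nginx combined-format lines, so it runs without SpectX; the log lines, the 60-minute interval and the 75% coverage threshold are constructed assumptions, and malformed lines are skipped rather than aborting the run.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format (not from the diary's holisticinfosec.io log).
# One IP hits /index.xml once every hour, one browses twice, one scrapes once, one line is junk.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Apr/2020:00:12:01 +0000] "GET /index.xml HTTP/1.1" 200 5120 "-" "FeedFetcher/1.0"
203.0.113.9 - - [01/Apr/2020:00:40:55 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2020:01:12:03 +0000] "GET /index.xml HTTP/1.1" 200 5120 "-" "FeedFetcher/1.0"
198.51.100.7 - - [01/Apr/2020:02:12:02 +0000] "GET /index.xml HTTP/1.1" 200 5120 "-" "FeedFetcher/1.0"
198.51.100.7 - - [01/Apr/2020:03:12:01 +0000] "GET /index.xml HTTP/1.1" 200 5120 "-" "FeedFetcher/1.0"
203.0.113.9 - - [01/Apr/2020:03:20:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Apr/2020:02:05:00 +0000] "GET /index.xml HTTP/1.1" 200 5120 "-" "rss-scraper"
this line is malformed and should be skipped
"""

# Pattern for the combined log format: client IP, bracketed timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the IP, timestamp and request path of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path")}


def hits_per_interval(log_text: str, interval_minutes: int = 60):
    """Count hits per (interval start, IP); intervals are aligned to multiples of interval_minutes."""
    width = interval_minutes * 60
    counts = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        bucket = int(rec["ts"].timestamp()) // width * width
        counts[bucket][rec["ip"]] += 1
    return counts


def constant_callers(counts, min_coverage: float = 0.75):
    """Return (ip, intervals present, intervals total, hits) for IPs seen in at least
    min_coverage of all observed intervals, most persistent first."""
    total = len(counts)
    present = defaultdict(int)
    hits = defaultdict(int)
    for per_ip in counts.values():
        for ip, n in per_ip.items():
            present[ip] += 1
            hits[ip] += n
    flagged = [
        (ip, present[ip], total, hits[ip])
        for ip in present
        if total and present[ip] / total >= min_coverage
    ]
    return sorted(flagged, key=lambda r: (-r[1], -r[3], r[0]))


if __name__ == "__main__":
    table = hits_per_interval(SAMPLE_LOG, interval_minutes=60)
    for ip, seen, total, n in constant_callers(table):
        print(f"{ip}: present in {seen}/{total} hourly intervals, {n} hits")
```

Coverage across intervals, rather than raw hit count, is what separates a feed fetcher polling once an hour from a human who happens to load a few pages in a burst; on a real month of logs, lower the interval or raise the threshold until the list is short enough to look at by hand.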
Russ McRee, ISC Handler, Jun 30th 2020
Thanks for the post, Russ!
One more tip - you can enrich the IPs with MaxMind's GeoLite to get more instant info on the (weird) IPs.
1) Create a MaxMind account and configure access to the data in SpectX: https://docs.spectx.com/v2/spectx_core/getting_started/installing_desktop/maxmind_config.html
2) Run the IP query in this post.
3) Right-click on one of the IPs in the result set > Add Code Snippet > lookup Maxmind. The following select command is added to the query:
| select(ip, cc(ip), asname(ip), geo(ip), *)
4) Click Run and continue querying the new fields :)
Anonymous, Jun 30th 2020