IIS: Indicators of directory traversal, RFI and LFI

The following shows IoC for directory traversal, RFI and LFI within IIS logging: index=* sourcetype=”ms:iis:default”NOT (“cookie.js” OR “script.js”) AND (referer=”-” OR referer=””) AND (uri_query=”*passwd*” OR uri_query=”*cmd*” OR uri_query=”*%00*” OR uri_query=”*.txt*”)|table _time, clientip, status, uri_query

Continue Reading →

IIS: 401 and 403 errors

Get an overview of 401 and 403 errors, an increase might be an IoC. <code>index=* sourcetype=”ms:iis:default” sc_status=401 OR sc_status=403 |table _time, sc_status, sc_substatus, uri_path | timechart count by sc_status</code>

Continue Reading →

IIS: Indicators of XSS and SQLi attacks

The following query show IoC for XSS and SQLi. The complete query is wrapped up since this site is not accepting it. The query should also include “OR javascript”, followed by “:alert”. index=* sourcetype=”ms:iis:default” NOT (“cookie.js” OR “script.js” OR “cookie-min.js” OR “RESET-COOKIE” OR “form.user-info-from-cookie”) AND (“&#” OR “script>” OR “script%3E” OR “`” OR “cookie” OR alert\( […]

Continue Reading →

Extract DNS Queries from netscaler syslog

To extract the DNS logging from netscaler:syslog you need the following regex: ^\s+(?P<date>[^:]+):(?P<time>[^ ]+)(?:[^:\n]*:){3}(?P<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?P<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/) You can now put it in the query and get an overview of all DNS queries.  index=network_netscaler sourcetype=”citrix:netscaler:syslog” DNS | regex “^\s+(?P<date>[^:]+):(?P<time>[^ ]+)(?:[^:\n]*:){3}(?P<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?P<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)” | table time, date, source_ip, dns  

Continue Reading →

Overview of all medium to critical risks for Win20xx

Get an overview of all medium to critical risks for Windows 2008 / 2012: Windows 2008: sourcetype=”tenable:sc:vuln” cpe:/o:microsoft:windows_server_2008  | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description | join ip type=inner max=0 [ search index=main sourcetype=”tenable:sc:vuln” baseScore>3  | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description ] | sort by severity.name | chart count by […]

Continue Reading →

SSL certificates about to expire

The query below will give an overview of all certificates about to expire (within 60 days)  sourcetype=”tenable:sc:vuln” synopsis=”The SSL certificate associated with the remote service will expire soon.” | dedup ip | lookup dnslookup clientip as ip | chart count by ip,clienthost

Continue Reading →

Current Vulnerability Summary by Severity (tenable)

Having Tenable Security Center connected via the splunk plugin, this search gives an overview of all vulnerabilties, summarized by severity. sourcetype=”tenable:sc:vuln” severity.name=* | chart count over severity.name by ip Add the following to your dashboard source to add consistent colors to the pie chart: <option name=”charting.fieldColors”>{“Critical”:0x800000,”High”:0xFF0000,”Medium”:0xFFA500,”Low”:0x008000,”Info”:0x0000FF}</option>  

Continue Reading →