-
7 years, 3 months agoRonald (Access42) wrote a new post
The following shows IoC for directory traversal, RFI and LFI within IIS logging:
index=* sourcetype=”ms:iis:default”NOT (“cookie.js” OR “script.js”) AND (referer=”-” OR referer=””) AND (uri_query=”*passwd*” OR […] -
7 years, 3 months ago
Ronald (Access42) wrote a new post
Get an overview of all 404 errors, an increase might be an IoC
index=web_p sourcetype=”ms:iis:default” status=404 | timechart count -
7 years, 3 months ago
Ronald (Access42) wrote a new post
Get an overview of 401 and 403 errors, an increase might be an IoC.
index=* sourcetype=”ms:iis:default” sc_status=401 OR sc_status=403 |table _time, sc_status, sc_substatus, uri_path | timechart count by sc_status -
7 years, 3 months ago
Ronald (Access42) wrote a new post
The following query show IoC for XSS and SQLi. The complete query is wrapped up since this site is not accepting it. The query should also include “OR javascript”, followed by “:alert”.
index=* […] -
7 years, 11 months ago
Ronald (Access42) wrote a new post
To extract the DNS logging from netscaler:syslog you need the following regex:
^s+(?P[^:]+):(?P[^ ]+)(?:[^:n]*:){3}(?P[^#]+)(?:[^/n]*/){8}d+#(?P(?#)[_a-zA-Z0-9.-]+)(./)
You can now put it in the query […]
-
8 years, 1 month ago
Ronald (Access42) wrote a new post
Overview of all medium to critical risks for Win20xxGet an overview of all medium to critical risks for Windows 2008 / 2012: Windows 2008: sourcetype=”tenable:sc:vuln” cpe:/o:microsoft:windows_server_2008 […]
-
8 years, 3 months ago
Ronald (Access42) wrote a new post
This search will give an overview of all SMB shares with unprivilged access.
sourcetype=”tenable:sc:vuln” pluginID=42411 | table ip dnsName pluginText | rename “pluginText” as “Shares enabled” | rename “dnsName” […] -
8 years, 3 months ago
Ronald (Access42) wrote a new post
The query below will give an overview of all certificates about to expire (within 60 days)
sourcetype=”tenable:sc:vuln” synopsis=”The SSL certificate associated with the remote service will expire soon.” | […] -
8 years, 3 months ago
Ronald (Access42) wrote a new post
The query below will give an overview of all hosts running expired certificates:
sourcetype=”tenable:sc:vuln” synopsis=”The remote server’s SSL certificate has already expired.” | dedup ip | chart count by ip -
8 years, 3 months ago
Ronald (Access42) wrote a new post
Get an overview of the 10 most vulnerable systems in your network
sourcetype=”tenable:sc:vuln” baseScore > 3 | dedup cve ip | stats count by ip, riskFactor | sort 10-count | lookup dnslookup clientip as ip | […] -
8 years, 3 months ago
Ronald (Access42) changed their profile picture
-
8 years, 3 months ago
Ronald (Access42) changed their profile picture
-
8 years, 3 months ago
Ronald (Access42)'s profile was updated
-
8 years, 3 months ago
Ronald (Access42) wrote a new post
To see the top of exploitable vulnarabilities from the Tenable Security Center:
sourcetype=”tenable:sc:vuln” exploitAvailable=”yes” | chart count over pluginName by riskFactor
-
8 years, 3 months ago
Ronald (Access42) wrote a new post
Tenable uses the CVSS scoring method for detected vulnerabilities. To have an overall CVSS, use the following query:
sourcetype=”tenable:sc:vuln” ip=* |stats mean(baseScore) as base | eval base = round(base,2) -
8 years, 3 months ago
Ronald (Access42) wrote a new post
Having Tenable Security Center connected via the splunk plugin, this search gives an overview of all vulnerabilties, summarized by severity.
sourcetype=”tenable:sc:vuln” severity.name=* | chart count over […] -
8 years, 3 months ago
rkingma became a registered member
-
8 years, 3 months ago
Ronald (Access42) became a registered member
Hey @rkingma
it’s not detecting SQLi.