SPL
Malware Detection
Description
I'm reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article it's a decent read.
search.goes.here | convert mktime(_time) as epoch | sort 0 uri_host,client_ip,epoch | delta epoch as epoch_delta | search epoch_delta>0 epoch_delta<30 | chart count over epoch_delta by uri_host
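The same beacon-detection logic as the SPL above, as an added Python example that is not from the original post or the linked article; it assumes a constructed proxy log of `timestamp client_ip uri_host` lines, and, unlike Splunk's `delta`, it resets the gap at each host/client boundary instead of relying only on the epoch_delta>0 filter.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample proxy events (not from the original post): timestamp, client_ip, uri_host.
SAMPLE_LOG = """\
2012-12-20T10:00:00 10.0.0.5 beacon.example.test
2012-12-20T10:00:10 10.0.0.5 beacon.example.test
2012-12-20T10:00:20 10.0.0.5 beacon.example.test
2012-12-20T10:00:30 10.0.0.5 beacon.example.test
2012-12-20T10:00:03 10.0.0.7 www.example.org
2012-12-20T10:00:04 10.0.0.7 cdn.example.org
2012-12-20T10:07:00 10.0.0.7 www.example.org
2012-12-20T10:00:40 10.0.0.5 beacon.example.test
"""

def parse_events(text):
    """Parse 'timestamp client_ip uri_host' lines into (epoch, client_ip, uri_host)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, uri_host = line.split()
        epoch = datetime.fromisoformat(ts).timestamp()  # like SPL convert mktime(_time)
        events.append((epoch, client_ip, uri_host))
    return events

def beacon_histogram(events, min_delta=0, max_delta=30):
    """Mirror of the SPL pipeline: sort per (uri_host, client_ip), take the gap to
    the previous request of that pair, keep gaps strictly between min_delta and
    max_delta seconds, count them per host -> {uri_host: Counter({gap: count})}.
    The gap is reset at each pair boundary, which Splunk's `delta` does not do."""
    groups = defaultdict(list)
    for epoch, client_ip, uri_host in events:
        groups[(uri_host, client_ip)].append(epoch)
    hist = defaultdict(Counter)
    for (uri_host, _client_ip), times in groups.items():
        times.sort()
        for prev, cur in zip(times, times[1:]):
            d = int(cur - prev)
            if min_delta < d < max_delta:
                hist[uri_host][d] += 1
    return hist

def likely_beacons(hist, min_repeats=3):
    """Hosts where one exact interval repeats >= min_repeats times: the regularity
    that separates a beacon from ordinary browsing (tune the threshold per site)."""
    return sorted(h for h, c in hist.items() if max(c.values()) >= min_repeats)
```

In the sample, the 10-second cadence to beacon.example.test stands out while the two www.example.org requests, 417 seconds apart, fall outside the window.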
Comments
2 total
What time range would you typically use with this search?
When I posted this I got it here:

https://pleasefeedthegeek.wordpress.com/2012/12/20/detecting-malware-beacons-using-splunk/

Never tested it, but thought it was a pretty interesting idea!