Firewall Archives -

F5 SL ASM iRule Parser for Hosted Deployments

sourcetype=f5:silverline:asm irule=* vs_ip=*
| rex "(?<log>.*)"
| eval log_stripped = replace(log, "\\\\","")
| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="
| spath input=data_section

sourcetype=f5:silverline:asm irule=* vs_ip=*

| rex "(?<log>.*)"

| eval log_stripped = replace(log, "\\\\","")

| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="

| spath input=data_section

Continue Reading →

Search All Traffic by src / action – Creates Table

This is a magical query for tracking down all internal resources connecting to or from external IPs and Countries

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"
| iplocation src 
| search Country=*
| table Country, src, action, bytes_out, packets_out 
| dedup src
| sort Country

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"

| iplocation src

| search Country=*

| table Country, src, action, bytes_out, packets_out

| dedup src

| sort Country

Continue Reading →

Track Remediation Progress by OS – Qualys

The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type: OS & Device Agnostic

eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID

1	eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d \| dedup HOST_ID, QID \| stats count by QID

Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^((?!\/).)Linux((?!\/).)$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="(F5 Networks Big-IP)\|(^Cisco((?!\/).)*$)\|(Firewall)" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^Windows (2000$\|XP\|7\|8)((?!\/).)*$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^Windows .Server((?!\/).)$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

I take no credit for this. These queries were discovered […]

Continue Reading →

Top 25 Most Vulnerable Systems by OS – Qualys

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type: Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^((?!\/).)Linux((?!\/).)$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="(F5 Networks Big-IP)\|(^Cisco((?!\/).)*$)\|(Firewall)" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^Windows (2000$\|XP\|7\|8)((?!\/).)*$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 \| regex OS="^Windows .Server((?!\/).)$" \|dedup QID IP\| stats count by IP \| sort -count \| head 25

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device Type: Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" \| regex OS="^((?!\/).)Linux((?!\/).)$" \| dedup HOST_ID QID \| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE \| stats count by QID, TITLE, SEVERITY \| sort 25 –count

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" \| regex OS="(F5 Networks Big-IP)\|(^Cisco((?!\/).)*$)\|(Firewall)" \| dedup HOST_ID QID \| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE \| stats count by QID, TITLE, SEVERITY \| sort 25 –count

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" \| regex OS="^Windows (2000$\|XP\|7\|8)((?!\/).)*$" \| dedup HOST_ID QID \| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE \| stats count by QID, TITLE, SEVERITY \| sort 25 –count

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" \| regex OS="^Windows .Server((?!\/).)$" \| dedup HOST_ID QID \| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE \| stats count by QID, TITLE, SEVERITY \| sort 25 –count

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

Tag: Firewall

F5 SL ASM iRule Parser for Hosted Deployments

Search All Traffic by src / action – Creates Table

Track Remediation Progress by OS – Qualys

Top 25 Most Vulnerable Systems by OS – Qualys

Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys