Analysis

We detected different attacks against our web servers:

  1. Automated scan for a specific online shop product
  2. Automated scan for a Roundcube installation
  3. Brute-force attack against the Tomcat Manager

Using Splunk, it is easy to see when the logs were indexed and to separate real attacks from false positives (for example GoogleBot, or a browser requesting the favicon).

Splunk gave us the following results, including the false positives:

Changing the search query is straightforward. Because Splunk indexed all logs, it offers a type-ahead feature of all keywords detected in the logs.

On our logs we used the following search query over the last 7 days: sourcetype="Modsec_audit" AND NOT /app AND NOT /favicon AND NOT /scripts AND NOT /robots.txt

This gave the following Splunk graph. The green bars indicate the attacks on each day.
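As an added illustration that is not part of the original analysis, the Python below approximates what the Splunk query does: it parses ModSecurity audit-log entries, drops those whose request line contains one of the excluded terms (/app, /favicon, /scripts, /robots.txt), and counts the rest per day, which is the series the green bars plot. The sample entries and their unique ids are constructed, and treating the NOT clauses as substring exclusions on the request line is an approximation of Splunk's keyword matching.

```python
import re
from collections import Counter

# Exclusions mirroring the NOT clauses in the Splunk query above.
EXCLUDED_TERMS = ("/app", "/favicon", "/scripts", "/robots.txt")

# Constructed sample entries (not from the original page) in ModSecurity's serial
# audit-log layout: section A carries the timestamp, section B the request line.
SAMPLE_AUDIT_LOG = """\
--2f9c1a-A--
[05/Jan/2014:10:12:33 +0100] UsjYwQoAAQEAAB7vBi8AAAAD 203.0.113.5 51234 198.51.100.7 443
--2f9c1a-B--
GET /favicon.ico HTTP/1.1
--2f9c1a-Z--
--2f9c1b-A--
[05/Jan/2014:10:13:02 +0100] UsjY2AoAAQEAAB7vBi9AAAAE 203.0.113.9 51300 198.51.100.7 443
--2f9c1b-B--
GET /roundcube/ HTTP/1.1
--2f9c1b-Z--
--2f9c1c-A--
[05/Jan/2014:22:40:11 +0100] UsjZAAoAAQEAAB7vBjAAAAAF 203.0.113.9 51311 198.51.100.7 443
--2f9c1c-B--
POST /manager/html HTTP/1.1
--2f9c1c-Z--
--2f9c1d-A--
[06/Jan/2014:03:05:45 +0100] UsjaQAoAAQEAAB7vBjEAAAAG 203.0.113.5 51400 198.51.100.7 443
--2f9c1d-B--
GET /robots.txt HTTP/1.1
--2f9c1d-Z--
"""

# One entry: section A boundary, its timestamp line, then the first line of section B.
ENTRY = re.compile(
    r"^--(?P<id>[0-9a-f]+)-A--\n\[(?P<day>\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\][^\n]*\n"
    r"--(?P=id)-B--\n(?P<request>[^\n]*)",
    re.MULTILINE,
)

def parse_entries(text):
    """Return (day, request_line) per entry: day from section A, request line from B."""
    return [(m.group("day"), m.group("request")) for m in ENTRY.finditer(text)]

def attacks_per_day(text, excluded=EXCLUDED_TERMS):
    """Count the entries left per day after dropping the false-positive paths."""
    counts = Counter()
    for day, request_line in parse_entries(text):
        if not any(term in request_line for term in excluded):
            counts[day] += 1
    return dict(counts)
```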