Splunk Search to Weed Out Low Hanging Fruit and Out-Of-The-Box Pentest

splunk_suspicious_user_agent.md

Draft rule for a Splunk Search

Suspicious User Agents

You will not detect APTs with this but you will weed out low hanging fruit and not too savvy pentesters :)

user_agent IN ("burp" "burpcollaborator.net" "qualys" "nexpose" "OpenVAS" "Nikto" "Meterpreter" "IceWeasel" "DirB" "Comodo" "Tripwire" "Retina" "MBSA" "ImmuniWeb" "Netsparker" "Acunetix" "Intruder" "WinHttp.WinHttpRequest" "nmap" "CVE" "base64" "eval" "ftp" "/script" "javascript" "alert" ) NOT (user_agent="google") | eval detection_description=if(like(user_agent,"%WinHttpRequest%"),"CScript or VBScript Call",detection_description) | eval detection_description=if(like(user_agent,"%Iceweasel%"),"Potentially Kali",detection_description) | eval detection_description=if(like(user_agent,"%Meterpreter%"),"Meterpreter",detection_description) | eval detection_description=if(like(user_agent,"%Nikto%"),"Nikto Scanning",detection_description) | eval detection_description=if(like(user_agent,"%dirb%"),"Dirbuster Scanning",detection_description) | eval detection_description=if(like(user_agent,"%burp%"),"BurpSuite Scanning",detection_description) | eval detection_description=if(like(user_agent,"%qualys%"),"Qualys Scanning",detection_description) | eval detection_description=if(like(user_agent,"%Comodo%"),"Comodo Scanning",detection_description) | eval detection_description=if(like(user_agent,"%Tripwire%"),"Tripwire Scanning",detection_description) | eval detection_description=if(like(user_agent,"%Retina%"),"Retina Scanning",detection_description) | eval detection_description=if(like(user_agent,"%MBSA%"),"Microsoft Baseline Security Analyzer",detection_description) | eval detection_description=if(like(user_agent,"%nmap%"),"NMAP Engine Scan",detection_description) | eval detection_description=if(like(user_agent,"%OpenVAS%"),"OpenVAS Scanning",detection_description) | eval detection_description=if(like(user_agent,"%CVE%"),"CVE Scan",detection_description) | eval detection_description=if(like(user_agent,"%/script%"),"Cross Site Scripting Attempt",detection_description) | eval detection_description=if(like(user_agent,"%alert%"),"Cross Site Scripting Attempt",detection_description) | eval detection_description=if(like(user_agent,"%javascript%"),"Cross Site Scripting Attempt",detection_description) | eval detection_description=if(like(user_agent,"%base64%"),"Potential SQL Injection",detection_description) | eval detection_description=if(like(user_agent,"%eval%"),"Potential SQL Injection",detection_description) | eval detection_description=if(like(user_agent,"%ftp%"),"Attempt at data Exfiltration",detection_description) | table _time, user_agent, detection_description

updated thanks to @ateixei to improve readability by using "IN" in Splunk query