[Graylog] A few query conditions


HOST: log.udn.twbbs.org

Query:
Find spyware and malicious software. The NOT Action:deny clause deliberately keeps only threat-log entries the firewall did not block (alert/allow), i.e. the hits that actually got through; the Subtype terms catch the threat categories and the ThreatID terms catch signature names that contain those words:
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND (Subtype:(virus OR spyware OR malware OR vulnerability) OR ThreatID:(Detection OR Vulnerability OR Attempt OR Traffic OR Executable))

Find C&C (command and control) traffic, then pivot on the source IP, i.e. the compromised client being controlled. The phrase must be in straight double quotes so Graylog treats it as a phrase query rather than four separate terms:
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND "Command and Control Traffic"

Events whose repeat count within the log interval is abnormally high (Graylog's numeric range syntax is field:>=N or field:[N TO *]; a trailing ~ is fuzzy matching and does not express a range):
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND RepeatCount:>=120
e.g. non-mail services with a repeat count greater than 1 (mail protocols and incomplete sessions legitimately retry, so they are excluded):
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND NOT Application:(smtp OR pop3 OR imap OR incomplete) AND RepeatCount:>=2

Find visits to adult websites (URL-filtering category, again only those that were not denied):
HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2) AND NOT Action:deny AND Category:adult
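The five queries share one prefix (the two NGFW hostnames and NOT Action:deny) and differ only in the trailing condition. The script below is an added example, not code from the original post or from Graylog: it re-implements each query as a predicate over constructed Palo Alto-style log records so the filter logic can be sanity-checked offline before it becomes a saved search or an alert. The field names follow the queries; the Record class, the helper names and the SAMPLE records are assumptions made for this example, and the C&C phrase is assumed to live in the ThreatID field.

```python
# Added example (not from the original post): offline equivalents of the
# Graylog queries above, evaluated over constructed NGFW log records.
# Field names follow the queries; Record, the helper names and SAMPLE are
# assumptions made for this example.
from __future__ import annotations

import re
from dataclasses import dataclass

NGFW_HOSTS = {"NGFW-5050-1", "NGFW-5050-2"}   # HOSTNAME:(NGFW\-5050\-1 OR NGFW\-5050\-2)
THREAT_SUBTYPES = {"virus", "spyware", "malware", "vulnerability"}
THREAT_ID_TERMS = {"detection", "vulnerability", "attempt", "traffic", "executable"}
MAIL_APPS = {"smtp", "pop3", "imap", "incomplete"}


@dataclass
class Record:
    hostname: str
    action: str
    subtype: str = ""
    threat_id: str = ""
    repeat_count: int = 1
    application: str = ""
    category: str = ""
    src_ip: str = ""
    dst_ip: str = ""


def _tokens(text: str) -> set[str]:
    # Approximates an analyzed text field: lower-cased word terms, so that
    # ThreatID:Detection matches "Suspicious DNS Query Detection".
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def in_scope(r: Record) -> bool:
    # Common prefix of every query: the two firewalls, and only events the
    # firewall did NOT deny (alert/allow), i.e. traffic that actually got through.
    return r.hostname in NGFW_HOSTS and r.action.lower() != "deny"


def is_malware_hit(r: Record) -> bool:
    # Subtype:(virus OR spyware OR malware OR vulnerability)
    #   OR ThreatID:(Detection OR Vulnerability OR Attempt OR Traffic OR Executable)
    return in_scope(r) and (
        r.subtype.lower() in THREAT_SUBTYPES
        or bool(_tokens(r.threat_id) & THREAT_ID_TERMS)
    )


def is_c2_hit(r: Record) -> bool:
    # "Command and Control Traffic" is a phrase query (adjacent terms) in
    # Graylog; here the phrase is assumed to appear in ThreatID.
    return in_scope(r) and "command and control traffic" in r.threat_id.lower()


def is_high_repeat(r: Record, threshold: int = 120) -> bool:
    return in_scope(r) and r.repeat_count >= threshold   # RepeatCount:>=120


def is_non_mail_repeat(r: Record, threshold: int = 2) -> bool:
    # NOT Application:(smtp OR pop3 OR imap OR incomplete) AND RepeatCount:>=2
    return (in_scope(r) and r.application.lower() not in MAIL_APPS
            and r.repeat_count >= threshold)


def is_adult_category(r: Record) -> bool:
    return in_scope(r) and r.category.lower() == "adult"   # Category:adult


QUERIES = {
    "malware": is_malware_hit,
    "c2": is_c2_hit,
    "high_repeat": is_high_repeat,
    "non_mail_repeat": is_non_mail_repeat,
    "adult": is_adult_category,
}

# Constructed sample records (not real logs; RFC 1918 / RFC 5737 addresses).
SAMPLE = [
    Record("NGFW-5050-1", "alert", subtype="spyware",
           threat_id="Suspicious DNS Query Detection", repeat_count=3,
           application="dns", src_ip="10.1.1.5", dst_ip="198.51.100.20"),
    Record("NGFW-5050-2", "allow", subtype="spyware",
           threat_id="Command and Control Traffic", repeat_count=150,
           application="ssl", src_ip="10.1.1.7", dst_ip="203.0.113.9"),
    Record("NGFW-5050-1", "deny", subtype="virus",
           threat_id="Trojan Executable Download", repeat_count=1,
           application="web-browsing", src_ip="10.1.1.8"),    # blocked: excluded
    Record("NGFW-5050-2", "allow", repeat_count=40,
           application="smtp", src_ip="10.1.1.20"),           # mail: exempt
    Record("NGFW-9999", "allow", subtype="malware",
           threat_id="Malware Detection", src_ip="10.2.2.2"),  # other firewall
    Record("NGFW-5050-1", "allow", category="adult",
           application="web-browsing", src_ip="10.1.1.9"),
]


def run_all(records: list[Record]) -> dict[str, list[int]]:
    """Indices of the records each query matches, like five saved searches."""
    return {name: [i for i, r in enumerate(records) if pred(r)]
            for name, pred in QUERIES.items()}


def c2_client_ips(records: list[Record]) -> list[str]:
    """Source IPs of C&C hits: the internal clients to isolate and inspect."""
    return sorted({r.src_ip for r in records if is_c2_hit(r)})


if __name__ == "__main__":
    for name, idx in run_all(SAMPLE).items():
        print(f"{name:16s} -> records {idx}")
    print("C&C clients:", c2_client_ips(SAMPLE))
```

Note that the C&C record also matches the malware query, because its ThreatID contains the term Traffic; that is a property of the original query as well, so expect overlap between the two saved searches. One caveat when moving from this script back to Graylog: `Subtype:virus` and `ThreatID:Detection` only behave as token matches if the extractor stored those fields as analyzed text; on a keyword field the query must match the whole value exactly.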
