Yesterday I was going about doing my things and suddenly noticed that there were three alerts on my IDS with the signature shown below.
I tried looking at the payload; it was really huge, as shown below.
I tried looking up the IP at http://whois.domaintools.com/91.229.143.59; however, I did not get any information useful to me.
I wanted to clean up the payload shown above to see just the URL, so I used the command shown: grep http tmp.txt | cut -d" " -f1 | grep \' | cut -d\' -f1
Well, fair enough: except for the first one, all the others do seem to be malicious, so I set out searching my Web Proxy logs to see how I had landed on the IP.
One look at the proxy logs and I almost felt like an amnesia patient getting his/her memories back :-D, because yesterday I was using urlquery.net for an experiment I was performing.
Bottom line: long story short, it really pays to have logging enabled to determine whether an incident is a false positive or not :-)
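As an added example (not code from the original post), the following POSIX shell script wraps the post's grep/cut pipeline as a filter and then performs the proxy-log correlation step: for the first request to the alert IP it prints the same client's preceding request, which is what exposed urlquery.net as the origin in the post. The payload lines, the client addresses and the squid-style log format are constructed; only the alert IP is taken from the post.

```shell
# Added example, not code from the original post. The payload lines and the
# proxy log below are constructed; only the alert IP comes from the post.
ALERT_IP="91.229.143.59"

# The post's pipeline as a filter on stdin: keep lines mentioning http, take the
# first space-separated field, keep fields containing a quote, cut at the quote.
# A URL that is not the first field on its line (the "var u" line below) is
# dropped by this pipeline, so the count it gives is a lower bound.
extract_urls() {
  grep http | cut -d" " -f1 | grep "'" | cut -d"'" -f1
}

# Constructed payload fragment in the shape the pipeline expects.
sample_payload() {
  cat <<'EOF'
http://91.229.143.59/in.php' onload
http://91.229.143.59/x.js' ;
var u = 'http://91.229.143.59/c.php';
nothing to see here
EOF
}

# Constructed squid-style access log: time client status bytes method url.
sample_proxy_log() {
  cat <<'EOF'
1359600000.123 10.0.0.5 TCP_MISS/200 1234 GET http://urlquery.net/report.php
1359600000.987 10.0.0.9 TCP_MISS/200 2048 GET http://example.com/news
1359600001.456 10.0.0.5 TCP_MISS/200 567 GET http://91.229.143.59/in.php
EOF
}

# Number of URLs the pipeline recovers from the sample payload.
count_urls() {
  sample_payload | extract_urls | grep -c .
}

# Correlation step: for the first request to the alert IP, print the same
# client's previous request (per-client history kept in prev[]).
explain_alert() {
  sample_proxy_log | awk -v ip="$1" '
    index($6, "http://" ip "/") == 1 && !done {
      print (($2 in prev) ? prev[$2] : "FIRST_REQUEST_FROM_CLIENT"); done = 1
    }
    { prev[$2] = $6 }
    END { if (!done) print "NO_PROXY_HIT" }'
}

explain_alert "$ALERT_IP"
```

Swap sample_proxy_log for a cat of the real access log and the alert IP from the IDS signature, and the output is the request that led the client to the flagged host.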