Web logs: requests to ports other than 80 (443 included)
Unusual proxy port usage, but including 443 (very chatty, since every HTTPS CONNECT shows up)
Unusual Ports
sourcetype=whatever request=* (reputation=unverified OR reputation=malicious) category!="Web Ads" category!="Internet Services" | rex field=url "^https?://(?<httphost>[^/:]+)(?::(?<httpport>\d+))?" | fillnull value=80 httpport | search httpport!=80 | eval eventsrc=host_country."/".host_dns | fillnull value=unknown content-type,ua,statuscode | top name, error, httpport
Count of distinct hosts using unusual ports over time
sourcetype=whatever request=* (reputation=unverified OR reputation=malicious) category!="Web Ads" category!="Internet Services" | rex field=url "^https?://(?<httphost>[^/:]+)(?::(?<httpport>\d+))?" | fillnull value=80 httpport | search httpport!=80 | eval eventsrc=host_country."/".host_dns | fillnull value=unknown content-type,ua,statuscode | timechart dc(httphost) by httpport
Unusual proxy events (uncategorised, or reputation is unverified or malicious)
sourcetype=whatever request=* (reputation=unverified OR reputation=malicious OR categoryname=Uncategorized) category!="Web Ads" category!="Internet Services" | rex field=url "^https?://(?<httphost>[^/:]+)(?::(?<httpport>\d+))?" | fillnull value=80 httpport | search httpport!=80 | rex field=_raw " action=\"(?<action>.+?)\" " | eval eventsrc=host_country."/".host_dns | fillnull value=unknown content-type,ua,statuscode | table _time, srcip, dvc_city, method, dest, domain, reputation, categoryname, action, name, httpport, ua, url
sourcetype=whatever stands for whichever sourcetype holds the Squid proxy log; the rex extracts the host and an optional explicit port from the URL, fillnull treats a URL with no port as 80, and search httpport!=80 keeps everything else (so 443 is kept).