
Web logs excluding port 80 but including 443

Unusual proxy port usage, but including 443 (very chatty)

Unusual Ports

sourcetype=whatever request=* (reputation=unverified OR reputation=malicious) category!="Web Ads" category!="Internet Services" | rex field=url "https?://(?<httphost>[^/:]+)(?::(?<httpport>\d+))?(?:/|$)" | fillnull value=80 httpport | search httpport!=80 | eval eventsrc=host_country."/".host_dns | fillnull value=unknown content-type,ua,statuscode | top name, error, httpport

Count of hosts using unusual ports over time

sourcetype=whatever request=* (reputation=unverified OR reputation=malicious) category!="Web Ads" category!="Internet Services" | rex field=url "https?://(?<httphost>[^/:]+)(?::(?<httpport>\d+))?(?:/|$)" | fillnull value=80 httpport | search httpport!=80 | eval eventsrc=host_country."/".host_dns | fillnull value=unknown content-type,ua,statuscode | timechart dc(httphost) by httpport

Unusual proxy events (uncategorised, or reputation unverified or malicious)

sourcetype=whatever request=* (reputation=unverified OR reputation=malicious OR categoryname=Uncategorized) category!="Web Ads" category!="Internet Services" | rex field=url "https?://(?<httphost>[^/:]+)(?::(?<httpport>\d+))?(?:/|$)" | fillnull value=80 httpport | search httpport!=80 | rex field=_raw " action=\"(?<action>.+?)\" " | eval eventsrc=host_country."/".host_dns | fillnull value=unknown content-type,ua,statuscode | table _time, srcip, dvc_city, method, dest, domain, reputation, categoryname, action, name, httpport, ua, url

In all of the searches above, sourcetype=whatever is a placeholder for the sourcetype of the Squid proxy log.
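The same filtering and distinct-host-per-port counting that the searches above express in SPL, written in Python as an added example (not code from the original page). The event dicts are constructed sample data, and, going slightly beyond the fillnull value=80 in the searches, a bare https URL defaults to 443 and the Squid CONNECT form host:port (no scheme) is parsed as well.

```python
import re
from collections import defaultdict

# Same shape as the rex in the searches: scheme://host[:port]/...
URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/|$)")
# Squid logs CONNECT tunnels as a bare host:port with no scheme
CONNECT_RE = re.compile(r"^(?P<host>[^/:]+):(?P<port>\d+)$")
DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed sample events; field names mirror those used in the searches
SAMPLE_EVENTS = [
    {"url": "http://203.0.113.5:8080/gate.php", "reputation": "unverified", "category": "Uncategorized"},
    {"url": "http://203.0.113.5:8080/gate.php", "reputation": "malicious", "category": "Uncategorized"},
    {"url": "http://www.example.com/index.html", "reputation": "unverified", "category": "Uncategorized"},
    {"url": "example.net:443", "reputation": "unverified", "category": "Uncategorized"},
    {"url": "http://ads.example.org:8080/x", "reputation": "unverified", "category": "Web Ads"},
    {"url": "https://198.51.100.7:4443/", "reputation": "malicious", "category": "Uncategorized"},
    {"url": "https://good.example.com/", "reputation": "trusted", "category": "Business"},
]

def parse_host_port(url):
    """Return (host, port) for an absolute URL or a CONNECT host:port, else None."""
    m = URL_RE.match(url)
    if m:
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORT[m.group("scheme")]
        return m.group("host"), port
    m = CONNECT_RE.match(url)
    if m:
        return m.group("host"), int(m.group("port"))
    return None

def unusual_ports(events, usual=(80,)):
    """Apply the reputation/category filters and the httpport!=80 test.
    Returns {port: set(hosts)}, the raw material behind dc(httphost) by httpport."""
    by_port = defaultdict(set)
    for ev in events:
        if ev["reputation"] not in ("unverified", "malicious"):
            continue
        if ev["category"] in ("Web Ads", "Internet Services"):
            continue
        parsed = parse_host_port(ev["url"])
        if parsed is None:          # unparseable URL: nothing to pivot on
            continue
        host, port = parsed
        if port in usual:
            continue
        by_port[port].add(host)
    return dict(by_port)

def distinct_hosts_by_port(events):
    """Equivalent of the timechart's dc(httphost) by httpport, without the time axis."""
    return {port: len(hosts) for port, hosts in unusual_ports(events).items()}
```

As in the page's note, 443 shows up alongside the genuinely odd ports (8080, 4443 here) and is the chatty one to consider suppressing once it has been reviewed.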