This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to Detect Web Scrapers and Crawlers

RSAAdmin
Beginner
Beginner

‎2012-08-28 01:02 PM

We had a customer come to us asking to see if we could detect when an attacker tried to take a mirror of their webserver or detect when someone was running a web-based vulnerability scan against their webserver in the monitored environment.  We don't publish native content for this because the solution requires customization for the customer environment.  But it is pretty easy to do.

 

  • Step 1:  Create a decoder rule called 'site-crawl attempt' where "query count 50-u"
  • Step 2:  Customize for your environment.  The problem is that this needs to be defined in a specific direction.  Outbound connections to google maps, for instance, will fire this easily.  If you are worried about a single web server, the rule should be:
    • ip.dst=xxx.xxx.xxx.xxx && query count 50-u

Or if it is against a cluster of webservers you can use the alias host.  Ive even had one customer that used

    • org.dst=themselves && query count 50-u 

and it works just fine.

  • Step 3:  Once you get the Investigator rule in place and validated that it is working (you might have to fiddle with the value of 50- higher or lower depending on the type of server), create an informer report.  The report should look for the user agent strings of the inbound connections that are running heavy queries.

In the query field you look for 'client'

In the where field you look for alert='site-crawl attempt'

The results will show you all of the normal bots and crawlers like google and yandex and yahoo in addition to targeted vulnerability scanning attempts.  You can even chart this out in an Informer graph.  Ive done exactly this many times in the field.

Another good use of this Investigator and Informer rule is to look for inbound web queries that have errors published in the error index. In this case, the Informer report would look for 'error'

In the where field you look for alert='site-crawl attempt' && error begins '4'

This will show you all of the 404 errors, which typically show up in a nessus scan or similar.

If you look for errors beginning '2' you will see successful queries that found an object.

0 Likes
1 REPLY 1

RSAAdmin
Beginner
Beginner

‎2012-08-28 01:34 PM

The same concept can be used to detect abuse of SQL servers too.  In that case it would be "sql count 50-u" to detect when someone retrieves masses of data from a database.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.