Help with log search for outbound network traffic

Have a customer looking to find all outbound network traffic from a server and am looking to see if the Firewall logs in Rapid7 can be of any use.

Is there a certain query to use inside these logs for source IP destination ‘internet’? Sadly they do not have the license for the network flow module so this is what I settled on.

No experience with this system so if I’m way off base please let me know.

Yes you can typically leverage the direction field in firewall logs to show direction OUTBOUND and then filter for the source_address = IP_of_server

where(direction=OUTBOUND AND source_address=192.128.1.10) groupby(connection_status, destination_address) limit(10000)

David
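As an added illustration (not from this thread or from Rapid7's own tooling), here is the same filter-and-group logic run offline in Python over a few constructed firewall-log records, plus a helper that separates external destinations from RFC 1918 and loopback ranges, which is the step needed before any reverse lookup of the "internet" side. Field names mirror the query above; the sample events are invented.

```python
import ipaddress
from collections import Counter

# Constructed sample events shaped like firewall log records (not real data).
SAMPLE_EVENTS = [
    {"direction": "OUTBOUND", "source_address": "192.128.1.10",
     "destination_address": "203.0.113.25", "connection_status": "ALLOW"},
    {"direction": "OUTBOUND", "source_address": "192.128.1.10",
     "destination_address": "203.0.113.25", "connection_status": "ALLOW"},
    {"direction": "OUTBOUND", "source_address": "192.128.1.10",
     "destination_address": "198.51.100.7", "connection_status": "DENY"},
    {"direction": "OUTBOUND", "source_address": "192.128.1.10",
     "destination_address": "10.0.0.5", "connection_status": "ALLOW"},
    {"direction": "INBOUND", "source_address": "198.51.100.9",
     "destination_address": "192.128.1.10", "connection_status": "ALLOW"},
    {"direction": "OUTBOUND", "source_address": "192.128.1.11",
     "destination_address": "203.0.113.25", "connection_status": "ALLOW"},
]

# RFC 1918 plus loopback; anything outside these is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def outbound_by_destination(events, server_ip, limit=10000):
    """Offline equivalent of:
    where(direction=OUTBOUND AND source_address=<server>)
    groupby(connection_status, destination_address) limit(<n>).
    Returns [((connection_status, destination_address), count), ...],
    most frequent first."""
    counts = Counter(
        (e["connection_status"], e["destination_address"])
        for e in events
        if e["direction"] == "OUTBOUND" and e["source_address"] == server_ip
    )
    return counts.most_common(limit)


def external_destinations(groups):
    """Unique destinations from the grouped result that fall outside
    INTERNAL_NETS, i.e. the candidates worth reviewing as internet traffic."""
    return sorted({dst for (_, dst), _ in groups
                   if not any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)})


if __name__ == "__main__":
    groups = outbound_by_destination(SAMPLE_EVENTS, "192.128.1.10")
    for (status, dst), n in groups:
        print(f"{status:6} {dst:16} {n}")
    print("external:", external_destinations(groups))
```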

Thank you. I’ll test this tomorrow.

You could take a look at its DNS queries in the Network Sensor DNS logs in order to check for strange queries…

So the query David gave me works very well. Thanks for the assist.

The DNS queries sound interesting. Is there a way inside R7 to associate the IP to a FQDN (or closest we can get)?

Or is that something that would need to be done in a second step after the external IPs are gathered by the query?

edit: I ran nslookup on each and got little more than nothing. What is the best way to query the DNS logs?

In your DNS Query logs we will attribute IPs to hostnames, provided they are internal. We don’t map public IPs to FQDNs.

Can you give us a dummy example so I know we are talking about the same thing?

David

David,

I think the outbound query you gave me provides the basics.

I did a bit of manipulation on it and I think we have a winner.

Thanks for the assist.
