Kubernetes Nginx Ingress RFI
Description
This search uses the Kubernetes logs from an nginx ingress controller to detect remote file inclusion attacks.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-08-23
- Author: Patrick Bareiss, Splunk
- ID: fc5531ae-62fd-4de6-9c36-b4afdae8ca95
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 13
CVE
Search
`kubernetes_container_controller`
| rex field=_raw "^(?<remote_addr>\S+)\s+-\s+-\s+\[(?<time_local>[^\]]*)\]\s\"(?<request>[^\"]*)\"\s(?<status>\S*)\s(?<body_bytes_sent>\S*)\s\"(?<http_referer>[^\"]*)\"\s\"(?<http_user_agent>[^\"]*)\"\s(?<request_length>\S*)\s(?<request_time>\S*)\s\[(?<proxy_upstream_name>[^\]]*)\]\s\[(?<proxy_alternative_upstream_name>[^\]]*)\]\s(?<upstream_addr>\S*)\s(?<upstream_response_length>\S*)\s(?<upstream_response_time>\S*)\s(?<upstream_status>\S*)\s(?<req_id>\S*)"
| rex field=request "^(?<http_method>\S+)?\s(?<url>\S+)\s"
| rex field=url "(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| search dest_ip=*
| rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy
| eval phase="operate"
| eval severity="medium"
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip, dest_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `kubernetes_nginx_ingress_rfi_filter`
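As an added illustration (not code from the Splunk Security Content project), the three `rex` stages, the `search dest_ip=*` filter and the `stats ... by` aggregation of the search above ported to Python and run over constructed ingress-nginx access log lines; the sample lines, addresses and request IDs are made up, and the field names follow the search.

```python
import re
from collections import Counter

# Port of the three `rex` stages in the search above (Python named groups).
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+)\s+-\s+-\s+\[(?P<time_local>[^\]]*)\]\s"(?P<request>[^"]*)"\s'
    r'(?P<status>\S*)\s(?P<body_bytes_sent>\S*)\s"(?P<http_referer>[^"]*)"\s'
    r'"(?P<http_user_agent>[^"]*)"\s(?P<request_length>\S*)\s(?P<request_time>\S*)\s'
    r'\[(?P<proxy_upstream_name>[^\]]*)\]\s\[(?P<proxy_alternative_upstream_name>[^\]]*)\]\s'
    r'(?P<upstream_addr>\S*)\s(?P<upstream_response_length>\S*)\s'
    r'(?P<upstream_response_time>\S*)\s(?P<upstream_status>\S*)\s(?P<req_id>\S*)')
REQUEST_RE = re.compile(r'^(?P<http_method>\S+)?\s(?P<url>\S+)\s')
DEST_IP_RE = re.compile(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')

# Constructed sample log lines (not real traffic): one RFI attempt whose URL parameter
# points at an IP-hosted file, one benign request, one controller log line to be skipped.
SAMPLE_LOGS = [
    '203.0.113.5 - - [23/Aug/2021:10:15:32 +0000] "GET /index.php?page=http://198.51.100.9/shell.txt HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" 312 0.004 [default-web-80] [] 10.244.1.7:80 512 0.003 200 a1b2c3',
    '203.0.113.8 - - [23/Aug/2021:10:16:01 +0000] "GET /about HTTP/1.1" '
    '200 1024 "-" "curl/7.68.0" 120 0.002 [default-web-80] [] 10.244.1.7:80 1024 0.002 200 d4e5f6',
    'I0823 10:16:05.000000 1 controller.go:145] "Configuration changes detected, backend reload required"',
]

def parse_line(line):
    """Fields for an event that survives `| search dest_ip=*` (with the search's renames), else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    req = REQUEST_RE.match(event["request"])
    if not req:
        return None
    event.update(req.groupdict())
    ip = DEST_IP_RE.search(event["url"])
    if not ip:
        return None                      # no IP literal in the URL: dropped by `search dest_ip=*`
    event["dest_ip"] = ip.group(0)
    event["src_ip"] = event["remote_addr"]          # rename remote_addr AS src_ip
    event["status"] = event["upstream_status"]      # rename upstream_status AS status
    return event

def detect_rfi(lines):
    """Aggregate like the search's `stats count ... by`; each key is one row an analyst triages."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[(ev["src_ip"], ev["dest_ip"], ev["status"], ev["url"], ev["http_method"])] += 1
    return counts
```

Note that the dest_ip pattern matches any dotted quad in the URL, including cluster-internal addresses or version-like path segments, which is the false-positive surface the filter macro exists to tune.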
Macros
The SPL above uses the following Macros:
kubernetes_nginx_ingress_rfi_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _raw
How To Implement
You must ingest Kubernetes logs through Splunk Connect for Kubernetes.
Known False Positives
unknown
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
49.0 | 70 | 70 | Remote File Inclusion Attack detected on $host$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Reference
- https://github.com/splunk/splunk-connect-for-kubernetes
- https://www.invicti.com/blog/web-security/remote-file-inclusion-vulnerability/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range