Known Malicious Host
Once a malicious host and port are known, a query can be used against Sophos Linux Sensor's data to identify any hosts that have connected to the known malicious host. The list of hosts should be investigated further to determine the extent of the damage.
The suspicious IP and port should replace the `<KNOWN IP>` and `<KNOWN PORT>` text in the query.
| Column | Description |
|---|---|
| hostname | Hostname of the servers connecting to a known bad address |
```sql
SELECT sensors.hostname
FROM connections
LEFT JOIN process_events USING (process_uuid)
LEFT JOIN sensors USING (sensor_id)
WHERE dst_addr = '<KNOWN IP>' AND dst_port = <KNOWN PORT>
```
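To show what the query returns on real-looking data, here is an added example (not code from the page or from Sophos) that builds the three tables in an in-memory SQLite database, loads constructed sample rows, and runs the page's query with the `<KNOWN IP>`/`<KNOWN PORT>` placeholders bound as parameters. Only the columns the query itself touches (`hostname`, `sensor_id`, `process_uuid`, `dst_addr`, `dst_port`) are known from the page; the table layouts, the extra `program_name` column, the sample hosts and the 203.0.113.10:4444 indicator are all assumptions made for the example. It also adds a grouped variant that returns each host once with its connection count, since the page's query yields one row per connection.

```python
import sqlite3

# Constructed schema: the column names used by the page's query are real; the
# rest of each table's layout is an assumption for this example.
SCHEMA = """
CREATE TABLE sensors (sensor_id TEXT PRIMARY KEY, hostname TEXT NOT NULL);
CREATE TABLE process_events (process_uuid TEXT PRIMARY KEY, sensor_id TEXT NOT NULL, program_name TEXT);
CREATE TABLE connections (process_uuid TEXT NOT NULL, dst_addr TEXT NOT NULL, dst_port INTEGER NOT NULL);
"""

# Constructed sample data (not sensor output). 203.0.113.10 is a documentation
# address standing in for the known malicious host.
SAMPLE_ROWS = {
    "sensors": [("s-1", "web-01"), ("s-2", "db-01"), ("s-3", "build-01")],
    "process_events": [
        ("p-1", "s-1", "curl"),
        ("p-2", "s-2", "python3"),
        ("p-3", "s-3", "apt"),
    ],
    "connections": [
        ("p-1", "203.0.113.10", 4444),  # web-01 -> known bad host/port
        ("p-1", "203.0.113.10", 4444),  # web-01 again, second connection
        ("p-2", "203.0.113.10", 4444),  # db-01 -> known bad host/port
        ("p-2", "203.0.113.10", 443),   # same IP, other port: not matched
        ("p-3", "198.51.100.7", 80),    # unrelated destination
    ],
}

# The page's query with the placeholders replaced by bound parameters, so the
# indicator value is never spliced into the SQL text.
PAGE_QUERY = """
SELECT sensors.hostname
FROM connections
LEFT JOIN process_events USING (process_uuid)
LEFT JOIN sensors USING (sensor_id)
WHERE dst_addr = ? AND dst_port = ?
"""

# Added variant: one row per host with a connection count, which gives the
# investigator a natural triage order. Not from the page.
SUMMARY_QUERY = """
SELECT sensors.hostname, COUNT(*) AS connection_count
FROM connections
LEFT JOIN process_events USING (process_uuid)
LEFT JOIN sensors USING (sensor_id)
WHERE dst_addr = ? AND dst_port = ?
GROUP BY sensors.hostname
ORDER BY connection_count DESC, sensors.hostname
"""


def build_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensors VALUES (?, ?)", SAMPLE_ROWS["sensors"])
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?)", SAMPLE_ROWS["process_events"])
    conn.executemany("INSERT INTO connections VALUES (?, ?, ?)", SAMPLE_ROWS["connections"])
    return conn


def hosts_connected_to(conn, known_ip, known_port):
    """Run the page's query as written: one hostname per matching connection."""
    return [row[0] for row in conn.execute(PAGE_QUERY, (known_ip, known_port))]


def host_summary(conn, known_ip, known_port):
    """Distinct hosts with the number of matching connections each made."""
    return conn.execute(SUMMARY_QUERY, (known_ip, known_port)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(hosts_connected_to(db, "203.0.113.10", 4444))
    print(host_summary(db, "203.0.113.10", 4444))
```

Because the page's query matches on both address and port, the db-01 connection to the same IP on port 443 is not returned; if the investigation later shows the host is hostile regardless of port, drop the `dst_port` condition to widen the net.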