Known Malicious Host

Once a malicious host and port are known, a query can be used against Sophos Linux Sensor's data to identify any hosts that have connected to the known malicious host. The list of hosts should be investigated further to determine the extent of the damage.

Required Tables

  • sensors
  • process_events
  • connections

Input Fields

The suspicious IP and port should replace the <KNOWN IP> and <KNOWN PORT> text in the query.

Returned Fields

Field      Description
hostname   Hostname of the servers connecting to a known bad address

Query

SELECT
    sensors.hostname
FROM connections
LEFT JOIN process_events USING(process_uuid)
LEFT JOIN sensors USING(sensor_id)
WHERE dst_addr = '<KNOWN IP>' AND dst_port = <KNOWN PORT>
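The following is an added example, not part of the Sophos page and not Sophos code: it builds a minimal in-memory stand-in for the three tables the query touches (only the columns the query uses are modelled; the schema and all sample rows, including the documentation-range addresses, are constructed assumptions), runs the page's query with bound parameters instead of pasting the IP and port into the SQL text, and separates attributed hostnames from connections the LEFT JOINs could not tie back to a sensor, which come out as NULL rather than being dropped.

```python
import sqlite3

# Constructed sample data standing in for the Sophos Linux Sensor tables named
# on the page. Only the columns the query references are modelled here.
SENSORS = [
    ("s1", "web-01"),
    ("s2", "db-01"),
    ("s3", "build-01"),
]
PROCESS_EVENTS = [
    ("p-web-curl", "s1"),
    ("p-db-nc", "s2"),
    ("p-build-git", "s3"),
]
CONNECTIONS = [
    ("p-web-curl", "203.0.113.10", 4444),   # matches the known-bad IP:port
    ("p-db-nc", "203.0.113.10", 4444),      # second host reaching the same pair
    ("p-db-nc", "203.0.113.10", 443),       # same IP, different port: no match
    ("p-build-git", "198.51.100.7", 4444),  # same port, different IP: no match
    ("p-web-curl", "203.0.113.10", 4444),   # repeat connection from web-01
    ("p-orphan", "203.0.113.10", 4444),     # no process_events row: hostname NULL
]

# The page's query, with the <KNOWN IP> / <KNOWN PORT> placeholders replaced by
# bind parameters so the values are never interpolated into the SQL text.
QUERY = """
SELECT
    sensors.hostname
FROM connections
LEFT JOIN process_events USING(process_uuid)
LEFT JOIN sensors USING(sensor_id)
WHERE dst_addr = ? AND dst_port = ?
"""


def build_db():
    """Create the three tables in memory and load the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sensors (sensor_id TEXT PRIMARY KEY, hostname TEXT);
        CREATE TABLE process_events (process_uuid TEXT PRIMARY KEY, sensor_id TEXT);
        CREATE TABLE connections (process_uuid TEXT, dst_addr TEXT, dst_port INTEGER);
    """)
    con.executemany("INSERT INTO sensors VALUES (?, ?)", SENSORS)
    con.executemany("INSERT INTO process_events VALUES (?, ?)", PROCESS_EVENTS)
    con.executemany("INSERT INTO connections VALUES (?, ?, ?)", CONNECTIONS)
    con.commit()
    return con


def hosts_that_connected(con, known_ip, known_port):
    """Return (sorted unique hostnames, number of unattributed connections).

    Because both joins are LEFT JOINs, a connection whose process has no
    process_events row (or whose sensor row is missing) still appears, with a
    NULL hostname. Those rows are counted separately so they are not silently
    lost during an investigation.
    """
    rows = con.execute(QUERY, (known_ip, known_port)).fetchall()
    hosts = sorted({hostname for (hostname,) in rows if hostname is not None})
    unattributed = sum(1 for (hostname,) in rows if hostname is None)
    return hosts, unattributed


if __name__ == "__main__":
    db = build_db()
    found, missing = hosts_that_connected(db, "203.0.113.10", 4444)
    print("hosts to investigate:", found)
    print("connections with no resolvable hostname:", missing)
```

Binding the IP and port as parameters is the safer way to fill in the placeholders when the values come from a ticket, a feed or another tool; the count of unattributed rows is the check to run before treating the hostname list as complete.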