Known Malicious Host
Once a malicious IP address and port are known (for example, a command-and-control server named in an incident report or threat intelligence feed), the query below can be run against Sophos Linux Sensor's data to identify every monitored host that has connected to that address and port. Each host returned should be investigated further to determine the extent of the compromise.
Required Tables
- sensors
- process_events
- connections
Input Fields
Replace the `<KNOWN IP>` and `<KNOWN PORT>` placeholders in the query with the suspicious IP address and port. The IP address is a string and must stay quoted; the port is a number and is not quoted.
Returned Fields
| Field | Description |
|---|---|
| hostname | Hostname of each sensor (monitored host) that connected to the known bad address and port |
Query
```sql
-- DISTINCT collapses repeated connections from the same host into one row.
-- The LEFT JOINs keep connection rows whose process cannot be matched to a
-- sensor; those rows come back with a NULL hostname and point to a gap in
-- the telemetry rather than a clean host, so do not discard them.
SELECT DISTINCT
  sensors.hostname
FROM connections
LEFT JOIN process_events USING(process_uuid)
LEFT JOIN sensors USING(sensor_id)
WHERE dst_addr = '<KNOWN IP>' AND dst_port = <KNOWN PORT>
```
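The following is an added, self-contained example and not part of the Sophos documentation or product. It runs the query above against a small in-memory SQLite stand-in for the `sensors`, `process_events` and `connections` tables, populated with constructed rows, to show three things a practitioner should expect in practice: that the known IP and port are bound as query parameters rather than pasted into the SQL text (IOC values copied from a threat feed should never be concatenated into a query), that `DISTINCT` collapses a host with several matching connections into a single row, and that a connection whose `process_uuid` has no `process_events` row surfaces as a `NULL` hostname because of the `LEFT JOIN`. The `process_name` column and the sensor and process identifiers are assumptions of this example; only `sensor_id`, `hostname`, `process_uuid`, `dst_addr` and `dst_port` come from the page's query.

```python
from __future__ import annotations

import sqlite3
from typing import Optional

# Constructed stand-in schema. Column names other than those used by the
# page's query (sensor_id, hostname, process_uuid, dst_addr, dst_port) are
# assumptions for this example, not the sensor's real schema.
SCHEMA = """
CREATE TABLE sensors (
    sensor_id TEXT PRIMARY KEY,
    hostname  TEXT NOT NULL
);
CREATE TABLE process_events (
    process_uuid TEXT PRIMARY KEY,
    sensor_id    TEXT NOT NULL,
    process_name TEXT               -- assumed column
);
CREATE TABLE connections (
    process_uuid TEXT NOT NULL,
    dst_addr     TEXT NOT NULL,
    dst_port     INTEGER NOT NULL
);
"""

# Constructed sample rows (RFC 5737 documentation addresses).
SAMPLE_ROWS = {
    "sensors": [("s-1", "web-01"), ("s-2", "db-01"), ("s-3", "build-01")],
    "process_events": [
        ("p-100", "s-1", "curl"),
        ("p-101", "s-1", "python3"),
        ("p-200", "s-2", "postgres"),
        ("p-300", "s-3", "wget"),
    ],
    "connections": [
        ("p-100", "203.0.113.10", 4444),  # web-01 reaching the bad host
        ("p-101", "203.0.113.10", 4444),  # web-01 again, a second process
        ("p-200", "198.51.100.7", 5432),  # unrelated traffic
        ("p-300", "203.0.113.10", 8080),  # right host, wrong port
        ("p-999", "203.0.113.10", 4444),  # no matching process_events row
    ],
}

# The page's query with the placeholders replaced by bound parameters.
KNOWN_HOST_QUERY = """
SELECT DISTINCT sensors.hostname
FROM connections
LEFT JOIN process_events USING(process_uuid)
LEFT JOIN sensors USING(sensor_id)
WHERE dst_addr = ? AND dst_port = ?
"""

# A wider variant for the follow-up investigation: which process on which
# host made each matching connection. process_name is an assumed column.
KNOWN_HOST_DETAIL_QUERY = """
SELECT sensors.hostname, process_events.process_name, connections.process_uuid
FROM connections
LEFT JOIN process_events USING(process_uuid)
LEFT JOIN sensors USING(sensor_id)
WHERE dst_addr = ? AND dst_port = ?
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensors VALUES (?, ?)", SAMPLE_ROWS["sensors"])
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?)", SAMPLE_ROWS["process_events"])
    conn.executemany("INSERT INTO connections VALUES (?, ?, ?)", SAMPLE_ROWS["connections"])
    return conn


def hosts_connected_to(conn: sqlite3.Connection, known_ip: str, known_port: int) -> list[Optional[str]]:
    """Return one entry per distinct hostname that connected to the IOC.

    A None entry means a matching connection could not be attributed to a
    sensor (its process_uuid has no process_events row); treat that as a
    telemetry gap to chase, not as a clean result.
    """
    rows = conn.execute(KNOWN_HOST_QUERY, (known_ip, int(known_port))).fetchall()
    return [row[0] for row in rows]


def connection_details(conn: sqlite3.Connection, known_ip: str, known_port: int) -> list[tuple]:
    """Return (hostname, process_name, process_uuid) for every matching connection."""
    return conn.execute(KNOWN_HOST_DETAIL_QUERY, (known_ip, int(known_port))).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print(hosts_connected_to(db, "203.0.113.10", 4444))
    for row in connection_details(db, "203.0.113.10", 4444):
        print(row)
```

With the sample rows, the first query returns `web-01` once (not twice) plus a `None` for the orphaned connection, and the detail query lists the two processes on `web-01` alongside the unattributed `p-999` row; querying port 8080 instead returns only `build-01`.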