3

I have some HTTP logs where I see the hacker changing his IP every request, and occasionally changing his user agent.

Is there a way to detect this automatically? Perhaps a snort rule? or any other way?

user77568

  • If the request shows some specific pattern (like the same invalid URL) then you can design the rule matching this pattern. However, if there is no such pattern (and chances are that there is none, since you mention that he takes the precaution to change both IP address and user agent) then I fear there won't be any reliable way to distinguish the hacker's requests from legitimate ones. – WhiteWinterWolf May 29 '15 at 14:34
  • He's accessing legitimate pages. Let's say he visits page test.html from one IP, sessionID=1234 and Chrome, then in the next second, he comes back with a different IP, sessionID=1234 from the same user agent. Is there a way to say, if the session has a different user agent or IP, flag it? – user77568 May 29 '15 at 14:36
  • TOR can display this behaviour. A valid user rotates their IP during the same session. – schroeder May 29 '15 at 18:08

1 Answer

2

A lot of websites tie the session ID to the IP address, so a session ID that is valid for one IP address will be considered invalid if presented by another IP address.

A more permissive approach might be, instead of blocking such accesses, to simply log them and, if needed, send a warning to the appropriate persons.

Be aware that some privacy protection tools rotate the IP address used (automatically switching from one proxy to another every n seconds, for instance) and masquerade the browser's user agent while keeping cookies and session information to allow normal browsing. Such a tool will produce exactly the behavior you describe while not necessarily being used with any malicious intentions.

The measure indicated in the first paragraph will prevent people using such a tool from accessing your services. It's up to you, depending on your policy, to decide what attitude to adopt under such circumstances: block, warn, or simply log.

WhiteWinterWolf
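As an added example (not part of the answer above, and not code from any particular product), the following script replays HTTP log lines and applies the three attitudes the answer lists: "block" keeps a session bound to the IP and user agent it was first seen with, while "warn" and "log" let the session continue and only record each change. The log format is an assumption: most web servers do not log the session cookie by default, so in practice you would first configure the access log to include it. The sample lines are constructed and use documentation IP ranges.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines. The format is an assumption: client IP, the
# session cookie value, the request line and the User-Agent header.
SAMPLE_LOG = """\
203.0.113.10 sid=1234 "GET /test.html" "Mozilla/5.0 (X11; Linux) Chrome/43.0"
203.0.113.77 sid=1234 "GET /test.html" "Mozilla/5.0 (X11; Linux) Chrome/43.0"
203.0.113.77 sid=1234 "GET /about.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"
198.51.100.5 sid=9999 "GET /index.html" "Mozilla/5.0 (Macintosh) Safari/600"
198.51.100.5 sid=9999 "GET /test.html" "Mozilla/5.0 (Macintosh) Safari/600"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) sid=(?P<sid>\S+) "(?P<req>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The three attitudes from the answer: reject the request, alert someone, or just record it.
POLICIES = ("block", "warn", "log")


@dataclass
class SessionState:
    """Last values seen for a session, plus counters of how often they moved."""
    ip: str
    ua: str
    ip_changes: int = 0
    ua_changes: int = 0


def parse_line(line):
    """Return a dict with ip/sid/req/ua, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def anomalies(state, ip, ua):
    """Tags describing how this request differs from the session's stored values."""
    tags = []
    if ip != state.ip:
        tags.append("ip_change")
    if ua != state.ua:
        tags.append("ua_change")
    return tags


def decide(tags, policy):
    """Map anomaly tags to an action under the chosen policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if not tags:
        return "allow"
    return policy


def analyze(log_text, policy="log"):
    """Replay the log; return (events, sessions).

    events: list of (line number, session id, anomaly tags, action)
    sessions: session id -> SessionState
    """
    sessions = {}
    events = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the replay
        sid, ip, ua = rec["sid"], rec["ip"], rec["ua"]
        state = sessions.get(sid)
        if state is None:
            # First sighting of this session: bind it to the current IP and UA.
            sessions[sid] = SessionState(ip=ip, ua=ua)
            events.append((lineno, sid, [], "allow"))
            continue
        tags = anomalies(state, ip, ua)
        action = decide(tags, policy)
        state.ip_changes += int("ip_change" in tags)
        state.ua_changes += int("ua_change" in tags)
        if action != "block":
            # Under "log"/"warn" the session survives, so track the new values;
            # under "block" it stays bound to the IP and UA it was created with.
            state.ip, state.ua = ip, ua
        events.append((lineno, sid, tags, action))
    return events, sessions


def flagged_sessions(sessions):
    """Session IDs that changed IP or user agent at least once, sorted."""
    return sorted(s for s, st in sessions.items() if st.ip_changes or st.ua_changes)


if __name__ == "__main__":
    for policy in POLICIES:
        events, sessions = analyze(SAMPLE_LOG, policy)
        print(f"policy={policy}  flagged={flagged_sessions(sessions)}")
        for lineno, sid, tags, action in events:
            if tags:
                print(f"  line {lineno} sid={sid} {','.join(tags)} -> {action}")
```

Run as-is it replays the constructed log under each policy: session 1234 is flagged once for the IP change and once for the user-agent change under "log" or "warn", whereas under "block" the second and third requests are both rejected because the session remains bound to its original IP. Keeping the per-session counters separate from the action lets you apply the answer's caveat: an IP that rotates on its own is consistent with a privacy tool, so a site might choose to only log IP changes and reserve warnings for the rarer user-agent change.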