#Finding the Unknown with HTTP URIs
Purpose: Identify things signatures have not been created for in relation to network traffic behavior.
Data Required: Proxy logs, IDS, web server logs
Analysis Techniques: Stack counting, String matching, tokenization, outlier detection, regex
If you collect your proxy logs in a central location, similar to user agent analysis, you can perform queries against the URI to identify patterns of malicious and suspicious activity leaving the environment. Ingress monitoring (proxy or web server logs) is also key for monitoring attackers performing attempts against web servers using suspicious requests. Similar to creating IDS signatures for detecting suspicious behavior, can perform that against mass amounts of data quickly to identify potential export of identifiable information.
Examples of types of URI's to look for:
- OWASP Top 10
- Credit card strings
- Computer GUID
- Username GUID
- Base64 Encoded
- Encoded with something
- OWASP Top 10, OWASP Project
- Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems, Tsung-Huan Cheng, Ying-Dar Lin, Senior Member, IEEE, Yuan-Cheng Lai, and Po-Ching Lin, Member, IEEE