Rules: Web Request to IP Address

Description

This rule detects HTTP requests sent directly to IP addresses, bypassing DNS. This could indicate an attacker is trying to circumvent detection mechanisms.

Additional Details

Detail	Value
Type	Templated Match
Category	Unknown/Other
Apply Risk to Entities	srcDevice_ip, srcDevice_hostname
Signal Name	Web Request to IP Address
Summary Expression	Web Request to IP: {{dstDevice_ip}}
Score/Severity	Static: 1
Enabled by Default	True
Prototype	False
Tags	_mitreAttackTactic:TA0011, _mitreAttackTechnique:T1071, _mitreAttackTechnique:T1071.001

Vendors and Products

Amazon AWS - Web Application Firewall (WAF)
Bro - Bro
CheckPoint - URL Filtering
Cisco Systems - Meraki
Forcepoint - Web Security
Fortinet - Fortigate
Palo Alto Networks - Next Generation Firewall
Symantec - Proxy Secure Gateway
Symantec - Web Security Service
Zscaler - Nanolog Streaming Service

Fields Used

Origin	Field
Normalized Schema	dstDevice_ip_isInternal
Normalized Schema	http_method
Normalized Schema	http_url
Normalized Schema	listMatches
Normalized Schema	srcDevice_hostname
Normalized Schema	srcDevice_ip
Normalized Schema	srcDevice_ip_isInternal

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

MATCH-S00557.md

MATCH-S00557.md

Rules: Web Request to IP Address

Description

Additional Details

Vendors and Products

Fields Used

Files

MATCH-S00557.md

Latest commit

History

MATCH-S00557.md

File metadata and controls

Rules: Web Request to IP Address

Description

Additional Details

Vendors and Products

Fields Used