Hi everyone:
I found a large number of POST events in my Zabbix in the SIEM system. The following is the log. How do I track the cause of the event?
==========================================================================
2019 Nov 28 10:49:54 (Zabbix IP) Zabbix IP->/var/log/httpd/access_log
Rule: 31533 (level 10) -> 'High amount of POST requests in a small period of time (likely bot).'
Client A IP - - [28/Nov/2019:10:49:52 +0800] "POST /zabbix/zabbix.php?sid=c912fd71a976af0f&action=widget.svggraph.view HTTP/1.1" 200 27611 "http://Zabbix IP/zabbix/zabbix.php?action=dashboard.view&dashboardid=13" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
2019 Nov 28 10:50:06 (Zabbix IP) Zabbix IP->/var/log/httpd/access_log
Rule: 31533 (level 10) -> 'High amount of POST requests in a small period of time (likely bot).'
Client B IP - - [28/Nov/2019:10:50:05 +0800] "POST /zabbix/zabbix.php?action=notifications.get&sid=7b1ea5d2c41f7557&output=ajax HTTP/1.1" 200 424 "http://Zabbix IP/zabbix/zabbix.php?action=dashboard.view&dashboardid=8" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
2019 Nov 28 10:50:28 (Zabbix IP) Zabbix IP->/var/log/httpd/access_log
Rule: 31533 (level 10) -> 'High amount of POST requests in a small period of time (likely bot).'
Client C IP - - [28/Nov/2019:10:50:27 +0800] "POST /zabbix/jsrpc.php?output=json-rpc HTTP/1.1" 200 66 "http://Zabbix IP/zabbix/zabbix.php?action=dashboard.view&dashboardid=8" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
2019 Nov 28 10:50:36 (Zabbix IP) Zabbix IP->/var/log/httpd/access_log
Rule: 31533 (level 10) -> 'High amount of POST requests in a small period of time (likely bot).'
Client A IP - - [28/Nov/2019:10:50:34 +0800] "POST /zabbix/zabbix.php?sid=c912fd71a976af0f&action=widget.svggraph.view HTTP/1.1" 200 4087 "http://Zabbix IP/zabbix/zabbix.php?action=dashboard.view&dashboardid=13" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
2019 Nov 28 10:50:36 (Zabbix IP) Zabbix IP->/var/log/httpd/access_log
Rule: 31533 (level 10) -> 'High amount of POST requests in a small period of time (likely bot).'
Client A IP - - [28/Nov/2019:10:50:35 +0800] "POST /zabbix/zabbix.php?sid=c912fd71a976af0f&action=widget.svggraph.view HTTP/1.1" 200 4325 "http://Zabbix IP/zabbix/zabbix.php?action=dashboard.view&dashboardid=13" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
2019 Nov 28 10:50:56 (Zabbix IP) Zabbix IP->/var/log/httpd/access_log
Rule: 31533 (level 10) -> 'High amount of POST requests in a small period of time (likely bot).'
Client A IP - - [28/Nov/2019:10:50:56 +0800] "POST /zabbix/jsrpc.php?output=json-rpc HTTP/1.1" 200 65 "http://Zabbix IP/zabbix/zabbix.php?action=dashboard.view&dashboardid=13" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
2019 Nov 28 10:51:06 (Zabbix IP) Zabbix IP->/var/log/httpd/access_log
Rule: 31533 (level 10) -> 'High amount of POST requests in a small period of time (likely bot).'
Client B IP - - [28/Nov/2019:10:51:05 +0800] "POST /zabbix/zabbix.php?sid=7b1ea5d2c41f7557&action=widget.svggraph.view HTTP/1.1" 200 194890 "http://Zabbix IP/zabbix/zabbix.php?action=dashboard.view&dashboardid=8" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
2019 Nov 28 10:51:26 (Zabbix IP) Zabbix IP->/var/log/httpd/access_log
Rule: 31533 (level 10) -> 'High amount of POST requests in a small period of time (likely bot).'
Client C IP - - [28/Nov/2019:10:51:25 +0800] "POST /zabbix/zabbix.php?action=notifications.get&sid=8c2bed95b939421f&output=ajax HTTP/1.1" 200 424 "http://Zabbix IP/zabbix/zabbix.php?action=dashboard.view&dashboardid=8" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
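A triage helper for this kind of alert, added here as an example and not part of the original post or of Wazuh/Zabbix. Rule 31533 fires on request frequency alone, so the first question is whether the POSTs per source IP look like a browser with an open Zabbix dashboard (widget and notification refreshes, `jsrpc.php` calls, a `dashboard.view` referer, one `sid` per client, a browser user agent) or something that needs a closer look. The script parses Apache combined-format lines, groups them by client IP, classifies each request, and reports counts, distinct sessions and user agents, and the shortest gap between requests. The sample lines are constructed from the post's format with RFC 5737 placeholder addresses and a placeholder host name; the endpoint set it treats as dashboard polling is an assumption made for this example.

```python
"""Per-source triage of POST bursts on a Zabbix frontend access_log (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, as in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption for this example: requests to these targets, with a dashboard.view
# referer, are the web UI refreshing an open dashboard rather than a bot.
POLLING_ACTIONS = {"widget.svggraph.view", "notifications.get"}
POLLING_PATHS = {"/zabbix/jsrpc.php"}

# Constructed sample lines (placeholder IPs and host), shaped like the post's log.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36")
REF13 = "http://zabbix.example.test/zabbix/zabbix.php?action=dashboard.view&dashboardid=13"
REF8 = "http://zabbix.example.test/zabbix/zabbix.php?action=dashboard.view&dashboardid=8"
SAMPLE = [
    f'192.0.2.10 - - [28/Nov/2019:10:49:52 +0800] "POST /zabbix/zabbix.php?sid=c912fd71a976af0f&action=widget.svggraph.view HTTP/1.1" 200 27611 "{REF13}" "{UA}"',
    f'192.0.2.11 - - [28/Nov/2019:10:50:05 +0800] "POST /zabbix/zabbix.php?action=notifications.get&sid=7b1ea5d2c41f7557&output=ajax HTTP/1.1" 200 424 "{REF8}" "{UA}"',
    f'192.0.2.12 - - [28/Nov/2019:10:50:27 +0800] "POST /zabbix/jsrpc.php?output=json-rpc HTTP/1.1" 200 66 "{REF8}" "{UA}"',
    f'192.0.2.10 - - [28/Nov/2019:10:50:34 +0800] "POST /zabbix/zabbix.php?sid=c912fd71a976af0f&action=widget.svggraph.view HTTP/1.1" 200 4087 "{REF13}" "{UA}"',
    f'192.0.2.10 - - [28/Nov/2019:10:50:35 +0800] "POST /zabbix/zabbix.php?sid=c912fd71a976af0f&action=widget.svggraph.view HTTP/1.1" 200 4325 "{REF13}" "{UA}"',
    f'192.0.2.10 - - [28/Nov/2019:10:50:56 +0800] "POST /zabbix/jsrpc.php?output=json-rpc HTTP/1.1" 200 65 "{REF13}" "{UA}"',
    f'192.0.2.11 - - [28/Nov/2019:10:51:05 +0800] "POST /zabbix/zabbix.php?sid=7b1ea5d2c41f7557&action=widget.svggraph.view HTTP/1.1" 200 194890 "{REF8}" "{UA}"',
    f'192.0.2.12 - - [28/Nov/2019:10:51:25 +0800] "POST /zabbix/zabbix.php?action=notifications.get&sid=8c2bed95b939421f&output=ajax HTTP/1.1" 200 424 "{REF8}" "{UA}"',
    # Constructed contrast case: a non-browser POST with no dashboard referer.
    '192.0.2.99 - - [28/Nov/2019:10:51:30 +0800] "POST /zabbix/index.php HTTP/1.1" 200 1234 "-" "curl/7.64.0"',
]


def parse_line(line):
    """Return a dict of fields for one access_log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    url = urlsplit(rec["target"])
    query = parse_qs(url.query)
    rec["path"] = url.path
    rec["action"] = query.get("action", [""])[0]
    rec["sid"] = query.get("sid", [""])[0]
    return rec


def classify(rec):
    """'ui-polling' for dashboard refresh traffic, 'review' for anything else."""
    if rec["method"] != "POST":
        return "non-post"
    referer_action = parse_qs(urlsplit(rec["referer"]).query).get("action", [""])[0]
    from_dashboard = referer_action == "dashboard.view"
    if from_dashboard and (rec["path"] in POLLING_PATHS or rec["action"] in POLLING_ACTIONS):
        return "ui-polling"
    return "review"


def triage(lines):
    """Summarise POST activity per client IP so an analyst can see what drove the alert."""
    per_ip = defaultdict(lambda: {"count": 0, "polling": 0, "review": 0,
                                  "actions": set(), "uas": set(), "sids": set(), "times": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["count"] += 1
        cls = classify(rec)
        if cls == "ui-polling":
            s["polling"] += 1
        elif cls == "review":
            s["review"] += 1
        s["actions"].add(rec["action"] or rec["path"])
        s["uas"].add(rec["ua"])
        if rec["sid"]:
            s["sids"].add(rec["sid"])
        s["times"].append(rec["ts"])
    out = {}
    for ip, s in per_ip.items():
        times = sorted(s["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[ip] = {"count": s["count"], "ui_polling": s["polling"], "needs_review": s["review"],
                   "actions": sorted(s["actions"]), "distinct_user_agents": len(s["uas"]),
                   "distinct_sessions": len(s["sids"]), "min_gap_s": min(gaps) if gaps else None}
    return out


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE).items():
        print(ip, summary)
```

Run it over the real access_log (`triage(open("/var/log/httpd/access_log").readlines())`) for the alert window. A source whose requests are all `ui_polling`, carry one `sid`, one browser user agent and a `dashboard.view` referer is behaving like a workstation with a dashboard left open; confirm by matching the `sid` and timestamps against the Zabbix audit log and asking who uses that workstation. Sources that land in `needs_review`, or that show many sessions or user agents from one address, are the ones to look at first. If the remaining hits are all dashboard polling, the lasting fix is on the detection side: raise the frequency threshold of rule 31533 for the Zabbix host or add a local rule that excludes these refresh endpoints, rather than leaving a level-10 alert that fires on normal use.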