Example SQL Queries
SSH login attempts
SELECT
ipv4_src_ip,
metadata_organization,
gn_classification,
gn_seen,
timestamp
FROM
sensor_data
WHERE
tcp_dst_port = 22
AND LENGTH(tcp_data) >= 46
AND SUBSTRING(tcp_data, 1, 2) = '32'
Top HTTP Requests
SELECT
from_utf8(from_hex(tcp_data)) as raw_data,
http_request_url,
http_request_method,
http_request_body,
http_response_status
FROM
sensor_data
WHERE
length(http_request_url) >= 1
or length(http_response_status) >= 1
limit
100
Identify exploitation of TP-Link CVE-2022-30075
SELECT
*
FROM
sensor_data
WHERE
http_request_url like '/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$%'
order by
timestamp desc
Identify any traffic with malicious-looking strings in their requests
SELECT
*
FROM
sensor_data
WHERE
(
from_utf8(FROM_HEX(tcp_data)) LIKE '%curl%'
OR from_utf8(FROM_HEX(tcp_data)) LIKE '%wget%'
OR from_utf8(FROM_HEX(tcp_data)) LIKE '%/bin/bash%'
OR from_utf8(FROM_HEX(tcp_data)) LIKE '%/bin/sh%'
OR from_utf8(FROM_HEX(tcp_data)) LIKE '%ping%'
OR from_utf8(FROM_HEX(udp_data)) LIKE '%curl%'
OR from_utf8(FROM_HEX(udp_data)) LIKE '%wget%'
OR from_utf8(FROM_HEX(udp_data)) LIKE '%/bin/bash%'
OR from_utf8(FROM_HEX(udp_data)) LIKE '%/bin/sh%'
OR from_utf8(FROM_HEX(udp_data)) LIKE '%ping%'
)
Return IPs tagged as malicious by GreyNoise General Fleet by country and organization
select
count(*) as hits,
count(distinct ipv4_src_ip) as ips,
metadata_organization,
metadata_country
from
sensor_data
where
gn_classification = 'malicious'
group by
3,
4
order by
2 desc
Identify HTTP BASIC credential stuffers and which credentials they are attempting
WITH
extracted_credentials AS (
SELECT
metadata_organization,
metadata_country,
metadata_city,
gn_seen,
ipv4_src_ip,
CAST(
FROM_UTF8 (FROM_BASE64 (SPLIT_PART (header.value, ' ', 2))) AS VARCHAR
) AS credentials
FROM
sensor_data
CROSS JOIN UNNEST (http_request_headers) AS t (header)
WHERE
header.key = 'Authorization'
AND header.value LIKE 'Basic %'
)
SELECT
COUNT(*) AS usage_count,
metadata_organization,
metadata_country,
metadata_city,
gn_seen,
ipv4_src_ip,
credentials
FROM
extracted_credentials
GROUP BY
metadata_organization,
metadata_country,
metadata_city,
gn_seen,
ipv4_src_ip,
credentials
ORDER BY
usage_count DESC;
Identify scanners with benign-seeming rdns or user agents that have not been seen by GreyNoise global fleet
SELECT
count(*) as hits,
ipv4_src_ip,
metadata_rdns,
metadata_organization,
metadata_country,
metadata_city
FROM
sensor_data
WHERE
(
metadata_rdns LIKE '%scan%'
OR metadata_rdns LIKE '%monitor%'
OR metadata_rdns LIKE '%robot%'
OR metadata_rdns LIKE '%security%'
OR metadata_rdns LIKE '%crawl%'
OR metadata_rdns LIKE '%research%'
) and gn_seen = false
group by 2, 3, 4, 5, 6 order by 1 desc
Identify scanners using the same hard-coded user agents as Mirai
SELECT *
FROM sensor_data
CROSS JOIN UNNEST(http_request_headers) AS t (header)
WHERE header.key = 'User-Agent'
AND header.value IN (
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7'
);
Top HTTP user agents
SELECT count(*) as hits,
count(distinct ipv4_src_ip) as ips,
header.value AS user_agent
FROM sensor_data
CROSS JOIN UNNEST(http_request_headers) AS t (header)
WHERE header.key = 'User-Agent'
group by header.value
order by hits desc;
Identify scanning or exploitation of Cisco devices:
select *
from sensor_data
where (
http_request_url like '/+CSCOE+/%'
OR http_request_url like '/webui/%'
)
Top 10 Most Active Source IPs
SELECT
ipv4_src_ip,
COUNT(*) AS activity_count
FROM
sensor_data
GROUP BY
ipv4_src_ip
ORDER BY
activity_count DESC
LIMIT
10;
Most common ports used in TCP scans
SELECT
tcp_dst_port,
COUNT(*) AS syn_count
FROM
sensor_data
WHERE
tcp_syn = true
AND tcp_ack_flag = false
GROUP BY
tcp_dst_port
ORDER BY
syn_count DESC
LIMIT
10;
Identify Traffic from Known Malicious Actors
SELECT
ipv4_src_ip,
gn_actor,
COUNT(*) AS hit_count
FROM
sensor_data
WHERE
gn_classification = 'malicious'
GROUP BY
ipv4_src_ip,
gn_actor
ORDER BY
hit_count DESC;
Frequent HTTP Methods by Source IP
SELECT
ipv4_src_ip,
http_request_method,
COUNT(*) AS method_count
FROM
sensor_data
WHERE
length(http_request_method) >= 1
GROUP BY
ipv4_src_ip,
http_request_method
ORDER BY
method_count DESC;
Apache Struts CVE-2018-11776 Worm
SELECT *
FROM sensor_data
WHERE ipv4_protocol = 'TCP'
AND http_request_url LIKE '%memberAccess%allowStaticMethodAccess%true%';
Atlassian Jira Seraph Authentication Bypass Attempt
SELECT *
FROM sensor_data
WHERE http_request_url LIKE '%/plugins/servlet/seraph%authentication%';