Based on the globally shared white hat security asset library, Log Service provides security check functions that you can use to check whether an IP address, domain name, or URL in logs is secure.

Scenarios

  • Some enterprises and organizations have strong requirements on service maintenance, such as Internet, gaming, and information companies. The IT, security, and O&M personnel of these companies can use the security check functions to filter suspicious access and protect the companies from network attacks and intrusions. They can also use the functions to perform in-depth analysis and take defensive measures.
  • Some enterprises and organizations have strong requirements on the security of internal assets, such as banks, securities companies, and e-commerce companies. The IT, security, and O&M personnel of these enterprises and organizations can use the security check functions to detect and prevent risky behavior, such as accessing websites with security risks and downloading Trojans.

Features

  • Reliable: relies on the globally shared white hat security asset library, which is updated in a timely manner.
  • Fast: takes only a few seconds to check millions of IP addresses, domain names, or URLs.
  • Simple: supports any type of network log. The result is obtained by calling three SQL functions: security_check_ip, security_check_domain, and security_check_url.
  • Flexible: supports both interactive queries and the creation of report views. You can configure alerts and take further action.

Functions

Function              | Description                                                                                  | Example
security_check_ip     | Checks whether the IP address is secure. Returns 1 (hit: the IP address is insecure) or 0 (miss).  | select security_check_ip(real_client_ip)
security_check_domain | Checks whether the domain name is secure. Returns 1 (hit: the domain name is insecure) or 0 (miss). | select security_check_domain(site)
security_check_url    | Checks whether the URL is secure. Returns 1 (hit: the URL is insecure) or 0 (miss).                 | select security_check_url(concat(host, url))

Examples

  • Detect suspicious external access and generate reports

    An e-commerce company collects logs from the NGINX server that it operates, and wants to check whether clients access the server from insecure IP addresses. In this case, pass the ClientIP field of the logs to security_check_ip as the input parameter, filter the IP addresses for which the value 1 is returned, and display the country and ISP of each IP address.

    The query statement is as follows:

    * | select ClientIP, ip_to_country(ClientIP) as country, ip_to_provider(ClientIP) as provider, count(1) as PV where security_check_ip(ClientIP) = 1 group by ClientIP order by PV desc
    Display the result in a map view, as shown in the following figure (Maps).
  • Detect suspicious internal access and configure alerts
    For example, a securities company collects the network traffic logs recorded when its internal devices access the Internet through a gateway proxy. To check whether someone has accessed websites with security risks, use the following query statement:
    * | select client_ip, count(1) as PV where security_check_ip(remote_addr) = 1 or security_check_domain(site) = 1 or security_check_url(concat(site, url)) = 1 group by client_ip order by PV desc
    You can also save this statement as a quick query and configure an alert. When a client accesses websites with security risks frequently, the alert is triggered. You can set the search period to 5 minutes to check whether someone has accessed websites with security risks frequently (more than 5 times) in the past hour, as shown in the following figure (Configure alerts).
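The following is an added example, not code from Log Service or from this page, that reproduces the internal-access detection above end to end so the logic can be run offline. Because the real security_check_ip, security_check_domain and security_check_url functions are backed by the white hat security asset library, the example registers its own stand-ins on an in-memory SQLite database and backs them with a small constructed threat list; the proxy log rows, the IP addresses (RFC 5737 test ranges) and the threshold helper are all constructed for the example. The query mirrors the statement in the second example, with SQLite's `||` in place of concat().

```python
import sqlite3
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed stand-in for the white hat security asset library. These values are
# made up for the example; they do not come from any real threat feed.
THREAT_IPS = {"203.0.113.7"}
THREAT_DOMAINS = {"malware.example"}
THREAT_URLS = {"http://downloads.example/trojan.exe"}


def security_check_ip(value):
    """Return 1 (hit: insecure) if the IP address is in the threat list, else 0 (miss)."""
    try:
        ip = ip_address(str(value).strip())
    except ValueError:          # not a valid IP address: treat as a miss, not an error
        return 0
    return 1 if str(ip) in THREAT_IPS else 0


def security_check_domain(value):
    """Return 1 if the host or any parent domain is in the threat list, else 0."""
    labels = str(value).strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # check host, then each parent domain
        if ".".join(labels[i:]) in THREAT_DOMAINS:
            return 1
    return 0


def security_check_url(value):
    """Return 1 if the normalized URL is in the threat list, else 0."""
    url = str(value).strip()
    if "://" not in url:                      # concat(site, url) yields host + path
        url = "http://" + url
    parts = urlsplit(url)
    normalized = f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"
    return 1 if normalized in THREAT_URLS else 0


# Constructed gateway proxy logs: (client_ip, remote_addr, site, url).
SAMPLE_LOGS = (
    [("10.0.0.5", "203.0.113.7", "news.example", "/index.html")] * 4      # IP hits
    + [("10.0.0.5", "198.51.100.20", "malware.example", "/")] * 2         # domain hits
    + [("10.0.0.9", "198.51.100.21", "downloads.example", "/trojan.exe")]  # URL hit
    + [("10.0.0.12", "198.51.100.22", "docs.example", "/guide")] * 3      # clean
)

# Same shape as the page's query; `||` replaces concat() for SQLite.
SUSPICIOUS_ACCESS_QUERY = """
select client_ip, count(1) as PV
from proxy_logs
where security_check_ip(remote_addr) = 1
   or security_check_domain(site) = 1
   or security_check_url(site || url) = 1
group by client_ip
order by PV desc
"""


def suspicious_access(logs=SAMPLE_LOGS):
    """Run the detection query over the log rows and return [(client_ip, PV), ...]."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("security_check_ip", 1, security_check_ip)
    conn.create_function("security_check_domain", 1, security_check_domain)
    conn.create_function("security_check_url", 1, security_check_url)
    conn.execute("create table proxy_logs (client_ip text, remote_addr text, site text, url text)")
    conn.executemany("insert into proxy_logs values (?, ?, ?, ?)", logs)
    rows = conn.execute(SUSPICIOUS_ACCESS_QUERY).fetchall()
    conn.close()
    return rows


def alert_clients(rows, threshold=5):
    """Clients whose hit count exceeds the threshold (the page's 'more than 5 times')."""
    return [client for client, pv in rows if pv > threshold]


if __name__ == "__main__":
    result = suspicious_access()
    for client, pv in result:
        print(f"{client}\t{pv}")
    print("alert:", alert_clients(result))
```

The stand-in functions return 0 for malformed input rather than raising, so a single bad log field cannot abort the whole query; the alert helper applies the count threshold to the grouped result, which is what the saved quick query's alert condition does on the Log Service side.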