Are these alerts generated by Internet-wide scanners performing mass scans? Or are they targeted attackers intentionally trying to break into your system? Without a way to filter out benign attacks and background noise, you run the risk of alert fatigue and ignoring what really matters.
Silencing the Internet is something that Andrew Morris knows best. His company GreyNoise reduces the noise generated by false positives — by contextualising alerts and allowing SOC teams to focus on the attacks that are targeting them specifically.
We’ve already had the pleasure of chatting with Andrew in our interview series, where you can learn more about GreyNoise and his approach to threat intelligence. Today he’ll show us his favorite ways of using GreyNoise to determine which logs are generated by noise and which are targeted scans, how to improve your threat intelligence using GN and more.
Follow us on Twitter to receive updates!Follow @SecurityTrails
ProTip 1: Swiftly differentiate between noise and targeted scans
1. Using the GN filter to figure out which logs are generated by noise
A common-use case for GreyNoise is to take a large set of IP addresses (perhaps from a SIEM query or parsed log file) and enrich them, to figure out how many are “noise” and how many are “not noise” or “targeted”.
We’ve built this function into our command line tool with the
greynoise filter. Use this feature to rapidly filter “noisy” IP addresses from log files, other tools, etc.
greynoise filter to comb through log files and only see entries that are generated by Internet background noise.
greynoise quick to quickly enrich thousands of IP addresses against GreyNoise:
# cat /var/log/auth.log | greynoise filter | wc -l
# cat /var/log/auth.log | greynoise filter --noise-only | wc -l # cat /var/log/auth.log | wc -l 8046 # cat /var/log/auth.log | greynoise filter | wc -l 3615
2. Looking up IPs GreyNoise knows about
You can also use the
greynoise filter feature to parse through unstructured log files, highlight noisy IP addresses, and suppress or specifically output event lines that were originated by internet-wide scanners or attackers.
Another use for GreyNoise is to analyze log files containing many IP addresses, to determine which tags and intentions were applied by GreyNoise. Use
greynoise analyze to sift through a log file, enrich IP addresses against greynoise, and only display the attributes of each IP address in aggregate.
This enables GreyNoise users to quickly identify log files that contain activity generated by malicious or benign internet scanners, allowing you to pay more (or less) attention to a given set of log files.
ProTip 2: Lookup more than one IP with the visualizer
The GreyNoise visualizer is a web interface that allows simple lookups and complex queries against our live-updating picture of Internet-wide scan and attack data.
Check out this screenshot of the GreyNoise visualizer. On the left we see the top aggregate fields of a given GreyNoise Query Language (GNQL) search. On the right we see summaries of any devices that GreyNoise has observed scanning or crawling the Internet, as well as the GreyNoise tags associated with them. If the devices are highlighted in red, that means they have been classified as malicious. Likewise, any devices highlighted in green are benign scanners and crawlers, like Google or Shodan.
ProTip 3: Andrew’s starred Github projects
Extract IOCs easily with Python
Visualization and reporting for anything in Postgres
Track cloud spend
Package Go applications
Make your iTerm2 look beautiful
Bring your dotfiles with you when you ssh somewhere
An all-around better Postgres Pager
ProTip 4: Better threat intelligence with GreyNoise integrations
Using GreyNoise integrations will allow you to further provide relevant and contextualized threat intelligence, in turn helping you find emerging threats in your distinctive environment:
- TheHive-Cortex Analyzer — TheHive is an open source cyber threat intelligence platform used to enrich dozens of different observables and integrate with hundreds of different technologies. GreyNoise integrates with TheHive to contextualize noisy alerts and identify compromised devices.
- MISP (Malware Information Sharing Platform) — MISP is a popular threat intelligence collaboration platform used to share information between teams and organizations.
- Spiderfoot — Spiderfoot is an open source OSINT platform with a hosted commercial offering.
ProTip 5: Use GreyNoise with Shodan
Shodan is an Internet-wide scanning search engine that indexes information on exposed ports and services across the entire Internet and makes the data available through both a web Interface and an API.
Shodan and GreyNoise have a data partnership where users can search for GreyNoise IPs from within the Shodan interface or API, using the
These IP addresses:
- Have open ports and services exposed to the Internet
- Are actively scanning or crawling the Internet. This is a higher confidence indicator that the IP addresses are infected.
Here’s a screenshot of a device with port 8083/TCP open running an HTTPs web server, that is also opportunistically scanning the Internet. This means there’s a good chance the device is compromised.
With Andrew’s tips, we’re sure you’ll be able to contextualise your threat data, know what matters and stay prepared for any emerging threats. Be sure to stay tuned for the next ProTips installment, featuring another industry expert who’ll let us in on tips and tricks to sharpen our cybersecurity skills. If you know who you’d like to see featured in ProTips, or think you’re the right person for this series, we look forward to hearing from you! Send us an email at hello@securitytrails.
Sign up for our newsletter!