When running across an unknown IP address in the logs, the first move might be to check the IP address’s reputation through a number of services. This check is useful for the immediate task at hand, but what if you could see not only reputation reports but see, at a granular level, when and what is causing this reputation? That’s where GreyNoise comes in.
Alongside the common fields of a GreyNoise IP address page’s located in the Visualizer (which include relevant DNS information, destination sites, and other data), GreyNoise now has a feature called the IP Timeline. The IP Timeline displays activity as seen by GreyNoise sensors of a particular IP Address over the past thirty days. Let’s take a look at an IP address and explore this tool further.
Getting Started – IP address page
When an IP address is entered into the GreyNoise search box, if GreyNoise has observed scan activity from the IP, you will receive an IP Address page detailing data and related tags:
In this example (IP address 22.214.171.124), an opportunistic scanner appears to be crawling for SMBv1 endpoints and trying to brute force MSSQL servers.
Within the fields displayed are which ports this address scans, any associated fingerprints and what kinds of web requests the IP is known to make. In this case, GreyNoise does not have a lot of fingerprint and request data. So, how can we know for sure that this IP address is still active and malicious?
This is where the IP Timeline feature comes into play. Next to the summary of the IP address, there’s a tab labeled ‘timeline’. Let’s click that and see what we find:
Voila! The page has gone from an overview of the IP address to discrete data points showing when, exactly, GreyNoise has noticed activity. Consecutive days of the same activity are connected by a line.
Each data point GreyNoise has for the IP address is a field along the Y axis, and each day that GreyNoise notices it is the X axis. You can see respective fields and dates along the left and top sides of the graph. In this example, you can see that on the 1st of January there is SMBv1 crawling observed. Then, on the 2nd, there’s MSSQL brute force attempts. The SMBv1 crawling has an unknown intention so it’s listed as white, while the MSSQL brute force attempts are highlighted in red as they are tagged as malicious activity.
How is this useful?
This graph can be used for more than just a quick check on an IP address. For example: you are running an MSSQL server and found this IP address in your logs. Seeing somebody trying to brute force your server can be a nerve-wracking experience! However, by checking this graph you can see that this address attempts to brute force every 8 days on the dot, implying an automated process. That’s still not great, but it’s less scary than a concerted human effort. From there, you could make the call to block at the firewall or you could make sure your passwords aren’t on any well-known word lists and continue to observe the IP address.
Additionally, if you are looking for behavior patterns on an IP address, this graph could come in handy. In this example, we only see two cases where the IP address crawls SMBv1 and then attempts to brute force the next day but, if this was a consistent pattern, this may be indicative of a pattern used when deciding which hosts to try and brute force. You could then use that information to pivot into checking your SMB logs for anything suspicious.
GreyNoise is always looking for new ways to bring as much value as possible. IP Timeline data is only one part of a much bigger ecosystem you can integrate into your processes and investigations. Try it out yourself by signing up for our *enterprise trial or contact us to schedule a more in depth demo.
(*Create a free GreyNoise account to begin your enterprise trial. Activation button is on your Account Plan Details page.)