topic Re: splunk in Splunk Enterprise

splunk

Ahmed_340 — Wed, 05 Jun 2024 06:43:19 GMT

hello i have installed DVWA in my xamp server . practiced some Sql attack on DVWA . after that i typed the following in Splunk search bar but its showing any result .

index=dvwa_logs (error OR "SQL Injection" OR "SQL Error" OR "SQL syntax") OR (sourcetype=access_combined status=200 AND (search_field="*' OR 1=1 --" OR search_field="admin' OR '1'='1")) | stats count by source_ip, search_field, host

Re: splunk

ITWhisperer — Wed, 05 Jun 2024 07:09:11 GMT

What is your question? (Subject "splunk" doesn't help narrow it down given that this is a community of Splunk users answering questions about Splunk-related issues!)

Please provide a description of what you are trying to achieve, some anonymised representative sample events, your current results from searches you have tried, and what your expected results would look like (with a description of the logic relating the sample events to the expected output, if appropriate).

Re: splunk

Ahmed_340 — Wed, 05 Jun 2024 07:22:41 GMT

i have installed DVWA over a xampp . done some cross site scripting now i want to detect that malicious activity in my splunk enterprise

iput the following command

index="dvwa_logs" host="DESKTOP-OKV6K44" sourcetype="access_combined" ("' or 1=1; --" OR "admin' OR '1'='1") | stats count by source_ip, uri, _time

but not getting ant result

Re: splunk

ITWhisperer — Wed, 05 Jun 2024 08:21:02 GMT

The search you have posted is not valid - please share the actual search with minimal anonymisation. Please share in a code block </> to preserve spacing etc.

Re: splunk

Ahmed_340 — Wed, 05 Jun 2024 09:07:33 GMT

i am a newbie please help me to correct my code . tried to correct that with chatgpt. it said the code is ok

Re: splunk

Ahmed_340 — Wed, 05 Jun 2024 10:03:41 GMT

here is the fresh code

index="dvwa_logs" host="DESKTOP-OKV6K44" sourcetype="access_combined" (" ' or 1=1; -- " OR " admin' OR '1'='1 ") | stats count by source_ip, uri, _time

still not working

i have injected

' or 1=1; --

this in the input field

Re: splunk

ITWhisperer — Wed, 05 Jun 2024 09:48:07 GMT

OK That's funny! ChatGPT! No wonder you still have issues! 🤣

Re: splunk

ITWhisperer — Wed, 05 Jun 2024 09:50:43 GMT

What is it you are trying to do? What is the "' or 1=1; --" supposed to be doing? Please share some anonymised representative events so we can see what you are dealing with (amazingly, we don't have access to your systems or your data!)

Re: splunk

Ahmed_340 — Wed, 05 Jun 2024 11:21:58 GMT

i have installed a vulnerable web application in my win 10 OS through xampp. now i have setup my splunk enterprise to test the effect of various attack on the target DVWA web application . or 1=1; -- this is a Sql injection attack

Re: splunk

Ahmed_340 — Wed, 05 Jun 2024 11:30:11 GMT

the following code 1' OR '1'='1'# these are the malicious code to get admin data and password. i want to find the anomaly that it causes the log through Splunk searchsample attack

Re: splunk

ITWhisperer — Wed, 05 Jun 2024 11:35:51 GMT

If you know when you injected it, can you find the raw event in the logs that Splunk has to see how it has been logged (then you'll know what to search for)?