https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/667288#M228925 <P>The dataset I am using is "Boss of the Sock Version 1" - "botsv1"</P><P>Index="botsv1"</P><P><STRONG>My assessment question is as follows:</STRONG><BR /><EM>Use a "wild card" search to find all passwords used against the destination IP. As a hint, you will need to use a specific <STRONG>http_method=</STRONG> as the attack was against a web server. You will also need to pipe the result into a search that uses the form_data field to search for user passwords within the <STRONG>form_data.</STRONG> What is the SPL statement used?</EM></P><P>&nbsp;</P><P><BR />Warning!<BR />My SPL may be all over the place but here it is:<BR /><BR />Index="botsv1" dest_ip="192.168.250.70"&nbsp;&nbsp;<SPAN>"http_method=POST form_data"*" source:"stream:http"</SPAN></P><P>| table form_data, src_ip, password<BR /><BR />I am very new here!<BR />Your help is much appreciated</P> Fri, 03 Nov 2023 11:25:04 GMT Mouseman123 2023-11-03T11:25:04Z https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/667260#M228907 <P>I am very new to SPLUNK and practicing using the botsv1 index.</P><P>I need to use a "Wild Card" to find all the passwords used against a destination IP.</P><P>I know I need to use the<STRONG> http_method= Post&nbsp;</STRONG>and search for the user passwords within the <STRONG>form_data</STRONG> field.</P><P>I have been experimenting with the SPL command but no success as of yet</P> Fri, 03 Nov 2023 07:50:10 GMT https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/667260#M228907 Mouseman123 2023-11-03T07:50:10Z https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/667274#M228914 <P>Since everyone is not familiar with the data set you are referring to, please can you provide some examples of the events you are trying to find. Also, please share the SPL you have already tried, so we can see where you might be going wrong.</P> Fri, 03 Nov 2023 09:49:19 GMT https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/667274#M228914 ITWhisperer 2023-11-03T09:49:19Z https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/667288#M228925 <P>The dataset I am using is "Boss of the Sock Version 1" - "botsv1"</P><P>Index="botsv1"</P><P><STRONG>My assessment question is as follows:</STRONG><BR /><EM>Use a "wild card" search to find all passwords used against the destination IP. As a hint, you will need to use a specific <STRONG>http_method=</STRONG> as the attack was against a web server. You will also need to pipe the result into a search that uses the form_data field to search for user passwords within the <STRONG>form_data.</STRONG> What is the SPL statement used?</EM></P><P>&nbsp;</P><P><BR />Warning!<BR />My SPL may be all over the place but here it is:<BR /><BR />Index="botsv1" dest_ip="192.168.250.70"&nbsp;&nbsp;<SPAN>"http_method=POST form_data"*" source:"stream:http"</SPAN></P><P>| table form_data, src_ip, password<BR /><BR />I am very new here!<BR />Your help is much appreciated</P> Fri, 03 Nov 2023 11:25:04 GMT https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/667288#M228925 Mouseman123 2023-11-03T11:25:04Z https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/667289#M228926 <P>So, what events are returned from the first part of your search with http_method="POST"?</P> Fri, 03 Nov 2023 11:47:44 GMT https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/667289#M228926 ITWhisperer 2023-11-03T11:47:44Z https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/669694#M229632 <P>Sorry,</P><P>I assumed the dataset "botsV1" was very widely known.</P><P>Thankyou for responding to my question however I have been able to solve the issue.</P> Sat, 25 Nov 2023 02:10:51 GMT https://community.splunk.com/t5/Splunk-Search/splunk-wildcard-search/m-p/669694#M229632 Mouseman123 2023-11-25T02:10:51Z