Hi,
I am doing Boss of the SOC v1 and I'm stuck on a question where I need to use a lookup. I imported a .csv file and here are my commands:
index=botsv1 dest=192.168.250.70 src="23.22.63.114" http_method=POST
| rex field=form_data "passwd=(?<passwd>[a-zA-Z]{6})"
| lookup coldplay.csv Song as passwd OUTPUTNEW song
Error I get:
That's because your coldplay.csv file doesn't contain a field named song. OUTPUT or OUTPUTNEW can only take what is found in the lookup. If your lookup contains a field named poem and you want to rename it song, you have to reference poem first, like
| lookup coldplay.csv Song AS passwd OUTPUTNEW poem AS song
This is what my .csv looks like. How can I find which fields I have? I thought the name of the column is considered a field?
Yes, the field name is Song, not song. Also, if the lookup only contains one field, what do you expect to look up? The purpose of a lookup is to associate a known field value in search results with one or more field values that are only known in the lookup.
I am trying to do BotS and answer this question:
One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. Which six character song is it?
Basically I am trying to import a list of Coldplay songs as a .csv and compare it with the passwords used in the brute force attack.
Here is how the query should probably look (I think?):
index=botsv1 sourcetype=stream:http form_data=*username*passwd* | rex field=form_data "passwd=(?<userpassword>\w+)" | eval lenpword=len(userpassword) | search lenpword=6 | eval password=lower(userpassword) | lookup coldplay.csv song as password OUTPUTNEW song | search song=* | table song
BTW, if you look at this website - their syntax with lookup and the list that they attached in a link - this syntax just cannot work. I tested it in my lab and it does not work. But you helped me to understand that the last 'song' must be 'Song' 🙂 Thank you.
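To make the point of the exchange above concrete outside Splunk, here is an added Python example (not from the original thread or from Splunk) that emulates the pipeline of the final query: extract the passwd value from form_data, keep six-character values, lowercase them, and join them against a CSV whose header is the lookup field. The sample form_data strings and the coldplay.csv contents are constructed for the example, not real BOTSv1 data. It also shows why OUTPUTNEW song fails: the only field the CSV defines is the header Song, and a lookup can only output fields that exist in the file.

```python
import csv
import io
import re

# Constructed stand-ins for the form_data field of stream:http POST events.
# These are NOT real BOTSv1 events.
SAMPLE_FORM_DATA = [
    "username=admin&passwd=Yellow",
    "username=admin&passwd=batman",
    "username=admin&passwd=paradise",
    "username=admin&passwd=Clocks",
    "username=admin&passwd=12345",
]

# Constructed lookup file. The header row defines the only field: "Song".
COLDPLAY_CSV = """Song
yellow
clocks
paradise
fixyou
"""

# Same extraction as the rex in the thread: passwd=(?<userpassword>\w+)
PASSWD_RE = re.compile(r"passwd=(?P<userpassword>\w+)")


def load_lookup(csv_text):
    """Parse CSV text the way a Splunk CSV lookup is read: header row = field names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup_fields(rows):
    """The fields a lookup can match on or output, i.e. its column headers."""
    return list(rows[0].keys()) if rows else []


def lookup(events, rows, lookup_field, event_field, output_field, output_as=None):
    """Emulate: | lookup <file> <lookup_field> AS <event_field> OUTPUTNEW <output_field> AS <output_as>

    Like Splunk, both lookup_field and output_field must exist in the file
    (field names are case-sensitive); OUTPUTNEW never overwrites an existing field.
    """
    fields = lookup_fields(rows)
    for name in (lookup_field, output_field):
        if name not in fields:
            raise KeyError(f"lookup has no field named {name!r}; fields are {fields}")
    output_as = output_as or output_field
    index = {row[lookup_field]: row for row in rows}
    out = []
    for ev in events:
        row = index.get(ev.get(event_field))
        if row is not None and output_as not in ev:
            ev = dict(ev, **{output_as: row[output_field]})
        out.append(ev)
    return out


def find_six_char_coldplay_passwords(form_data_values, csv_text):
    """Emulate the thread's final query and return the matching song titles."""
    rows = load_lookup(csv_text)
    events = []
    for fd in form_data_values:
        m = PASSWD_RE.search(fd)
        if not m:
            continue
        pw = m.group("userpassword")
        if len(pw) != 6:            # | eval lenpword=len(userpassword) | search lenpword=6
            continue
        events.append({"form_data": fd,
                       "userpassword": pw,
                       "password": pw.lower()})   # | eval password=lower(userpassword)
    # | lookup coldplay.csv Song AS password OUTPUTNEW Song AS song | search song=* | table song
    matched = lookup(events, rows, "Song", "password", "Song", output_as="song")
    return sorted({ev["song"] for ev in matched if "song" in ev})


if __name__ == "__main__":
    print("lookup fields:", lookup_fields(load_lookup(COLDPLAY_CSV)))
    print("matches:", find_six_char_coldplay_passwords(SAMPLE_FORM_DATA, COLDPLAY_CSV))
```

Running the script prints the lookup's field list (just Song) and the six-character passwords that appear in the song list. Asking for a field named song (lowercase) raises a KeyError from lookup(), which is the same failure the thread's first query hit in Splunk.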