Splunk Search

How do i find base64 strings within a field: eg URI=/something1/something2/something3_base64_string etc

leotoa
New Member

hello,

i'm trying to list URIs with base64 strings in them of at least 24 characters (i havent got to the length bit of the search):

search:

source=logdata1 uri=* | fields uri | regex uri="[a-z-A-Z0-9+/]{4}|[a-z-A-Z0-9+/]{3}=|[a-z-A-Z0-9+/]{2}==" | stats count by uri

This brings back pretty much EVERY URI, LOL.

Please can we identify a way to say the base64 length is no less than 24 characters?

Tags (4)
0 Karma

msivill_splunk
Splunk Employee
Splunk Employee

Does this help you get closer?

| makeresults count=5 
| streamstats count 
| eval uri = CASE ( count==1,"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",count==2,"bbbbbbbbbb",count==3,"ccccccccccccccccccccccccccccccccccc",count==4,"dddddd",count==5,"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ) 
| fields uri
| regex uri="[a-z-A-Z0-9+/]{4}|[a-z-A-Z0-9+/]{3}=|[a-z-A-Z0-9+/]{2}==" 
| eval uri_len = len(uri) 
| where uri_len > 24 
| stats count by uri

I'm using some self contained SPL to generate the data so this will need to be tweaked for your example

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...