Hello,
I'm trying to list URIs with base64 strings in them of at least 24 characters (I haven't got to the length bit of the search):
Search:
source=logdata1 uri=* | fields uri | regex uri="[a-z-A-Z0-9+/]{4}|[a-z-A-Z0-9+/]{3}=|[a-z-A-Z0-9+/]{2}==" | stats count by uri
This brings back pretty much EVERY URI, LOL.
Please can we identify a way to say the base64 length is no less than 24 characters?
Does this help you get closer?
| makeresults count=5
| streamstats count
| eval uri = CASE ( count==1,"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",count==2,"bbbbbbbbbb",count==3,"ccccccccccccccccccccccccccccccccccc",count==4,"dddddd",count==5,"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" )
| fields uri
| regex uri="[a-z-A-Z0-9+/]{4}|[a-z-A-Z0-9+/]{3}=|[a-z-A-Z0-9+/]{2}=="
| eval uri_len = len(uri)
| where uri_len > 24
| stats count by uri
I'm using some self-contained SPL to generate the data, so this will need to be tweaked for your example.
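
The length requirement from the question, sketched as an added Python example (not code from either post): it extracts each contiguous base64 run of 24 or more characters from a URI, so the length test applies to the run itself, and compares the result with the question's pattern. The sample URIs are constructed, and two choices are assumptions of this example: "/" is treated as a path separator rather than as a base64 character, and all-hex runs are skipped.

```python
import base64
import re

# Pattern from the question: unanchored, so any 4 alphabet characters satisfy it.
ORIGINAL = re.compile(r"[a-z-A-Z0-9+/]{4}|[a-z-A-Z0-9+/]{3}=|[a-z-A-Z0-9+/]{2}==")

# Assumption: "/" is left out of the alphabet and treated as a path separator,
# otherwise a path like /api/v1/users/list reads as one long base64 run.
A = "A-Za-z0-9+"
CANDIDATE = re.compile(
    rf"(?<![{A}])"                               # do not start mid-token
    rf"(?:[{A}]{{4}}){{5,}}"                     # 5 or more full groups (20+ chars)
    rf"(?:[{A}]{{4}}|[{A}]{{3}}=|[{A}]{{2}}==)"  # final group, padded or not (24+)
    rf"(?![{A}=])"                               # do not stop mid-token
)
HEX_ONLY = re.compile(r"[0-9A-Fa-f]+")  # long hex IDs also fit the base64 alphabet


def base64_runs(uri):
    """Return (run, decoded_bytes) for each base64 run of 24+ characters in uri."""
    found = []
    for match in CANDIDATE.finditer(uri):
        run = match.group(0)
        if HEX_ONLY.fullmatch(run):
            continue  # heuristic (assumption): all-hex is more likely a hash or ID
        found.append((run, base64.b64decode(run)))
    return found


# Constructed sample URIs, not taken from the original post.
SAMPLE_URIS = [
    "/index.html",
    "/api/v1/users/list/all/active/accounts",
    "/t?x=c2hvcnQ=",                                       # base64, only 8 chars
    "/dl?d=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",          # 36 chars, padded
    "/img/QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIz.png",   # 40 chars, unpadded
    "/static/0123456789abcdef0123456789abcdef.js",         # 32-char hex string
]


def compare(uris=SAMPLE_URIS):
    """Map each URI to (original pattern matched?, runs from the stricter pattern)."""
    return {u: (bool(ORIGINAL.search(u)), base64_runs(u)) for u in uris}


if __name__ == "__main__":
    for uri, (orig_hit, runs) in compare().items():
        print(f"{uri}\n  original: {orig_hit}  stricter: {[r for r, _ in runs]}")
```

The stricter pattern uses only constructs that PCRE also supports (fixed-width lookbehind, lookahead, counted groups) and contains no quotes or backslashes.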