Re: How to search for DR string ../../../../ ??

ShinR · ‎08-13-2021

Hi everyone,

I just wanted to do a quick search in URLs requested in Splunk but cannot get the directory traversal string (../../../../ o similar) to stick - it gets stripped from the query. I've tried using quotes and it seems escaping shouldn't be necessary.

Any suggestions?

Thanks

richgalloway · ‎08-13-2021

Please share the troublesome query.

---
If this reply helps you, Karma would be appreciated.

ShinR · ‎08-13-2021

Sorry, here's a simple example:

index=* url="*../../../../*"

or

index=* "../../../../"

richgalloway · ‎08-13-2021

I believe the problem is attempting to search for a string of minor blocker characters. You may have better luck using a separate where command.

index=foo ```Always use explicit index names```
| where like(url, "../../../../%") ```Like is used instead of match to avoid escaping every character```

---
If this reply helps you, Karma would be appreciated.

ShinR · ‎08-13-2021

Thanks again for the suggestion. Unfortunately everything between the * and the % gets stripped when I execute the search.

richgalloway · ‎08-13-2021

The asterisk was a typo. Please try again without it.

---
If this reply helps you, Karma would be appreciated.

ShinR · ‎08-16-2021

Same result unfortunately... does the same thing not happen on your splunk instance?

richgalloway · ‎08-16-2021

It does not happen on my instance (8.1.2)

---
If this reply helps you, Karma would be appreciated.

NatSec · ‎12-16-2021

I have the same issue on Splunk v8.2.1

Any solution please?

How to search for DR string ../../../../ ??

lookup

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!