Rex field extraction

zacksoft_wf
Contributor

I have a field called 'description'. I want to be able to extract the MD5, SHA1 and SHA256 values present in this field.
I need help with a regular expression. Here is an example of the field value. It's pretty huge. Towards the end you will notice the MD5, SHA1 and SHA256 values.

Example:
============

Family: alien

alien is a credential theft malware designed to run on a mobile phone running the Android operating system. This malware will attempt to monitor the user's activities and steal their data by either logging keystrokes, copying their clipboard content or applying an overlay on top of legitimate applications the malware is instructed to monitor for.

Pattern(s) extracted from web_inject config for this family:

com.wf.Tubeswatermobile


Infrastructure: hxxp://yektkedecaedem.shop
Type: CNC

Infrastructure purpose: A CNC is the interface between the botnet and the threat actor, allowing the threat actor to send commands, exfiltrate data and manage an infected machine.

Virustotal Report: https://www.virustotal.com/gui/url/b2eba8fb7266c50f23d71d1ref5c5df663962eccf1420d59a14ee2hb5005f6fb/...

Associated Payload Hashes:
MD5 9fagf968da04a2bb464f4842ebd1bd29
SHA1 0bacdak9d1a7dbb975759d687645006f875a388b
SHA256 ba57be868c89b4a342c412c066dc58ed9a888f8009ec512917004380d8e8233e

http://yeytledfcaeden.shop


============


javiergn
Super Champion

Hi @zacksoft_wf, try the following rex, which will create 3 fields, one for each hash.

| rex field=description "(?ms)MD5\s+(?<md5>\w+)\s+SHA1\s+(?<sha1>\w+)\s+SHA256\s+(?<sha256>\w+)"



zacksoft_wf
Contributor

Thank you. May I ask what the "?ms" is for?


gcusello
SplunkTrust

Hi @zacksoft_wf,

It's used when the log is multi-row.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

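The extraction from the accepted rex, together with the follow-up about "(?ms)", worked through in Python as an added example; this is not code from the thread or from Splunk. Splunk's rex uses PCRE, and Python's re module agrees with it for everything used here (named groups are spelled (?P<name>...) in Python, and (?ms) corresponds to re.M | re.S). The first sample is the tail of the description value from the question, copied as posted; the second is a constructed description with real digests of the empty string, listed in a different order. The function names, the stricter per-algorithm pattern and the HASH_LENGTHS table are my own choices, not anything from the page.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed sample 1: the tail of the 'description' value from the question,
# copied as posted. The MD5 and SHA1 contain non-hex characters ('g', 'k'),
# exactly as they appear in the post.
POSTED_DESCRIPTION = """Family: alien

Infrastructure: hxxp://yektkedecaedem.shop
Type: CNC

Associated Payload Hashes:
MD5 9fagf968da04a2bb464f4842ebd1bd29
SHA1 0bacdak9d1a7dbb975759d687645006f875a388b
SHA256 ba57be868c89b4a342c412c066dc58ed9a888f8009ec512917004380d8e8233e

http://yeytledfcaeden.shop
"""

# Constructed sample 2 (not from the thread): well-formed digests of the empty
# string, listed in a different order than the accepted rex expects.
WELLFORMED_DESCRIPTION = "\n".join([
    "Associated Payload Hashes:",
    "SHA256 " + hashlib.sha256(b"").hexdigest(),
    "MD5 " + hashlib.md5(b"").hexdigest(),
    "SHA1 " + hashlib.sha1(b"").hexdigest(),
    "",
])

# The accepted answer's rex, translated to Python's re syntax.
REX_PATTERN = r"MD5\s+(?P<md5>\w+)\s+SHA1\s+(?P<sha1>\w+)\s+SHA256\s+(?P<sha256>\w+)"


def extract_like_rex(description: str, multiline_flags: bool = True) -> Optional[Dict[str, str]]:
    """Apply the accepted rex as written. Returns the three groups, or None when
    a label is missing or the labels are not in MD5 -> SHA1 -> SHA256 order.
    With multiline_flags=False the pattern runs without (?ms); the result is
    identical because the pattern relies on \\s+ (which already matches
    newlines) and uses no ^, $ or . that the m and s flags would change.
    """
    flags = (re.M | re.S) if multiline_flags else 0
    m = re.search(REX_PATTERN, description, flags)
    return m.groupdict() if m else None


# Expected hex digest lengths (assumption of this example); the strict pattern
# accepts nothing else.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def extract_strict(description: str) -> Dict[str, Optional[str]]:
    """One labeled pattern per algorithm, so line order does not matter and a
    missing label does not break the others. ^ and $ are anchored per line by
    re.M (the 'm' half of (?ms)), and only a run of exactly N hex digits
    between the label and the end of the line is accepted, so the malformed
    values in the posted sample come back as None instead of being stored as
    if they were real indicators.
    """
    result: Dict[str, Optional[str]] = {}
    for name, length in HASH_LENGTHS.items():
        pattern = rf"^{name}\s*:?\s+([0-9a-f]{{{length}}})\s*$"
        m = re.search(pattern, description, re.I | re.M)
        result[name] = m.group(1).lower() if m else None
    return result


if __name__ == "__main__":
    print("rex-style:", extract_like_rex(POSTED_DESCRIPTION))
    print("strict:   ", extract_strict(POSTED_DESCRIPTION))
    print("strict:   ", extract_strict(WELLFORMED_DESCRIPTION))
```

Running it shows the practical difference: the accepted rex returns all three values from the posted sample, including the MD5 and SHA1 that contain non-hex characters, and returns nothing at all when the labels appear in another order or one of them is absent; the strict version keeps the SHA256, rejects the two malformed values, and picks up all three from the reordered sample. The same per-algorithm approach in SPL is three chained rex commands, each with its own inline flags (my translation, standard rex syntax): `| rex field=description "(?im)^MD5\s+(?<md5>[0-9a-f]{32})\s*$" | rex field=description "(?im)^SHA1\s+(?<sha1>[0-9a-f]{40})\s*$" | rex field=description "(?im)^SHA256\s+(?<sha256>[0-9a-f]{64})\s*$"`. Here the (?m) flag does real work, because ^ and $ must match at line boundaries inside the multi-line field.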