Re: Show events with certain frequency

ernestpoon · ‎01-23-2019

Hi guys, I have an Apache log (with only few information) and I would like to find out the possible events related to brute force password attack.

I am considering to find the login page access records which happened rapidly within three seconds. For example (just an example), if there are the following events:

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:20:36 -0700] "GET /config.php HTTP/1.0" 200 2326 "http://www.example.com/dashboard.php"
127.0.0.1 - frank [10/Oct/2000:13:10:00 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"

The result will be:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"

What should the code be?
I will be able to count the number of password attack occur and plot a time chart showing the attack pattern, after solving this problem.
Thanks.

dkeck · ‎01-24-2019

HI,

did you try to use | timechart count span=3s ? This will give you a lot of spikes in timechart graph but it will group your events in a 3 s intervall. You should only use this with a short time periode

mayurr98 · ‎01-24-2019

Hi can you try this :

Number of Password Attacks:

index=<your_index> | rex field=_raw "\s"(GET|POST|DELETE|UPDATE)\s\/(?<Access>[^\.]+)" | search Access=login | stats count as "Password Attacks"

Plotting it in Timechart:

index=<your_index> | rex field=_raw "\s"(GET|POST|DELETE|UPDATE)\s\/(?<Access>[^\.]+)" | search Access=login | timechart span=3s count as "Password Attacks"

change span according to your need.
let me know if this helps!

ernestpoon · ‎01-24-2019

Hi, thank you for your advice. timechart span=3s count as "Password Attacks" is useful! However, it seems that the rex part has some mistakes so there's an error telling me "Search Factory: Unknown search command 'post'."

mayurr98 · ‎01-24-2019

Try this :

index=<your_index> | rex field=_raw "\s\"GET\s\/(?<Access>[^\.]+)" | search Access=login | timechart span=3s count as "Password Attacks"

ernestpoon · ‎01-25-2019

The error disappeared. But no result is shown.
I am now trying specify the url_path instead of using regular expression. However, I cannot save the timechart to a dashboard. Do you know why?

Show events with certain frequency

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation