Splunk Search

Splunk search removing ../ automatically

AceOfSpades
Engager

I am currently working on a log and filtering data.

Splunk has identified uri_query as a field.

I have come across an event with the uri_query  field "src=../../../../wp-config.php".

However, when I try and search uri_query="src=../../../../wp-config.php", Splunk automatically removes "../../../".

This shortens the search to uri_query="src=wp-config.php", causing the search to return with no results.

Any help to solve the issue of "../../../" being removed would be appreciated! 

Labels (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try putting the search string in double quotes and escaping the (now) embedded double quotes

| makeresults
| eval _raw="blah blah url_query=\"src=../../../../wp-config.php\" blah blah"
| search "url_query=\"src=../../../../wp-config.php\""

AceOfSpades
Engager

Thank you for your help.

Unfortunately the issue is persisting.  I have tried manually searching for events using "View events" (see screenshot) however, after clicking, the search still removes "../" , leading to no results.

Before clicking "View events"Before clicking "View events"

After clicking "View events". Note "../" removed.After clicking "View events". Note "../" removed.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

So the issue is with how the gui sets up the search not with the search itself (when it is modified with the escaped quotes as I showed)?

Which version of splunk are you using?

0 Karma

AceOfSpades
Engager

I was initially searching via the search bar using a method similar to yours. I have tried using the escape quotes as you suggested but again it removes "../". 

Version: 8.2.0

Build: e053ef3c985f

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...