Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About patpro
patpro
Explorer
Member since:
09-14-2014
10-31-2022
Community Statistics
| Posts | 11 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 3 |
| Member Since | 09-14-2014 |
Activity Feed
- Posted Re: ldapfilter can't use fields from events on Splunk Search. 10-18-2022 01:03 AM
- Posted Re: ldapfilter can't use fields from events on Splunk Search. 06-06-2022 11:49 PM
- Posted Re: ldapfilter can't use fields from events on Splunk Search. 06-03-2022 08:47 AM
- Posted Re: ldapfilter can't use fields from events on Splunk Search. 06-03-2022 06:24 AM
- Posted ldapfilter - Why can't I use fields from events? on Splunk Search. 06-02-2022 10:52 PM
- Tagged ldapfilter - Why can't I use fields from events? on Splunk Search. 06-02-2022 10:52 PM
- Tagged ldapfilter - Why can't I use fields from events? on Splunk Search. 06-02-2022 10:52 PM
- Got Karma for How to set up an alert to detect login abuse and credential leaks using geographical and timing data?. 06-05-2020 12:47 AM
- Got Karma for Re: How to set up an alert to detect login abuse and credential leaks using geographical and timing data?. 06-05-2020 12:47 AM
- Got Karma for Re: How to set up an alert to detect login abuse and credential leaks using geographical and timing data?. 06-05-2020 12:47 AM
- Posted Re: How can I write a timechart search with transaction to compare sessions over time (John the Ripper logs)? on Splunk Search. 02-29-2016 01:58 PM
- Posted Re: How can I write a timechart search with transaction to compare sessions over time (John the Ripper logs)? on Splunk Search. 02-26-2016 12:18 PM
- Posted Re: How can I write a timechart search with transaction to compare sessions over time (John the Ripper logs)? on Splunk Search. 02-25-2016 10:14 AM
- Posted How can I write a timechart search with transaction to compare sessions over time (John the Ripper logs)? on Splunk Search. 02-24-2016 02:31 PM
- Tagged How can I write a timechart search with transaction to compare sessions over time (John the Ripper logs)? on Splunk Search. 02-24-2016 02:31 PM
- Tagged How can I write a timechart search with transaction to compare sessions over time (John the Ripper logs)? on Splunk Search. 02-24-2016 02:31 PM
- Tagged How can I write a timechart search with transaction to compare sessions over time (John the Ripper logs)? on Splunk Search. 02-24-2016 02:31 PM
- Posted Re: How to set up an alert to detect login abuse and credential leaks using geographical and timing data? on Dashboards & Visualizations. 09-24-2014 01:03 PM
- Posted How to set up an alert to detect login abuse and credential leaks using geographical and timing data? on Dashboards & Visualizations. 09-22-2014 01:56 PM
- Tagged How to set up an alert to detect login abuse and credential leaks using geographical and timing data? on Dashboards & Visualizations. 09-22-2014 01:56 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 |
10-18-2022
01:03 AM
Ok. The ldapfilter command was unable to work for me. So I've had to rethink the way I work. As my LDAP data would not change much on a daily basis, I've choose to create a lookup table every day (scheduled report, early morning) with the ldapsearch command. This lookup table contains all the info I need to replace the ldapfilter command and probably yields to better performances at runtime.
... View more
06-06-2022
11:49 PM
As I wrote earlier, defining "conv" as the whole search string yields to nothing better : either no result at all, or an error of invalid filter depending how hard I try to add quotes, escapes, etc.
... View more
06-03-2022
08:47 AM
Job inspector is of no help here as it has no access to what's going on inside SA-LdapSearch. So it shows that the ldapfilter command is using "$conv$" but does not show if it's expanded and with what value(s). tcpdump helps a lot: it tells me exactly what SA-LdapSearch is sending to the LDAP/AD server and what reply it got, will full LDAP protocol details. Anyway it's not enough for me (yet) to understand the different behaviors I have 😞
... View more
06-03-2022
06:24 AM
The $foo$ format is specific to this command. You can find examples in the documentation: https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.4/User/Theldapfiltercommand I've alreaady tried "conv" alone, "$$conv$$", and other things without any success so far. Currently I'm digging with tcpdump to try and pinpoint the difference between using $conv$ and using the value of conv directly. Anyway, now I can assure you that "$conv$" is properly replaced dynamically by the value of conv when the ldapfilter command kick's in, unfortunately the behavior of the command / the quality of the LDAP request seems to differ and I have an empty result in Splunk when I use "$conv$" instead of the value of conv. I've also tried to define "conv" as the whole search filter, without success, but now that I'm tcpdumping everything I might as well test again to see what changes…
... View more
06-02-2022
10:52 PM
Hello,
I'm trying to use ldapfilter to add some info to events I collect from MS Exchange but as soon as my ldapfilter query is dynamic (makes use of $field$) it does not return anything.
My initial search looks like this:
index=Exchange Mailboxes=* | rex "'?S:Mailboxes=(?<SMailboxes>[^']+)'?;'?S:StoreObjectIds" | makemv SMailboxes delim=";"
| mvexpand SMailboxes| top SMailboxes limit=50
| rex field=SMailboxes "(?<m1>..)(?<m2>..)(?<m3>..)(?<m4>..)-(?<m5>..)(?<m6>..)-(?<m7>..)(?<m8>..)-(?<m9>..)(?<m10>..)-(?<m11>..)(?<m12>..)(?<m13>..)(?<m14>..)(?<m15>..)(?<m16>..)"
| eval conv="\\\\" . m4 . "\\\\" . m3 . "\\\\" . m2 . "\\\\" . m1 . "\\\\" . m6 . "\\\\" . m5 . "\\\\" . m8 . "\\\\" . m7 . "\\\\" . m9 . "\\\\" . m10 . "\\\\" . m11 . "\\\\" . m12 . "\\\\" . m13 . "\\\\" . m14 . "\\\\" . m15 . "\\\\" . m16
| table SMailboxes,conv
And the result looks like this:
SMailboxes
conv
7409c768-ed1b-45dd-8d5d-d36e65af77c1
\\68\\c7\\09\\74\\1b\\ed\\dd\\45\\8d\\5d\\d3\\6e\\65\\af\\77\\c1
All good.
Things get wrong when I add ldapfilter:
index=Exchange Mailboxes=* | rex "'?S:Mailboxes=(?<SMailboxes>[^']+)'?;'?S:StoreObjectIds" | makemv SMailboxes delim=";"
| mvexpand SMailboxes| top SMailboxes limit=50
| rex field=SMailboxes "(?<m1>..)(?<m2>..)(?<m3>..)(?<m4>..)-(?<m5>..)(?<m6>..)-(?<m7>..)(?<m8>..)-(?<m9>..)(?<m10>..)-(?<m11>..)(?<m12>..)(?<m13>..)(?<m14>..)(?<m15>..)(?<m16>..)"
| eval conv="\\\\" . m4 . "\\\\" . m3 . "\\\\" . m2 . "\\\\" . m1 . "\\\\" . m6 . "\\\\" . m5 . "\\\\" . m8 . "\\\\" . m7 . "\\\\" . m9 . "\\\\" . m10 . "\\\\" . m11 . "\\\\" . m12 . "\\\\" . m13 . "\\\\" . m14 . "\\\\" . m15 . "\\\\" . m16
| table SMailboxes,conv
| ldapfilter debug=true domain="default" basedn="..." search="(msExchMailboxGuid=$conv$)" attrs="name"
-> the result is empty.
In the ldapfilter, if I replace "$conv$" with "\\68\\c7\\09\\74\\1b\\ed\\dd\\45\\8d\\5d\\d3\\6e\\65\\af\\77\\c1" then the query works and attribute "name" is properly returned and added to the table.
How can I make things work with $conv$ in order to have proper results (and not the same static "name" for every event) ?
I've tried so many combinations: from 1 to 4 \, with or without quotes/simple quotes, making $conv$ the whole "search" value, etc. Nothing works.
... View more
02-29-2016
01:58 PM
Hi @javiergn
No solution yet. The more I think about this problem the less I think Splunk can handle it.
Your query properly breaks log file into cracking sessions, and classifies events, which is fine. But from here I can't plot a timechart of cracked pwds (and even though, I would have to tune Splunk so it can handle +30-50K events per cracking session).
In the end of my second post, I've managed to explain a little bit more clearly what I'm trying to achieve. Tonight I've spent some time on awk/gnuplot to get the result I'm looking for.
It's rough, quick&dirty, probably won't scale very well, but the idea is here.
... View more
02-26-2016
12:18 PM
No concurrent sessions, it's only one at a time. I've just realized my mistake: the content of columns message_type and message_text are not always aligned (on a line to line basis), because message_text lines can be so long they wrap, yielding to apparent mismatch. Example in the picture :
My bad, no problem here.
... View more
02-25-2016
10:14 AM
Thanks javiergn, I guess I'm starting to understand how I could work without true transactions.
Unfortunately, as is, your code returns some very odd results that might be caused by the fact a single log file records many successive sessions. If I "zoom" to a period of time where I have only one session, the result is OK, apart from some limitation issues:
'stats' command: limit for values of field 'message_text' reached. Some values may have been truncated or ignored.
'stats' command: limit for values of field 'message_type' reached. Some values may have been truncated or ignored.
'stats' command: limit for values of field 'session_time' reached. Some values may have been truncated or ignored.
Ideally, the output would be a plot showing for each session the command line (legend for example) and number-of-cracked-pwd=f(time).
It means I need to be able to declare: while I'm inside an active session, title=my-command-line (or a part of my-command-line, like my wordlist, my passwd file…)
And then timechart count(Cracked) by title.
It's even better if I can plot every timechart with the same origin (hence every ploted session seems to start at the same time, allowing a better graphical comparison between them).
I know I can do this in just minutes with awk and gnuplot, but the result would be very static (and boring).
I've started to configure field extractions, but I'm not finished yet, I need to test every different cases (markov, incremental, wordlist, single, etc.).
... View more
02-24-2016
02:31 PM
Few days ago, a developer has added to John the Ripper the ability to timestamp every line of logs, allowing me to feed them to Splunk in order to derive statistics from this data.
JtR's logs are complex, starting with a header of several lines giving details about the current session:
2016-02-23T20:43:57+0100 1 0:00:00:00 Starting a new session
2016-02-23T20:43:57+0100 1 0:00:00:00 Loaded a total of 15151 password hashes with 15151 different salts
2016-02-23T20:43:57+0100 1 0:00:00:00 Sorting salts, for performance
2016-02-23T20:43:57+0100 1 0:00:00:00 Remaining 14755 password hashes with 14755 different salts
2016-02-23T20:43:57+0100 1 0:00:00:00 - Node numbers 1-4 of 4 (fork)
2016-02-23T20:43:57+0100 1 0:00:00:00 Command line: ./john --fork=4 --wordlist=password.lst --rules=JUMBO dump.txt
2016-02-23T20:43:57+0100 1 0:00:00:00 - UTF-8 input encoding enabled
2016-02-23T20:43:57+0100 1 0:00:00:00 - Passwords will be stored UTF-8 encoded in .pot file
...
After this header, each cracked password yields to a new line, and periodically an info line is printed:
2016-02-23T20:50:38+0100 2 0:00:06:41 + Cracked foo
2016-02-23T20:50:50+0100 1 0:00:06:53 + Cracked bar
2016-02-23T20:50:47+0100 3 0:00:06:49 + pot sync removed 2 hashes; Remaining 14583 hashes with 14583 different salts
The session can end by exhaustion (no more passwords, or no more candidates), or by interrupt (ctrl-c). Message is either:
2016-02-23T22:17:06+0100 2 0:01:33:09 Session completed
or
2016-02-24T11:03:47+0100 4 0:00:38:22 Session aborted
I would like to be able to track down and compare efficiency of different sessions. Each session has different parameters that can be read from the header ("Command line:" and other header log lines).
Efficiency can be measured as the number of "Cracked" in a given period of time. Difficulty for me is to make a timechart , chart, or stats calculation for each session from a single Splunk request so everything is displayed on one graph/chart.
I've started investigating transactions, that's quite easy with a first line containing "Starting a new session" and the last containing "Session *ted". But it seems I can't work inside a transaction to create timechart.
Any hint?
... View more
09-24-2014
01:03 PM
2 Karma
I've found a very interesting blog post dealing with this exact same question. The approach is smart: instead of using a time window, the request calculates the speed needed to move from one location to another. It simplifies the process a lot.
http://www.sedward5.com/detecting-credential-theft-using-splunk-geographic-information
Now I just need to learn how to create an alert based on query result.
... View more
09-22-2014
01:56 PM
1 Karma
Hello,
I'm a SPLUNK beginner and I would need some help finding a way to achieve my goal.
I gather various login events: user login on the SSO web portal, POP/IMAP access, SSH login, etc. Each kind of event comes from a different source, but for every one I get a timestamp, a user login, and an IP address.
I would like to be able to detect when:
the same user login is used from two (or more) locations,
far from each other (say 500km),
in a given time window (say 5 hours).
I've found similar interests in calculation of distance between events here on splunk>answers, but none goes as far as what I need. The calculation itself is only one aspect. I'm confident SPLUNK can handle this, but I'm not sure about the bigger picture. I have no idea how to proceed to create a dynamic time window for each successful user login, for example.
Ultimately I need the process to act as a real-time trigger for security alert.
I'm pretty sure it's very complex, and I don't expect a all-in-one solution. Any help is greatly appreciated.
... View more
