Hello, I have installed DVWA on my XAMPP server and practiced some SQL attacks on DVWA. After that I typed the following in the Splunk search bar, but it's not showing any result.
index=dvwa_logs (error OR "SQL Injection" OR "SQL Error" OR "SQL syntax") OR (sourcetype=access_combined status=200 AND (search_field="*' OR 1=1 --" OR search_field="admin' OR '1'='1")) | stats count by source_ip, search_field, host
I have installed DVWA over XAMPP and done some cross-site scripting. Now I want to detect that malicious activity in my Splunk Enterprise.
I put in the following command:
index="dvwa_logs" host="DESKTOP-OKV6K44" sourcetype="access_combined" ("' or 1=1; --" OR "admin' OR '1'='1") | stats count by source_ip, uri, _time
But I am not getting any result.
The search you have posted is not valid - please share the actual search with minimal anonymisation. Please share in a code block </> to preserve spacing etc.
Here is the fresh code:
index="dvwa_logs" host="DESKTOP-OKV6K44" sourcetype="access_combined"
(" ' or 1=1; -- " OR " admin' OR '1'='1 ")
| stats count by source_ip, uri, _time
Still not working.
I have injected
' or 1=1; --
this in the input field.
What is it you are trying to do? What is the "' or 1=1; --" supposed to be doing? Please share some anonymised representative events so we can see what you are dealing with (amazingly, we don't have access to your systems or your data!)
The following code, 1' OR '1'='1'#, is the malicious code to get admin data and password. I want to find the anomaly that it causes in the log through Splunk search.
If you know when you injected it, can you find the raw event in the logs that Splunk has to see how it has been logged (then you'll know what to search for)?
I have installed a vulnerable web application on my Win 10 OS through XAMPP. Now I have set up my Splunk Enterprise to test the effect of various attacks on the target DVWA web application. or 1=1; -- this is a SQL injection attack.
I am a newbie, please help me to correct my code. I tried to correct it with ChatGPT. It said the code is OK.
OK That's funny! ChatGPT! No wonder you still have issues! 🤣
What is your question? (Subject "splunk" doesn't help narrow it down given that this is a community of Splunk users answering questions about Splunk-related issues!)
Please provide a description of what you are trying to achieve, some anonymised representative sample events, your current results from searches you have tried, and what your expected results would look like (with a description of the logic relating the sample events to the expected output, if appropriate).
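On the advice above to find the raw event and see how it was logged: the following is an added example, not part of the thread, showing that a payload typed into a GET form reaches a web access log percent-encoded, so searching for the typed text finds nothing while matching on the decoded parameter does. The log lines are constructed, and the URI path and the `id`/`Submit` parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access_combined lines (not from the thread). The URI path and the
# "id"/"Submit" parameter names are assumptions modelled on a GET form.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2023:13:56:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+or+1%3D1%3B+--+&Submit=Submit HTTP/1.1" 200 4390 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2023:13:56:40 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+OR+%271%27%3D%271%27%23&Submit=Submit HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Leading fields of an access_combined line: client, ident, user, [time], "request", status.
REQUEST = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# A quote followed by an OR tautology, matched against the *decoded* value.
TAUTOLOGY = re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.IGNORECASE)


def literal_search(lines, needle):
    """Raw substring match, standing in for searching the event text for the typed payload."""
    return [line for line in lines if needle in line]


def find_sqli(lines):
    """Decode each query parameter, then look for the tautology pattern."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not an access log line this parser understands
        query = urlsplit(m["uri"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if TAUTOLOGY.search(value):
                hits.append({"src": m["src"], "status": m["status"],
                             "param": name, "decoded": value})
    return hits


if __name__ == "__main__":
    print("literal matches:", len(literal_search(SAMPLE_LOG, "' or 1=1; --")))
    for hit in find_sqli(SAMPLE_LOG):
        print(hit)
```

Once the raw event is visible in Splunk, the search term has to match the form that actually appears there, which for these constructed lines is the percent-encoded string rather than the text typed into the form.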