I'm an analyst and have the following question:
Does anyone know how you would make a query which will provide filenames and extensions to look for potentially malicious extension headers which aren't what they say they are. I am developing use case content within Splunk and have access to bro, wineventlog and cisco related sourcetypes. I am by no means a splunk ninja but would like help figuring out how to show file headers within Splunk so I can do security analysis.
Thanks,
Max
Not sure about the data you have. But if you know the list of malicious extensions you can do something like..
An example search if you are going to base on extension. Add your own extension list for risky files
|makeresults | eval string="hello hello. hello.csv hello.htm hello.html hello.shtml hello.csv /var/log/hello.htm.jpg hello.jpg.csv.htm hello.htm.js"| makemv string| rex field=string "(?<fullstring>.*\.(?:(?<problematicExtn>htm|html|class|js)$))?[^.]*$"
Also put as regex101
When you refer to a file header, are you referring to the first few lines of the file that are being parsed by Splunk? Or are you referring to something like a java header?