Struggling with getting filenames/extensions using...

MMargolis87 · ‎11-06-2017

I'm an analyst and have the following question:

Does anyone know how you would make a query which will provide filenames and extensions to look for potentially malicious extension headers which aren't what they say they are. I am developing use case content within Splunk and have access to bro, wineventlog and cisco related sourcetypes. I am by no means a splunk ninja but would like help figuring out how to show file headers within Splunk so I can do security analysis.

Thanks,
Max

koshyk · ‎11-07-2017

Not sure about the data you have. But if you know the list of malicious extensions you can do something like..

An example search if you are going to base on extension. Add your own extension list for risky files

|makeresults | eval string="hello hello. hello.csv hello.htm hello.html hello.shtml hello.csv /var/log/hello.htm.jpg hello.jpg.csv.htm hello.htm.js"| makemv string| rex field=string "(?<fullstring>.*\.(?:(?<problematicExtn>htm|html|class|js)$))?[^.]*$"

Also put as regex101

DalJeanis · ‎11-06-2017

When you refer to a file header, are you referring to the first few lines of the file that are being parsed by Splunk? Or are you referring to something like a java header?

Struggling with getting filenames/extensions using Splunk?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!