Splunk Search

Show events with certain frequency

ernestpoon
New Member

Hi guys, I have an Apache log (with only few information) and I would like to find out the possible events related to brute force password attack.

I am considering to find the login page access records which happened rapidly within three seconds. For example (just an example), if there are the following events:

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:20:36 -0700] "GET /config.php HTTP/1.0" 200 2326 "http://www.example.com/dashboard.php"
127.0.0.1 - frank [10/Oct/2000:13:10:00 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"

The result will be:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"

What should the code be?
I will be able to count the number of password attack occur and plot a time chart showing the attack pattern, after solving this problem.
Thanks.

0 Karma

dkeck
Influencer

HI,

did you try to use | timechart count span=3s ? This will give you a lot of spikes in timechart graph but it will group your events in a 3 s intervall. You should only use this with a short time periode

0 Karma

mayurr98
Super Champion

Hi can you try this :

Number of Password Attacks:

index=<your_index> | rex field=_raw "\s"(GET|POST|DELETE|UPDATE)\s\/(?<Access>[^\.]+)" | search Access=login | stats count as "Password Attacks"

Plotting it in Timechart:

index=<your_index> | rex field=_raw "\s"(GET|POST|DELETE|UPDATE)\s\/(?<Access>[^\.]+)" | search Access=login | timechart span=3s count as "Password Attacks"

change span according to your need.
let me know if this helps!

0 Karma

ernestpoon
New Member

Hi, thank you for your advice. timechart span=3s count as "Password Attacks" is useful! However, it seems that the rex part has some mistakes so there's an error telling me "Search Factory: Unknown search command 'post'."

0 Karma

mayurr98
Super Champion

Try this :

index=<your_index> | rex field=_raw "\s\"GET\s\/(?<Access>[^\.]+)" | search Access=login | timechart span=3s count as "Password Attacks"
0 Karma

ernestpoon
New Member

The error disappeared. But no result is shown.
I am now trying specify the url_path instead of using regular expression. However, I cannot save the timechart to a dashboard. Do you know why?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...