Splunk Enterprise Security

SQL Injection Rule - Multivalue count with multiple statistical conditions

swright_rl
Explorer

Hi,

I'm trying to add an additional condition to this rule.

Currently it splits up the raw value from our web logs trying to find SQL injection, although I want to lower the number of commands it needs to alert, but add a count to where the src ip is greater than 5. And I can't seem to make it work.

The command below is what I currently have already:

index=foo  NOT src="10.0.0.0/8" NOT src="172.16.0.0/12" NOT src="192.168.0.0/16" | eval num_sql_cmds=mvcount(split(_raw, "alter%20table")) + mvcount(split(_raw, "between")) + mvcount(split(_raw, "create%20table")) + mvcount(split(_raw, "create%20database")) + mvcount(split(_raw, "create%20index")) + mvcount(split(_raw, "create%20view")) + mvcount(split(_raw, "delete")) + mvcount(split(_raw, "drop%20database")) + mvcount(split(_raw, "drop%20index")) + mvcount(split(_raw, "drop%20table")) + mvcount(split(_raw, "exists")) + mvcount(split(_raw, "exec")) + mvcount(split(_raw, "group%20by")) + mvcount(split(_raw, "having")) + mvcount(split(_raw, "insert%20into")) + mvcount(split(_raw, "inner%20join")) + mvcount(split(_raw, "left%20join")) + mvcount(split(_raw, "right%20join")) + mvcount(split(_raw, "full%20join")) + mvcount(split(_raw, "select")) + mvcount(split(_raw, "distinct")) + mvcount(split(_raw, "select%20top")) + mvcount(split(_raw, "union")) + mvcount(split(_raw, "xp_cmdshell")) + mvcount(split(_raw, "1=1")) -25 
| where num_sql_cmds >= 2

This is to eliminate if we see a single IP which hits on legitimate traffic. For example, the following uri will match the conditions but only had event in the logs, where an actual SQL injection would likely hit a number of times from the same IP.

 /Secure/Int/OnlineService/ReviewService/scripts/core/components/select-option/select-option.htm

Any help would be appreciated.

Thanks

0 Karma
1 Solution

to4kawa
Ultra Champion
index=foo   src!="10.0.0.0/8" src!="172.16.0.0/12" src!="192.168.0.0/16" 
| stats count(eval(searchmatch("alter%20table") OR searchmatch("between") OR ....))) as num_sql_cmds by src
| where num_sql_cmds >= 2

Hi, how about it?

View solution in original post

0 Karma

to4kawa
Ultra Champion
index=foo   src!="10.0.0.0/8" src!="172.16.0.0/12" src!="192.168.0.0/16" 
| stats count(eval(searchmatch("alter%20table") OR searchmatch("between") OR ....))) as num_sql_cmds by src
| where num_sql_cmds >= 2

Hi, how about it?

0 Karma

swright_rl
Explorer

That works great thank you! 🙂

0 Karma

to4kawa
Ultra Champion

your welcome, Happy Splunking.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...