Re: How do you list source IPs that hit only two U...

aamer86 · ‎02-05-2019

We have WEB logs, and we need to isolate the source IPs that only (only) hit two URLs.

The fields are:

src for source IP
uri_path for hit URL

woodcock · ‎02-05-2019

Try this:

| tstats count FROM datamodel=Web WHERE index=* AND (Web.url="first/url" OR Web.url="second/url") BY Web.src

ccl0utier · ‎02-05-2019

Then this should do it:

<base search>
| stats values(uri_path) as uri_path by src
| where mvcount(uri_path) = 2 AND isnotnull(mvfind(uri_path, "^account\/logon$")) AND isnotnull(mvfind(uri_path, "^member\/savedcard"))
| stats count by src

You can substitute stats with tstats if uri_path is an indexed field. YMMV.

aamer86 · ‎02-05-2019

Thanks but this is really slow search using transaction

can we have something to be used with tstats and Data Model

ccl0utier · ‎02-05-2019

I've updated my answer to reflect that. Should be faster/more flexible.

ccl0utier · ‎02-05-2019

So, something like:

<base search here>
| stats distinct_count(uri_path) as distinct_uri_count by src
| where distinct_uri_count = 2

?

aamer86 · ‎02-05-2019

Thanks but I need to get the list of IPs that hit two URLs
account/XYz and account/ABC

ccl0utier · ‎02-05-2019

You can add values(src) to the stats command then?

Or am I misunderstanding completely? Do you mean these URIs only? Specific ones?

aamer86 · ‎02-05-2019

sorry I think I should have explained it better

so we need to get all the IPs that ONLY hit two urls

account/logon
member/savedcard

As this has been detected as an attack pattern

So i need the IPs that hit only these two URLs

How do you list source IPs that hit only two URLs in WEB source types?

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team