Re: Show events with certain frequency

ernestpoon · ‎01-23-2019

Hi guys, I have an Apache log (with only few information) and I would like to find out the possible events related to brute force password attack.

I am considering to find the login page access records which happened rapidly within three seconds. For example (just an example), if there are the following events:

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:20:36 -0700] "GET /config.php HTTP/1.0" 200 2326 "http://www.example.com/dashboard.php"
127.0.0.1 - frank [10/Oct/2000:13:10:00 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"

The result will be:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"

What should the code be?
I will be able to count the number of password attack occur and plot a time chart showing the attack pattern, after solving this problem.
Thanks.

dkeck · ‎01-24-2019

HI,

did you try to use | timechart count span=3s ? This will give you a lot of spikes in timechart graph but it will group your events in a 3 s intervall. You should only use this with a short time periode

mayurr98 · ‎01-24-2019

Hi can you try this :

Number of Password Attacks:

index=<your_index> | rex field=_raw "\s"(GET|POST|DELETE|UPDATE)\s\/(?<Access>[^\.]+)" | search Access=login | stats count as "Password Attacks"

Plotting it in Timechart:

index=<your_index> | rex field=_raw "\s"(GET|POST|DELETE|UPDATE)\s\/(?<Access>[^\.]+)" | search Access=login | timechart span=3s count as "Password Attacks"

change span according to your need.
let me know if this helps!

ernestpoon · ‎01-24-2019

Hi, thank you for your advice. timechart span=3s count as "Password Attacks" is useful! However, it seems that the rex part has some mistakes so there's an error telling me "Search Factory: Unknown search command 'post'."

mayurr98 · ‎01-24-2019

Try this :

index=<your_index> | rex field=_raw "\s\"GET\s\/(?<Access>[^\.]+)" | search Access=login | timechart span=3s count as "Password Attacks"

ernestpoon · ‎01-25-2019

The error disappeared. But no result is shown.
I am now trying specify the url_path instead of using regular expression. However, I cannot save the timechart to a dashboard. Do you know why?

Show events with certain frequency

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk