Test for field name containing special characters

I want to test a field name to see if it contains a "%" character and drop it if it does. I do a KV on web logs, and we regularly see threat actors trying to escape application logic with long strings in the URI, e.g.
burpcollaborator.net%2f%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%.

I see lots of ruby options for string manipulation on the contents of fields, but not on names of fields.

You can do this in ruby...

ruby {
    code => '
         event.to_hash.each { |k, v|
               # Write some code here to modify k to newk. e.g newk = k.gsub(/%/, "")
               event.remove(k)
               event.set(newk, v)
         }
     '
}

Did you want to drop the %, or drop the entire field whose name contains %?

If the field name has a % in it, drop the field.

OK, change the body of the .each to

        if k.include? "%"
            event.remove(k)
        end

I am trying that out now.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.