Test for field name containing special characters

I want to test a field name to see if it contains a "%" character and drop it if it does. I do a KV on web logs, and we regularly see threat actors trying to escape application logic with long strings in the URI, e.g.
burpcollaborator.net%2f%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%.

I see lots of ruby options for string manipulation on the contents of fields, but not on names of fields.

You can do this in ruby...

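ruby {
    code => '
        event.to_hash.each { |k, v|
            # Derive the new field name, e.g. strip every "%" from it
            newk = k.gsub(/%/, "")
            # Only rename fields whose name actually changed and is still non-empty
            if newk != k && !newk.empty?
                event.remove(k)
                event.set(newk, v)
            end
        }
    '
}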

Did you want to drop the %, or drop the entire field whose name contains %?

If the field name has a % in it, drop the field.

OK, change the body of the .each to

        if k.include? "%"
            event.remove(k)
        end
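The same check run outside Logstash, as an added example that is not part of the original thread: a plain Ruby Hash stands in for the event, `drop_percent_fields!` is a hypothetical helper, and the sample event is constructed. It goes beyond the answer above by also descending into nested hashes (such as the container the kv filter fills when its `target` option is set) and by returning the dropped names so they can be logged or tagged.

```ruby
# Added example: a plain Hash stands in for the Logstash event (assumption).
# drop_percent_fields! is a hypothetical helper, not part of Logstash.

# Removes every field whose *name* contains "%", at any nesting depth.
# Returns the dotted paths of the removed fields so the drop stays visible.
def drop_percent_fields!(fields, path = [], dropped = [])
  fields.delete_if do |name, value|
    if name.to_s.include?("%")
      dropped << (path + [name]).join(".")
      true                      # delete this field, value and all
    else
      # Keep the field, but clean any nested hash it holds
      drop_percent_fields!(value, path + [name], dropped) if value.is_a?(Hash)
      false
    end
  end
  dropped
end

# Constructed sample of a kv-parsed web log event: two normal fields, one
# field name made of URL-encoded padding, and one nested under "kv".
def sample_event
  {
    "clientip" => "203.0.113.7",
    "user"     => "alice",
    "burpcollaborator.net%2f%20%20" => "x",
    "kv"       => { "id" => "42", "ref%2f%20" => "y" }
  }
end

if __FILE__ == $0
  event = sample_event
  dropped = drop_percent_fields!(event)
  puts "kept:    #{event.inspect}"
  puts "dropped: #{dropped.inspect}"
end
```

Inside a ruby filter the top level is handled by the `event.remove(k)` loop shown above; the recursion only matters when the parsed keys live under a nested field.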

I am trying that out now.
