Wildcard in URL finding base64

I need to filter on a double equals sign in the URL (*==) to detect base64 attacks.

I tried with the fields request_page, request_page.keyword and request_page.raw and nothing happens...

{
  "wildcard": {
    "request_page": "*==*"
  }
}

{
  "wildcard": {
    "request_page": "*=="
  }
}

or in the Kibana search bar:

request_page: *==
request_page: *"=="
request_page: *==

request_page.raw: *==
request_page.raw: *"=="
request_page.raw: *==

request_page.keyword: *==
request_page.keyword: *"=="
request_page.keyword: *==

All of these with raw and keyword too, analyzed and not analyzed.

What's the correct way to apply wildcard?

Here is an example of the string:

index.php/en/component/user/admin/Cms_Wysiwyg/directive/?forwarded=true&isIframe=true&___directive=e3tibG9jayB0eXBlPSJhZG1pbmh0bWwvcmVwb3J0X3NlYXJjaF9ncmlkIn19&filter=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

What is your mapping like?

BTW I'd probably use an edge n-gram analyzer which starts from the end with a size of 2.

Then I'd just use a match query with ==.
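The mapping and queries the reply above sketches, as an added example that is not part of the original thread or of Elasticsearch's own documentation. The index name weblogs, the analyzer name url_tail and the subfield request_page.tail are assumptions; request_page and request_page.keyword come from the question. Because the edge_ngram token filter's side=back option has been removed, the analyzer uses reverse + edge_ngram + reverse to get the last two characters of each value. The block also simulates offline what each field indexes, including one trap worth checking before blaming the wildcard syntax: a dynamically mapped .keyword subfield has ignore_above: 256, so a URL longer than 256 characters is never indexed there and no wildcard on .keyword can match it. The sample URLs are constructed.

```python
"""Added example, not code from the thread: match "==" in request_page via a
keyword subfield (wildcard) or an edge-n-gram-from-the-end field (match)."""
import fnmatch
import json

INDEX_NAME = "weblogs"  # assumption

INDEX_BODY = {
    "settings": {
        "analysis": {
            "filter": {
                # edge n-gram of exactly 2 characters; combined with reverse
                # before and after it yields the LAST two characters of the value
                "last_two_chars": {"type": "edge_ngram", "min_gram": 2, "max_gram": 2}
            },
            "analyzer": {
                "url_tail": {  # assumed name
                    "tokenizer": "keyword",  # whole URL is one token
                    "filter": ["reverse", "last_two_chars", "reverse"],
                }
            },
        }
    },
    "mappings": {
        "properties": {
            "request_page": {
                "type": "text",
                "fields": {
                    # raise ignore_above above the dynamic default of 256 so long
                    # URLs are actually indexed and wildcard can match them
                    "keyword": {"type": "keyword", "ignore_above": 8192},
                    "tail": {"type": "text", "analyzer": "url_tail"},  # assumed name
                },
            }
        }
    },
}


def wildcard_query(pattern: str) -> dict:
    """Wildcard on the keyword subfield: '*==' = ends with ==, '*==*' = contains ==."""
    return {"query": {"wildcard": {"request_page.keyword": {"value": pattern}}}}


def tail_match_query() -> dict:
    """Match query on the n-gram field: a plain term lookup, no leading-wildcard scan."""
    return {"query": {"match": {"request_page.tail": "=="}}}


# --- offline simulation of what each field would index -------------------

def url_tail_tokens(value: str) -> list:
    """Tokens the url_tail analyzer emits: keyword -> reverse -> edge_ngram(2,2) -> reverse."""
    rev = value[::-1]
    grams = [rev[:2]] if len(rev) >= 2 else []
    return [g[::-1] for g in grams]


def keyword_indexed(value: str, ignore_above: int) -> bool:
    """Keyword subfields silently skip values longer than ignore_above."""
    return len(value) <= ignore_above


def wildcard_hits(pattern: str, urls: list, ignore_above: int = 256) -> list:
    """Which sample URLs a wildcard on .keyword would return (ES uses only * and ?)."""
    return [u for u in urls if keyword_indexed(u, ignore_above) and fnmatch.fnmatchcase(u, pattern)]


def tail_hits(urls: list) -> list:
    """Which sample URLs match(request_page.tail: "==") would return."""
    return [u for u in urls if "==" in url_tail_tokens(u)]


# constructed sample URLs
LONG_URL = ("index.php/en/component/user/admin/Cms_Wysiwyg/directive/?forwarded=true"
            "&isIframe=true&___directive=" + "e3ti" * 80 + "==&filter=x")  # > 256 chars
SAMPLE_URLS = [
    "index.php?id=1",              # no base64 padding
    "index.php?data=YQ==",         # base64("a"): padding at the very end
    "index.php?d=YQ==&x=1",        # padding in the middle of the query string
    "index.php?token=YWRtaW4=",    # base64("admin"): single "=" only
    LONG_URL,                      # padding in the middle, too long for ignore_above 256
]

if __name__ == "__main__":
    print(json.dumps({"PUT": INDEX_NAME, "body": INDEX_BODY}, indent=2))
    print("wildcard *==* (ignore_above 256):", wildcard_hits("*==*", SAMPLE_URLS))
    print("wildcard *==* (ignore_above 8192):", wildcard_hits("*==*", SAMPLE_URLS, 8192))
    print("match tail ==:", tail_hits(SAMPLE_URLS))
```

Note the trade-off the simulation makes visible: the n-gram field only finds URLs that end in ==, while *==* on the keyword field also finds padding in the middle of the query string, at the cost of a leading-wildcard scan over every indexed term.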

So you suggest tokenizing the field in the mapping and using n-grams? Is there no way to make wildcard queries?

Maybe (probably) there is a way to do it, but I can't test at the moment. That said, a wildcard *xx is really insane to run in Elasticsearch. Just read what the wildcard query docs say...

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.