Techniques
Sample rules
Path traversal SPL injection
- source: splunk
- techniques:
- T1083
Description
On May 3rd, 2022, Splunk published a security advisory for a path traversal in a search parameter that can potentially allow SPL injection. An attacker can cause the application to load data from incorrect endpoints or URLs, leading to outcomes such as running arbitrary SPL queries.
Detection logic
`path_traversal_spl_injection`
| search "\/..\/..\/..\/..\/..\/..\/..\/..\/..\/"
| stats count by host status clientip method uri_path uri_query
| `path_traversal_spl_injection_filter`
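
The same pipeline applied outside Splunk, as an added example that is not part of the original rule: it matches the nine-segment traversal literal from the search, groups hits by the fields in the `stats count by` clause, and applies an allowlist standing in for the filter macro. The log layout, sample events, endpoint path and allowlist are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The literal the rule searches for: nine consecutive "/.." segments.
TRAVERSAL = "/.." * 9 + "/"
# Assumed log layout for this example: host clientip "METHOD uri" status
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<clientip>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+)" (?P<status>\d{3})$')
FIELDS = ("host", "status", "clientip", "method", "uri_path", "uri_query")

# Constructed sample events (not from a real system; endpoint is a placeholder).
SAMPLE_LOG = "\n".join([
    'sh01 10.0.0.5 "GET /en-US/app/search/search?q=index%3Dmain" 200',
    f'sh01 10.0.0.9 "GET /en-US/app/search{TRAVERSAL}example/endpoint?output_mode=json" 200',
    f'sh01 10.0.0.9 "GET /en-US/app/search{TRAVERSAL}example/endpoint?output_mode=json" 200',
    'sh02 10.0.0.7 "GET /en-US/static/../img/logo.png" 404',
    f'sh02 10.0.0.250 "GET /en-US/app/search{TRAVERSAL}example/endpoint" 200',
    'malformed line that the parser skips',
])
# Hypothetical tuning list standing in for the *_filter macro.
ALLOWLISTED_CLIENTS = {"10.0.0.250"}  # e.g. an authorised scanner


def parse(line):
    """Return the event fields as a dict, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["raw_uri"] = event.pop("uri")
    parts = urlsplit(event["raw_uri"])
    event["uri_path"], event["uri_query"] = parts.path, parts.query
    return event


def detect(log_text, allowlist=ALLOWLISTED_CLIENTS):
    """Count matching events, grouped like the rule's `stats count by` clause."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse(line)
        # Single "../" hops (relative static paths) do not match the literal.
        if event is None or TRAVERSAL not in event["raw_uri"]:
            continue
        if event["clientip"] in allowlist:
            continue  # tuned out, as the filter macro would do
        counts[tuple(event[f] for f in FIELDS)] += 1
    return counts
```

Calling `detect(SAMPLE_LOG)` returns one grouped row for client 10.0.0.9 with a count of 2; passing `allowlist=set()` also surfaces the allowlisted client.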