immersive labs
153 Topics

Need help in Splunk Lab!
I am attempting the Splunk collection under Upskill. In the final lab, i.e. the Demonstrate your skill lab, I am getting stuck at a particular task. This is the prompt that I need to solve. The problem is there is no field for Destination IP in the log. Whenever I search according to the prompt, no results are returned and the question won't take 0 as an answer. Please help me move forward.
34 Views, 0 likes, 2 Comments

AI Agent Governance: Auditing an Over-Privileged Agent
Hi, I solved every task except 16. I reviewed metrolio-finance-agent-role, metrolio-finance-lambda-role and the trust relationship. I don't know what to do; I can't edit the trust policy either.

While reviewing the execution role in the IAM console, examine the role's configuration. Check the Trust relationships tab and review which services are permitted to assume this role. Now consider: if Metrolio deployed additional Bedrock agents for other departments (HR, customer service, procurement), and each agent assumed this same execution role, what would happen?

This means: Compromising one agent's permissions exposes the permissions of all agents sharing the role. AWS CloudTrail records the shared role ARN as the actor for every action – you can't determine which agent performed a specific action. Non-repudiation is destroyed.
Solved, 40 Views, 1 like, 3 Comments

Help with Cross Site Request Forgery (Twooter)
Hi folks, I'm having a hard time getting past the Cross Site Request Forgery lab - specifically I'm not sure what sort of payload I can use to obtain the username of the scraper. I can get their IP address using just a link and I've tried a range of scripts hosted on my machine which I then link to in my 'twoots' but there's no connection at all. I'd be really grateful for any direction as to the sort of payload that could capture the necessary information. Thanks, Jonathan
Solved, 291 Views, 0 likes, 5 Comments

AI: Plugin Injection - Demonstrate Your Skills
I cannot get the token.txt contents. I have tried:
1. The following command in many forms (head, less, cat):
2. Attempted the command many times in the same session. Get a response that is about the same as above.
3. Restarted the systems many times. Tried it many different days.
4. Listed out plugins through chat and do not see DirectoryListingPluginOld
Really would like to complete this lab. Thanks!
63 Views, 0 likes, 7 Comments

Ransomware: LockBit
I can't figure out what question 7 is looking for as the answer. I ensured I was looking at logs with an EventType of SetValue, I ensured it was LockBit.exe doing the event, but nothing I've tried from that works for the answer. Either I'm querying something wrong, or
27 Views, 0 likes, 1 Comment

AI: Plugin Injection – Demonstrate Your Skills
Hi, I have an issue/problem here. I found the flaw in DirectoryListingPluginOld that you can craft an argument that executes a 2nd command. But everything I try is rejected. With "&&" or ";" and then "less", "cat", "head". I even tried to escape the whole argument with "\\000" or "\\x00". I saw working solutions on Reddit, but they don't work for me. Even after multiple tries. Is it possible that the LLM is more secure regarding malicious prompts now? Thanks for a hint. BR
133 Views, 0 likes, 2 Comments

Netcat: Advanced Features last question (9)
I'm supposed to do a reverse bind using a netcat website. It hangs at the client and there is no feedback on the netcat website that the listener is working. I don't need the course; I was taking this one for fun, but fun it hasn't been.
48 Views, 0 likes, 2 Comments

Incident Response Introduction to Detection Engineering: Ep.5 – Custom Alerting
Task 3 - Note: It may take a couple of minutes for the token to appear in the index. I'm struggling with the Python that it's been taking too long to create a custom_alert_index to automatically complete it. It's in Task 3 and I need the good code for the task to be completed and the token as well.
73 Views, 1 like, 2 Comments

Snort Rules Ep.10 Q7
Stuck in Q7: Identify the suspicious domain that appears in both PCAP files. Create a Snort Rule to detect packets using this domain from the IP address in question 2. I've identified the domain used by the IP address in Q2. I've tried different ways but can't seem to narrow it down. Already spent so much time with this one question. I've answered 12 of 13. This is the only one left and I don't know what I'm missing. Am I misunderstanding the question? Here's my rule:

alert tcp any any -> any 80 (msg: "Testing Alert" ; sid:1000001; content:"7b2cdd48.ngrok.io";)

I've tried modifiers, I tried narrowing filter to just GET methods, actually specifying the destination or source IP and ports, adding "http://" to content. Sometimes I would narrow it down to matching 4 packets which is still "too many", or down to two packets, which is "not enough"... which tells me I need to match three packets. Any hints would be much appreciated at this point. Thanks!
37 Views, 0 likes, 1 Comment