In this recipe, you wrote a search to detect spoofed sessions. Essentially, the search looks for cases where a single session identifier (JSESSIONID) is associated with multiple client IP addresses over the given time range of 24 hours. In almost all cases, a session identifier will only come from a single client IP address, so a session that is seen from multiple IPs can very well indicate that the session has been spoofed. Results are only displayed where there is more than one client IP associated with a specific session.
Let's break down the search piece by piece:
| Search fragment | Description |
| --- | --- |
| `index=main sourcetype=access_combined` | You should now be familiar with this search from the earlier recipes. ... |
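The same detection logic, outside Splunk, as an added example that is not part of the original recipe: it parses constructed `access_combined`-style lines (assumed to carry the `JSESSIONID` value after the user-agent field), keeps only events inside a 24-hour window, and reports every session seen from more than one client IP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Regex for an access_combined line that carries the JSESSIONID value after
# the user-agent field (assumed layout for these constructed samples).
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "[^"]*".*?JSESSIONID=(?P<sid>[A-Za-z0-9]+)'
)

# Constructed sample events (not the recipe's data). "now" is fixed so that
# the 24-hour window is reproducible.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    # session AAA111: one client, two requests -> normal
    '10.0.0.5 - - [10/Mar/2024:08:01:10 +0000] "GET /cart HTTP/1.1" 200 512 "-" "Mozilla/5.0" JSESSIONID=AAA111',
    '10.0.0.5 - - [10/Mar/2024:08:02:30 +0000] "POST /checkout HTTP/1.1" 200 340 "-" "Mozilla/5.0" JSESSIONID=AAA111',
    # session BBB222: same id seen from two different clients -> suspicious
    '10.0.0.7 - - [10/Mar/2024:09:10:00 +0000] "GET /account HTTP/1.1" 200 900 "-" "Mozilla/5.0" JSESSIONID=BBB222',
    '203.0.113.9 - - [10/Mar/2024:09:15:45 +0000] "GET /account HTTP/1.1" 200 900 "-" "curl/8.0" JSESSIONID=BBB222',
    # session CCC333: second client IP is 30 hours old, outside the window -> ignored
    '198.51.100.4 - - [10/Mar/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 120 "-" "Mozilla/5.0" JSESSIONID=CCC333',
    '10.0.0.9 - - [09/Mar/2024:06:00:00 +0000] "GET / HTTP/1.1" 200 120 "-" "Mozilla/5.0" JSESSIONID=CCC333',
]


def parse_line(line):
    """Return (timestamp, session id, client ip), or None if the line has no session id."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("sid"), m.group("clientip")


def find_spoofed_sessions(lines, now=NOW, window=timedelta(hours=24)):
    """Map each session id seen from more than one client IP inside the window
    to the sorted list of those IPs (the "distinct client IPs > 1" condition)."""
    ips_by_session = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sid, ip = parsed
        if now - window <= ts <= now:
            ips_by_session[sid].add(ip)
    return {sid: sorted(ips) for sid, ips in ips_by_session.items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in find_spoofed_sessions(SAMPLE_LOGS).items():
        print(sid, len(ips), ", ".join(ips))
```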