Splunk Lantern

IP address attempting a brute force password attack

The origin of a brute force password attack can be important to know when working on the following use cases:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

A device on your network was hacked into with a brute force password attempt. You want to find out what IP address the attack originated from.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Splunk Stream. You can replace this source with any other web server data used in your organization.

  1. Run the following search:
     sourcetype=stream:http dest="<IP address receiving the request>" http_method=POST
  2. Expand any event to see all fields.
  3. In the form_data field, look at the format in which the username and password are provided. Use that format to write a wildcard search for this field and add it to the search.
     Example: If the log shows form_data username=admin&passwd=123abc, then a good search term is form_data=*username*passwd*

Stream requires special configuration. If you do not see the fields referenced in this procedure, see the Splunk Stream Installation and Configuration Manual on the Splunk documentation site.

  4. Add the following to the search and rerun it:
     |stats count BY src
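The procedure above, as an added example that is not code from Splunk Lantern: the filter-and-count logic of the finished search run in Python over constructed events shaped like Stream http records, with the Splunk field wildcard translated to an anchored regex. Field names src, dest, http_method and form_data follow the search; the addresses are documentation ranges chosen for the example.

```python
import re
from collections import Counter

# Constructed sample events shaped like Splunk Stream http records; not real captured traffic.
# All are assumed to be sourcetype=stream:http; form_data is empty when there was no form body.
SAMPLE_EVENTS = [
    {"src": "203.0.113.5", "dest": "10.0.0.8", "http_method": "POST", "form_data": "username=admin&passwd=123abc"},
    {"src": "203.0.113.5", "dest": "10.0.0.8", "http_method": "POST", "form_data": "username=admin&passwd=letmein"},
    {"src": "203.0.113.5", "dest": "10.0.0.8", "http_method": "POST", "form_data": "username=admin&passwd=Password1"},
    {"src": "203.0.113.5", "dest": "10.0.0.8", "http_method": "POST", "form_data": "username=root&passwd=toor"},
    {"src": "198.51.100.7", "dest": "10.0.0.8", "http_method": "POST", "form_data": "username=alice&passwd=correct-horse"},
    {"src": "203.0.113.5", "dest": "10.0.0.8", "http_method": "GET", "form_data": ""},
    {"src": "192.0.2.9", "dest": "10.0.0.9", "http_method": "POST", "form_data": "username=bob&passwd=x"},
    {"src": "192.0.2.9", "dest": "10.0.0.8", "http_method": "POST", "form_data": "q=search+term"},
]


def spl_wildcard_to_regex(pattern):
    """Translate a Splunk field wildcard (* matches any run of characters) into an anchored,
    case-insensitive regex, mirroring how field=value matches at search time."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.IGNORECASE)


def count_post_by_src(events, dest, form_data_pattern="*username*passwd*"):
    """Equivalent of: dest=<dest> http_method=POST form_data=<wildcard> | stats count BY src"""
    matcher = spl_wildcard_to_regex(form_data_pattern)
    counts = Counter()
    for event in events:
        # Keep only POSTs to the targeted host whose form body looks like a credential submission.
        if event.get("dest") != dest or event.get("http_method", "").upper() != "POST":
            continue
        if not matcher.match(event.get("form_data", "")):
            continue
        counts[event["src"]] += 1
    return counts


def likely_attack_source(counts):
    """The source with the most matching POSTs, or None when nothing matched."""
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    hits = count_post_by_src(SAMPLE_EVENTS, dest="10.0.0.8")
    for src, n in hits.most_common():
        print(f"{src:15} {n}")
    print("likely origin:", likely_attack_source(hits))
```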

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search                                  Explanation

sourcetype=stream:http                         Search only Stream http data.

dest=<IP address receiving the request>        Search data going to this IP address.

http_method=POST                               Search for requests pushed to the server. In this case, each request is a password that was pushed from the source.

form_data=<wildcard search>                    Return only results whose form_data matches your wildcard search.

|stats count BY src                            Count the number of times each source IP address appears.

Result

The source IP address with the most hits is most likely the one the brute force password attack originated from. You can use open source intelligence (OSINT) to find a domain name and other IP addresses associated with the one you found in the investigation.
