Hi guys,
I have a problem with grok; let me explain better.
Initially I have an array of strings like this:
..,"Warning. detected XSS using libinjection. [file \"/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"58\"] [id \"941100\"] [msg \"XSS Attack Detected via libinjection\"] [data \"Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-xss\"] [tag \"OWASP_CRS/WEB_ATTACK/XSS\"] [tag \"WASCTC/WASC-8\"] [tag \"WASCTC/WASC-22\"] [tag \"OWASP_TOP_10/A3\"] [tag \"OWASP_AppSensor/IE1\"] [tag \"CAPEC-242\"]",..
and this is my Logstash filter:
kv {
  source => "[audit_data][messages]"
  allow_duplicate_values => false
  value_split => " "
  #field_split_pattern => ". \["
  field_split_pattern => ". \["
  target => "kv"
}
grok {
  match => { "[kv][data]" => 'within %{DATA}:%{DATA}: %{DATA:m_data}' }
  tag_on_failure => ["Detect_SQLi_grok_fail"]
}
The result of kv is:
"kv" => {
  "data" => [
    [0] "application/x-www-form-urlencoded%27%20or%201%20%3d%203%20--%20",
    [1] "Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>",
    [2] "Matched Data: <script> found within ARGS:q: <script>alert(1)</script>",
    [3] "Matched Data: <script found within ARGS:q: <script>alert(1)</script>",
    [4] "Matched Data: s&1c found within REQUEST_COOKIES:PHPSESSID: 1m4qqvkeklb20fa8d0b11rbb8g' OR 1 = 4 --",
    [5] "Matched Data: s&1c found within REQUEST_HEADERS:User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' OR 1=6 --",
    [6] "Matched Data: s&1c found within ARGS:username: test@test.it' and 1=1 -- ",
    [7] "Matched Data: s&1c found within ARGS:password: pass' OR 1=2 -- "
  ],
  "tag" => [
    [ 0] "application-multi",
    [ 1] "language-multi",
    [ 2] "platform-multi",
    [ 3] "attack-protocol",
    [ 4] "OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE",
    [ 5] "WASCTC/WASC-20",
    [ 6] "OWASP_TOP_10/A1",
    [ 7] "OWASP_AppSensor/EE2",
    [ 8] "\"PCI/12.1\"]",
    [ 9] "attack-xss",
    [10] "OWASP_CRS/WEB_ATTACK/XSS",
    [11] "WASCTC/WASC-8",
    [12] "WASCTC/WASC-22",
    [13] "OWASP_TOP_10/A3",
    [14] "OWASP_AppSensor/IE1",
    [15] "\"CAPEC-242\"]",
    [16] "attack-sqli",
    [17] "OWASP_CRS/WEB_ATTACK/SQL_INJECTION",
    [18] "WASCTC/WASC-19",
    [19] "OWASP_AppSensor/CIE1",
    [20] "\"PCI/6.5.2\"]",
    [21] "\"attack-generic\"]",
    [22] "\"event-correlation\"]"
  ],..
I would like this result:
"m_data" => [
  [ 0] "<script>alert(1)</script>",
  [ 1] "1m4qqvkeklb20fa8d0b11rbb8g' OR 1 = 4 --",
  [ 2] "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' OR 1=6 --",
  [ 3] "test@test.it' and 1=1 -- ",
  [ 4] "pass' OR 1=2 -- "
]
but my grok fails...
Please, can you tell me why?
Thanks in advance,
Mattia
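An added example, not part of the original post: it parses a constructed ModSecurity CRS message into the same key/value lists the kv filter produces, then applies the regexes that grok's %{DATA} (lazy `.*?`) and %{GREEDYDATA} (`.*`) expand to, so the two captures of the trailing "m_data" field can be compared. The sample message and the function names are constructed for this illustration.

```python
import re

# Constructed sample, modelled on the CRS rule messages quoted in the post (not a real log line).
SAMPLE_MESSAGE = (
    'Warning. detected XSS using libinjection. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "58"] [id "941100"] [msg "XSS Attack Detected via libinjection"] '
    '[data "Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>"] '
    '[severity "CRITICAL"] [tag "application-multi"] [tag "attack-xss"]'
)

# One bracketed [key "value"] pair; a backslash-escaped quote inside the value is tolerated.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_message(message):
    """Return {key: [values...]} for every [key "value"] pair in a ModSecurity message.
    Repeated keys such as tag are kept as a list, like the kv filter's output."""
    fields = {}
    for key, value in FIELD_RE.findall(message):
        fields.setdefault(key, []).append(value)
    return fields


# grok expands %{DATA} to the lazy regex .*? and %{GREEDYDATA} to .* and does not
# anchor the pattern, so a trailing %{DATA:m_data} is free to match the empty string.
LAZY_RE = re.compile(r"within (?P<var>.*?):(?P<name>.*?): (?P<m_data>.*?)")
GREEDY_RE = re.compile(r"within (?P<var>.*?):(?P<name>.*?): (?P<m_data>.*)$")


def extract_m_data(values, pattern=GREEDY_RE):
    """Apply the pattern to each 'Matched Data' string and collect the m_data capture.
    Strings without 'within' (e.g. a raw Content-Type value) produce no match and are skipped."""
    return [m.group("m_data") for m in map(pattern.search, values) if m]
```

Running `extract_m_data` with `LAZY_RE` on the XSS string returns an empty capture, while `GREEDY_RE` returns the payload after the last ": ".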