Analyze string arrays created by kv with grok

Hi guys,

I have a problem with grok; let me explain.
Initially I have an array of strings like this:

..,"Warning. detected XSS using libinjection. [file \"/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"58\"] [id \"941100\"] [msg \"XSS Attack Detected via libinjection\"] [data \"Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-xss\"] [tag \"OWASP_CRS/WEB_ATTACK/XSS\"] [tag \"WASCTC/WASC-8\"] [tag \"WASCTC/WASC-22\"] [tag \"OWASP_TOP_10/A3\"] [tag \"OWASP_AppSensor/IE1\"] [tag \"CAPEC-242\"]",..

and this is my Logstash filter:

kv {
    source => "[audit_data][messages]"
    allow_duplicate_values => false
    value_split => " "
    field_split_pattern => ". \["
    target => "kv"
}
grok {
    match => { "[kv][data]" => 'within %{DATA}:%{DATA}: %{DATA:m_data}' }
    tag_on_failure => ["Detect_SQLi_grok_fail"]
}

The result of kv is:

 "kv" => {
            "data" => [
            [0] "application/x-www-form-urlencoded%27%20or%201%20%3d%203%20--%20",
            [1] "Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>",
            [2] "Matched Data: <script> found within ARGS:q: <script>alert(1)</script>",
            [3] "Matched Data: <script found within ARGS:q: <script>alert(1)</script>",
            [4] "Matched Data: s&1c found within REQUEST_COOKIES:PHPSESSID: 1m4qqvkeklb20fa8d0b11rbb8g' OR 1 = 4 --",
            [5] "Matched Data: s&1c found within REQUEST_HEADERS:User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' OR 1=6 --",
            [6] "Matched Data: s&1c found within ARGS:username: test@test.it' and 1=1 -- ",
            [7] "Matched Data: s&1c found within ARGS:password: pass' OR 1=2 -- "
        ],
           "tag" => [
            [ 0] "application-multi",
            [ 1] "language-multi",
            [ 2] "platform-multi",
            [ 3] "attack-protocol",
            [ 4] "OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE",
            [ 5] "WASCTC/WASC-20",
            [ 6] "OWASP_TOP_10/A1",
            [ 7] "OWASP_AppSensor/EE2",
            [ 8] "\"PCI/12.1\"]",
            [ 9] "attack-xss",
            [10] "OWASP_CRS/WEB_ATTACK/XSS",
            [11] "WASCTC/WASC-8",
            [12] "WASCTC/WASC-22",
            [13] "OWASP_TOP_10/A3",
            [14] "OWASP_AppSensor/IE1",
            [15] "\"CAPEC-242\"]",
            [16] "attack-sqli",
            [17] "OWASP_CRS/WEB_ATTACK/SQL_INJECTION",
            [18] "WASCTC/WASC-19",
            [19] "OWASP_AppSensor/CIE1",
            [20] "\"PCI/6.5.2\"]",
            [21] "\"attack-generic\"]",
            [22] "\"event-correlation\"]"
        ],..

I would like this result:

"m_data" => [
                [ 0] "<script>alert(1)</script>",
                [ 1] "1m4qqvkeklb20fa8d0b11rbb8g' OR 1 = 4 --",
                [ 2] "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' OR 1=6 --",
                [ 3] "test@test.it' and 1=1 -- ",
                [ 4] "pass' OR 1=2 -- "   
]

but my grok fails.

Please, can you tell me why?

Thanks in advance,
Mattia

I've changed

match => { "[kv][data]" => 'within %{DATA}:%{DATA}: %{DATA:m_data}'}

to

match => { "[kv][data]" => 'within %{DATA}:%{DATA}: %{GREEDYDATA:m_data}'}

and it works!

Thanks
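An added example, not from the original thread: it emulates grok's DATA and GREEDYDATA patterns in Python and runs both match expressions from this thread over a few of the [kv][data] entries above, showing why a trailing %{DATA} captures nothing while %{GREEDYDATA} takes the rest of the line. It assumes the standard grok definitions DATA = .*? and GREEDYDATA = .* and grok's default of dropping empty captures (keep_empty_captures => false).

```python
import re

# Standard grok definitions from logstash-patterns-core (assumption: the only two
# patterns the thread's grok expressions use).
GROK_PATTERNS = {
    "DATA": r".*?",       # non-greedy: matches as little as possible
    "GREEDYDATA": r".*",  # greedy: matches to end of line
}

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} / %{NAME:field} references into a regex with named groups."""
    def expand(m):
        name, _, field = m.group(1).partition(":")
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{([^}]+)\}", expand, pattern)

def grok_match(pattern: str, text: str):
    """Emulate grok's unanchored search: captured fields, or None on no match."""
    m = re.search(grok_to_regex(pattern), text)
    return m.groupdict() if m else None

# Three of the [kv][data] elements from the question (constructed sample).
KV_DATA = [
    "application/x-www-form-urlencoded%27%20or%201%20%3d%203%20--%20",
    "Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>",
    "Matched Data: s&1c found within ARGS:password: pass' OR 1=2 -- ",
]

FAILING = "within %{DATA}:%{DATA}: %{DATA:m_data}"        # original expression
WORKING = "within %{DATA}:%{DATA}: %{GREEDYDATA:m_data}"  # fixed expression

def extract_m_data(pattern: str, entries, keep_empty_captures: bool = False):
    """Apply the pattern to each array element like grok does on an array field.

    Elements that do not match are skipped (grok would tag the event instead);
    empty captures are dropped unless keep_empty_captures is set, mirroring the
    grok filter's default, which is why m_data never appeared with %{DATA}.
    """
    out = []
    for entry in entries:
        fields = grok_match(pattern, entry)
        if fields is None:
            continue
        if fields["m_data"] or keep_empty_captures:
            out.append(fields["m_data"])
    return out
```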
