Check if substring exist in array of strings

Hi Team,

I have a problem with an array of strings. My goal is to detect whether this string:

attack-sqli

exists in an array like this:

"audit_data":{
      "messages":[
         "Warning. detected XSS using libinjection. [file \"/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"58\"] [id \"941100\"] [msg \"XSS Attack Detected via libinjection\"] [data \"Matched Data: XSS data found within ARGS:s: <script>alert(1)</script>\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-xss\"] [tag \"OWASP_CRS/WEB_ATTACK/XSS\"] [tag \"WASCTC/WASC-8\"] [tag \"WASCTC/WASC-22\"] [tag \"OWASP_TOP_10/A3\"] [tag \"OWASP_AppSensor/IE1\"] [tag \"CAPEC-242\"]",
         "Warning. Pattern match \"(?i)<script[^>]*>[\\\\s\\\\S]*?\" at REQUEST_HEADERS:Referer. [file \"/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"88\"] [id \"941110\"] [msg \"XSS Filter - Category 1: Script Tag Vector\"] [data \"Matched Data: <script> found within REQUEST_HEADERS:Referer: http://localhost/tecnologie-web/Progetto/php/user/login.php?q=pass' OR 1 = 1 --&query=pass2' AND 1=1 --&s=<script>alert(1)</script>\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-xss\"] [tag \"OWASP_CRS/WEB_ATTACK/XSS\"] [tag \"WASCTC/WASC-8\"] [tag \"WASCTC/WASC-22\"] [tag \"OWASP_TOP_10/A3\"] [tag \"OWASP_AppSensor/IE1\"] [tag \"CAPEC-242\"]",
         "Warning. Pattern match \"(?i:(?:<\\\\w[\\\\s\\\\S]*[\\\\s\\\\/]|['\\\"](?:[\\\\s\\\\S]*[\\\\s\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange ...\" at ARGS:s. [file \"/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] [line \"212\"] [id \"941160\"] [msg \"NoScript XSS InjectionChecker: HTML Injection\"] [data \"Matched Data: <script found within ARGS:s: <script>alert(1)</script>\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-xss\"] [tag \"OWASP_CRS/WEB_ATTACK/XSS\"] [tag \"WASCTC/WASC-8\"] [tag \"WASCTC/WASC-22\"] [tag \"OWASP_TOP_10/A3\"] [tag \"OWASP_AppSensor/IE1\"] [tag \"CAPEC-242\"]",
         "Warning. detected SQLi using libinjection with fingerprint 's&1c' [file \"/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"66\"] [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: s&1c found within ARGS:q: pass' OR 1 = 1 --\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS/WEB_ATTACK/SQL_INJECTION\"] [tag \"WASCTC/WASC-19\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/CIE1\"] [tag \"PCI/6.5.2\"]",
         "Warning. detected SQLi using libinjection with fingerprint 's&(Ef' [file \"/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"66\"] [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: s&(Ef found within ARGS:username: test@test.it' AND (SELECT LENGTH(database()))=9 -- \"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"**attack-sqli**\"] [tag \"OWASP_CRS/WEB_ATTACK/SQL_INJECTION\"] [tag \"WASCTC/WASC-19\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/CIE1\"] [tag \"PCI/6.5.2\"]",
         "Warning. detected SQLi using libinjection with fingerprint 's&1c' [file \"/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"66\"] [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: s&1c found within ARGS:password: test@test.it' AND 1=1 -- \"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS/WEB_ATTACK/SQL_INJECTION\"] [tag \"WASCTC/WASC-19\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/CIE1\"] [tag \"PCI/6.5.2\"]",
         "Warning. Pattern match \"(?i:\\\\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\\\\.\\\\.sysdatabases|ysql\\\\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\\\\b|s(?:(?:ys(?:\\\\.database_name|aux)|qlite(?:_tem ...\" at ARGS:username. [file \"/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"101\"] [id \"942140\"] [msg \"SQL Injection Attack: Common DB Names Detected\"] [data \"Matched Data: database( found within ARGS:username: test@test.it' AND (SELECT LENGTH(database()))=9 -- \"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS/WEB_ATTACK/SQL_INJECTION\"] [tag \"WASCTC/WASC-19\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/CIE1\"] [tag \"PCI/6.5.2\"]",
         "Warning. Pattern match \"(?i:(?:[\\\"'`](?:;?\\\\s*?(?:having|select|union)\\\\b\\\\s*?[^\\\\s]|\\\\s*?!\\\\s*?[\\\"'`\\\\w])|(?:c(?:onnection_id|urrent_user)|database)\\\\s*?\\\\([^\\\\)]*?|u(?:nion(?:[\\\\w(\\\\s]*?select| select @)|ser\\\\s*?\\\\([^\\\\)]*?)|s(?:chema\\\\s*?\\\\([^\\\\)]*?|elect.*?\\\\w?user\\\\()|in ...\" at ARGS:username. [file \"/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"185\"] [id \"942190\"] [msg \"Detects MSSQL code execution and information gathering attempts\"] [data \"Matched Data: database( found within ARGS:username: test@test.it' AND (SELECT LENGTH(database()))=9 -- \"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS/WEB_ATTACK/SQL_INJECTION\"] [tag \"WASCTC/WASC-19\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/CIE1\"] [tag \"PCI/6.5.2\"]"
          ...
      ]

I tried this code in my filter:

if "attack-sqli" in [audit_data][messages]{
   mutate {
      add_field => { "SQLi" => "true" }
   }
}

after this

if [audit_data][messages] =~ "/attack-sqli/" {
   mutate {
      add_field => { "SQLi_detcted" => "true" }
   }
}

and also this

ruby {
   code => "
      event.get('[audit_data][messages]').each do |item|
         if item =~ '/attack-sqli/'
            event.set('SQLi', 'true')
         end
      end
   "
}

but none of these work.
What am I doing wrong?

Thanks in advance,
Mattia

When using =~ in Logstash, it will not iterate over the members of an array, and the regexp should not be quoted. So this would work:

if [audit_data][messages][5] =~ /attack-sqli/ {

Your Ruby version is almost right, except again, the regexp must not be quoted:

if item =~ /attack-sqli/

Thank you so much for your answer.
I will use the solution with Ruby because the array changes, but now Ruby throws this exception:

[2019-08-22T14:15:42,815][ERROR][logstash.filters.ruby    ] Ruby exception occurred: undefined method `each' for nil:NilClass

How can I solve it?

Thanks again,
Mattia

That is telling you that there are events that do not contain [audit_data][messages]. Add a test to the Ruby filter:

msgs = event.get('[audit_data][messages]')
if msgs
    msgs.each do |item|
...
    end
end
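The two answers above (unquoted regexp, iterate the array yourself, guard against events that lack the field) can be exercised outside Logstash. The following is an added example and not code from the thread or from Logstash: the Event class is a minimal stand-in for LogStash::Event that only supports the `[a][b]` field-reference syntax used here (an assumption for running stand-alone), and the ModSecurity messages are constructed, shortened copies of the ones posted. It also shows a stricter variant that parses the `[tag "..."]` entries rather than substring-matching the whole message, so a tag name appearing inside the matched request data does not count as a hit.

```ruby
# Added example (not the poster's or Logstash's code). Simulates the ruby{}
# filter logic from the answers against constructed ModSecurity audit messages.

# Minimal stand-in for LogStash::Event (assumption): get/set with Logstash
# field references such as '[audit_data][messages]' or a bare 'SQLi'.
class Event
  def initialize(data)
    @data = data
  end

  def get(ref)
    path(ref).reduce(@data) do |node, key|
      return nil unless node.is_a?(Hash)   # missing parent => field absent
      node[key]
    end
  end

  def set(ref, value)
    keys = path(ref)
    node = keys[0..-2].reduce(@data) { |n, k| n[k] ||= {} }
    node[keys.last] = value
  end

  def to_h
    @data
  end

  private

  def path(ref)
    keys = ref.scan(/\[([^\]]+)\]/).flatten
    keys.empty? ? [ref] : keys
  end
end

# Constructed sample messages, shortened from the ones in the question.
SAMPLE_MESSAGES = [
  'Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "58"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:s: <script>alert(1)</script>"] [severity "CRITICAL"] [tag "application-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"]',
  'Warning. detected SQLi using libinjection with fingerprint \'s&1c\' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:q: pass\' OR 1 = 1 --"] [severity "CRITICAL"] [tag "application-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]',
]

# Exactly the accepted answer: nil-guard, iterate the array, unquoted regexp.
# Returns the event so the caller can inspect it.
def flag_sqli(event)
  msgs = event.get('[audit_data][messages]')
  return event unless msgs              # avoids "undefined method `each' for nil"
  msgs.each do |item|
    if item =~ /attack-sqli/            # regexp literal, not the string '/attack-sqli/'
      event.set('SQLi', 'true')
      break                             # one hit is enough
    end
  end
  event
end

TAG_RE = /\[tag "([^"]+)"\]/
ID_RE  = /\[id "(\d+)"\]/

# Stricter variant: extract the [tag "..."] and [id "..."] entries from each
# message so the check is on the tag itself, not on any substring of the line.
def annotate_modsec(event)
  msgs = event.get('[audit_data][messages]')
  return event unless msgs.is_a?(Array)
  tags = msgs.flat_map { |m| m.scan(TAG_RE).flatten }.uniq
  ids  = msgs.flat_map { |m| m.scan(ID_RE).flatten }.uniq
  event.set('[modsec][tags]', tags)
  event.set('[modsec][rule_ids]', ids)
  event.set('SQLi', 'true') if tags.include?('attack-sqli')
  event.set('XSS', 'true')  if tags.include?('attack-xss')
  event
end

if __FILE__ == $0
  ev = Event.new('audit_data' => { 'messages' => SAMPLE_MESSAGES })
  annotate_modsec(flag_sqli(ev))
  p ev.to_h.reject { |k, _| k == 'audit_data' }
  p flag_sqli(Event.new('message' => 'no audit section')).to_h
end
```

To use either function in a pipeline, paste the body of `flag_sqli` or `annotate_modsec` into the `code => "..."` string of a `ruby {}` filter; the `event.get`/`event.set` calls are the same ones the thread already uses, and the nil guard is what stops the filter from raising on events that carry no audit_data section.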

Thank you so much again :grinning:
Have a good day!

Mattia
