Here is the original message; I see that not all of its fields are being ingested or indexed.
root@siem:/var/log/modsec# cat /var/log/modsec/modsec_audit.log | jq '.'
{
"transaction": {
"client_ip": "1.38.140.197",
"time_stamp": "Fri Jun 24 18:12:43 2022",
"server_id": "0e733d4796f338eb99386e5c5f6fa28091c4a6f4",
"client_port": 22530,
"host_ip": "143.110.185.133",
"host_port": 443,
"unique_id": "1656074563",
"request": {
"method": "GET",
"http_version": 2,
"uri": "/services.html",
"body": "",
"headers": {
"sec-fetch-user": "?1",
"sec-ch-ua": "\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"102\", \"Google Chrome\";v=\"102\"",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36",
"sec-fetch-site": "same-origin",
"sec-ch-ua-platform": "\"Windows\"",
"referer": "https://www.isecurenet.in/become_partner.html",
"upgrade-insecure-requests": "1",
"sec-ch-ua-mobile": "?0",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"sec-fetch-dest": "document",
"sec-fetch-mode": "navigate",
"host": "www.isecurenet.in",
"accept-encoding": "gzip, deflate, br",
"cookie": "Path=/",
"accept-language": "en-US,en;q=0.9,mr;q=0.8"
}
},
"response": {
"body": "▒▒\u0007",
"http_code": 403,
"headers": {
"Vary": "Accept-Encoding",
"ETag": "\"96818a5d414d71:0\"",
"Last-Modified": "Mon, 08 Mar 2021 10:18:21 GMT",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"Accept-Ranges": "bytes",
"Referrer-Policy": "no-referrer-when-downgrade",
"Connection": "close",
"Content-Encoding": "br",
"X-Powered-By": "ASP.NET",
"Content-Type": "text/html",
"/etc/nginx/mime.types": "",
"Content-Length": "7698",
"Date": "Fri, 24 Jun 2022 12:42:43 GMT",
"Server": "applox-waf",
"X-Powered-By-Plesk": "PleskWin",
"include": "",
"X-Content-Type-Options": "nosniff",
"X-XSS-Protection": "1; mode=block",
"Set-Cookie": "Path=/; HttpOnly; Secure",
"X-Frame-Options": "SAMEORIGIN"
}
},
"producer": {
"modsecurity": "ModSecurity v3.0.4 (Linux)",
"connector": "ModSecurity-nginx v1.0.1",
"secrules_engine": "Enabled",
"components": [
"OWASP_CRS/3.3.0\""
]
},
"messages": [
{
"message": "PHP source code leakage",
"details": {
"match": "Matched \"Operator `Rx' with parameter `(?:\\x1f\\x8b\\x08|\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|gif)|B(?:%pdf|\\.ra)\\b|^wOF[F2])' against variable `RESPONSE_BODY' (Value: `\\x8b\\xff\\x07\\x00\\x80\\xaa\\xaa\\xaa\\xea\\xff,\\x06`\\x87\\xbb\\xa6\\x06@\\\\xca\\xcd\\xcd=3+\\xab2]U\\xab==,\\xa2\\x1 (22094 characters omitted)' )",
"reference": "o4829,2v722,7698v722,7698",
"ruleId": "953120",
"file": "/etc/nginx/modsec/coreruleset-3.3.0/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf",
"lineNumber": "83",
"data": "Matched Data: <? found within RESPONSE_BODY: ▒▒\u0007",
"severity": "3",
"ver": "OWASP_CRS/3.3.0",
"rev": "",
"tags": [
"application-multi",
"language-php",
"platform-multi",
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/118/116",
"PCI/6.5.6"
],
"maturity": "0",
"accuracy": "0"
}
},
{
"message": "Outbound Anomaly Score Exceeded (Total Score: 4)",
"details": {
"match": "Matched \"Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' )",
"reference": "",
"ruleId": "959100",
"file": "/etc/nginx/modsec/coreruleset-3.3.0/rules/RESPONSE-959-BLOCKING-EVALUATION.conf",
"lineNumber": "68",
"data": "",
"severity": "0",
"ver": "OWASP_CRS/3.3.0",
"rev": "",
"tags": [
"anomaly-evaluation"
],
"maturity": "0",
"accuracy": "0"
}
}
]
}
}
And here is the JSON document as ingested into Elastic:
{
"_index": "filebeat-7.17.4-2022.06.12-000001",
"_type": "_doc",
"_id": "l-MenoEBTs91iFRd6kw9",
"_version": 1,
"_score": 1,
"_source": {
"@timestamp": "2022-06-26T03:47:14.122Z",
"agent": {
"ephemeral_id": "3d09e9b8-47c1-4eaa-9294-8a88bfd6c369",
"id": "e4753373-f3ff-4fd4-9304-92f7c333f887",
"name": "siem",
"type": "filebeat",
"version": "7.17.4",
"hostname": "siem"
},
"ecs": {
"version": "1.12.0"
},
"log": {
"offset": 0,
"file": {
"path": "/var/log/modsec/modsec_audit.log"
}
},
"transaction": {
"producer": {
"components": [
"OWASP_CRS/3.3.0\""
],
"modsecurity": "ModSecurity v3.0.4 (Linux)",
"connector": "ModSecurity-nginx v1.0.1",
"secrules_engine": "Enabled"
},
"unique_id": "1656074563",
"request": {
"uri": "/services.html",
"body": "",
"headers": {
"sec-ch-ua-platform": "\"Windows\"",
"sec-fetch-user": "?1",
"cookie": "Path=/",
"upgrade-insecure-requests": "1",
"accept-encoding": "gzip, deflate, br",
"referer": "https://www.xxxxx.in/become_partner.html",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"host": "www.xxxxx.in",
"sec-fetch-site": "same-origin",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36",
"sec-ch-ua-mobile": "?0",
"sec-fetch-dest": "document",
"sec-fetch-mode": "navigate",
"accept-language": "en-US,en;q=0.9,mr;q=0.8",
"sec-ch-ua": "\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"102\", \"Google Chrome\";v=\"102\""
},
"method": "GET",
"http_version": 2
},
"server_id": "0e733d4796f338eb99386e5c5f6fa28091c4a6f4",
"client_port": 22530,
"time_stamp": "Fri Jun 24 18:12:43 2022",
"response": {
"http_code": 403,
"headers": {
"include": "",
"X-XSS-Protection": "1; mode=block",
"Set-Cookie": "Path=/; HttpOnly; Secure",
"Last-Modified": "Mon, 08 Mar 2021 10:18:21 GMT",
"X-Frame-Options": "SAMEORIGIN",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"/etc/nginx/mime.types": "",
"Server": "applox-waf",
"ETag": "\"96818a5d414d71:0\"",
"Connection": "close",
"Vary": "Accept-Encoding",
"X-Powered-By": "ASP.NET",
"X-Powered-By-Plesk": "PleskWin",
"Referrer-Policy": "no-referrer-when-downgrade",
"Content-Type": "text/html",
"Accept-Ranges": "bytes",
"Content-Length": "7698",
"Content-Encoding": "br",
"Date": "Fri, 24 Jun 2022 12:42:43 GMT",
"X-Content-Type-Options": "nosniff"
},
"body": "▒▒\u0007"
},
"host_ip": "1.2.3.4",
"host_port": 443,
"client_ip": "1.38.140.197",
"messages": [
{
"details": {
"tags": [
"application-multi",
"language-php",
"platform-multi",
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/118/116",
"PCI/6.5.6"
],
"maturity": "0",
"data": "Matched Data: <? found within RESPONSE_BODY: ▒▒\u0007",
"match": "Matched \"Operator `Rx' with parameter `(?:\\x1f\\x8b\\x08|\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|gif)|B(?:%pdf|\\.ra)\\b|^wOF[F2])' against variable `RESPONSE_BODY' (Value: `\\x8b\\xff\\x07\\x00\\x80\\xaa\\xaa\\xaa\\xea\\xff,\\x06`\\x87\\xbb\\xa6\\x06@\\\\xca\\xcd\\xcd=3+\\xab2]U\\xab==,\\xa2\\x1 (22094 characters omitted)' )",
"ruleId": "953120",
"rev": "",
"accuracy": "0",
"lineNumber": "83",
"reference": "o4829,2v722,7698v722,7698",
"file": "/etc/nginx/modsec/coreruleset-3.3.0/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf",
"severity": "3",
"ver": "OWASP_CRS/3.3.0"
},
"message": "PHP source code leakage"
},
{
"message": "Outbound Anomaly Score Exceeded (Total Score: 4)",
"details": {
"tags": [
"anomaly-evaluation"
],
"match": "Matched \"Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' )",
"severity": "0",
"ruleId": "959100",
"file": "/etc/nginx/modsec/coreruleset-3.3.0/rules/RESPONSE-959-BLOCKING-EVALUATION.conf",
"data": "",
"ver": "OWASP_CRS/3.3.0",
"maturity": "0",
"accuracy": "0",
"lineNumber": "68",
"rev": "",
"reference": ""
}
}
]
},
"fields": {
"type": "waf"
},
"host": {
"ip": [
"192.168.5.110",
"2405:201:28:4bb6:20c:29ff:fe04:a164",
"fe80::20c:29ff:fe04:a164"
],
"mac": [
"00:0c:29:04:a1:64"
],
"hostname": "siem",
"architecture": "x86_64",
"name": "siem",
"os": {
"family": "debian",
"name": "Ubuntu",
"kernel": "5.4.0-110-generic",
"codename": "focal",
"type": "linux",
"platform": "ubuntu",
"version": "20.04.4 LTS (Focal Fossa)"
},
"id": "5cf1cb0c8ad649e3b847c7f5324c28cb",
"containerized": false
}
},
"fields": {
"transaction.request.uri": [
"/services.html"
],
"transaction.time_stamp": [
"Fri Jun 24 18:12:43 2022"
],
"transaction.server_id": [
"0e733d4796f338eb99386e5c5f6fa28091c4a6f4"
],
"transaction.messages.details.file": [
"/etc/nginx/modsec/coreruleset-3.3.0/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf",
"/etc/nginx/modsec/coreruleset-3.3.0/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"
],
"host.os.name.text": [
"Ubuntu"
],
"transaction.unique_id": [
"1656074563"
],
"transaction.response.headers.X-XSS-Protection": [
"1; mode=block"
],
"host.hostname": [
"siem"
],
"transaction.request.headers.cookie": [
"Path=/"
],
"transaction.response.headers.Last-Modified": [
"Mon, 08 Mar 2021 10:18:21 GMT"
],
"host.mac": [
"00:0c:29:04:a1:64"
],
"transaction.request.headers.sec-ch-ua": [
"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"102\", \"Google Chrome\";v=\"102\""
],
"transaction.messages.message": [
"PHP source code leakage",
"Outbound Anomaly Score Exceeded (Total Score: 4)"
],
"transaction.request.headers.sec-fetch-site": [
"same-origin"
],
"transaction.producer.secrules_engine": [
"Enabled"
],
"transaction.response.headers.include": [
""
],
"transaction.messages.details.tags": [
"application-multi",
"language-php",
"platform-multi",
"attack-disclosure",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/118/116",
"PCI/6.5.6",
"anomaly-evaluation"
],
"transaction.request.headers.sec-fetch-dest": [
"document"
],
"transaction.request.headers.sec-fetch-user": [
"?1"
],
"transaction.response.headers.X-Powered-By-Plesk": [
"PleskWin"
],
"host.os.version": [
"20.04.4 LTS (Focal Fossa)"
],
"transaction.response.headers./etc/nginx/mime.types": [
""
],
"transaction.messages.details.ruleId": [
"953120",
"959100"
],
"host.os.name": [
"Ubuntu"
],
"agent.name": [
"siem"
],
"host.name": [
"siem"
],
"transaction.response.headers.Content-Type": [
"text/html"
],
"host.os.type": [
"linux"
],
"transaction.response.headers.ETag": [
"\"96818a5d414d71:0\""
],
"transaction.request.method": [
"GET"
],
"transaction.request.headers.upgrade-insecure-requests": [
"1"
],
"transaction.response.headers.Set-Cookie": [
"Path=/; HttpOnly; Secure"
],
"transaction.request.body": [
""
],
"transaction.request.headers.sec-fetch-mode": [
"navigate"
],
"transaction.messages.details.accuracy": [
"0",
"0"
],
"log.offset": [
0
],
"agent.hostname": [
"siem"
],
"transaction.host_port": [
443
],
"transaction.messages.details.maturity": [
"0",
"0"
],
"transaction.response.headers.X-Powered-By": [
"ASP.NET"
],
"host.architecture": [
"x86_64"
],
"agent.id": [
"e4753373-f3ff-4fd4-9304-92f7c333f887"
],
"transaction.request.headers.host": [
"www.xxxxx.in"
],
"ecs.version": [
"1.12.0"
],
"host.containerized": [
false
],
"agent.version": [
"7.17.4"
],
"host.os.family": [
"debian"
],
"transaction.request.headers.accept-language": [
"en-US,en;q=0.9,mr;q=0.8"
],
"transaction.response.body": [
"▒▒\u0007"
],
"transaction.producer.connector": [
"ModSecurity-nginx v1.0.1"
],
"transaction.client_port": [
22530
],
"transaction.request.headers.accept": [
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
],
"transaction.client_ip": [
"1.38.140.197"
],
"transaction.producer.components": [
"OWASP_CRS/3.3.0\""
],
"transaction.response.headers.Strict-Transport-Security": [
"max-age=31536000; includeSubDomains"
],
"transaction.response.headers.Content-Length": [
"7698"
],
"transaction.response.headers.Referrer-Policy": [
"no-referrer-when-downgrade"
],
"transaction.response.headers.Content-Encoding": [
"br"
],
"transaction.messages.details.lineNumber": [
"83",
"68"
],
"transaction.response.headers.Accept-Ranges": [
"bytes"
],
"host.ip": [
"192.168.5.110",
"2405:201:28:4bb6:20c:29ff:fe04:a164",
"fe80::20c:29ff:fe04:a164"
],
"transaction.response.headers.Vary": [
"Accept-Encoding"
],
"transaction.messages.details.match": [
"Matched \"Operator `Rx' with parameter `(?:\\x1f\\x8b\\x08|\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|gif)|B(?:%pdf|\\.ra)\\b|^wOF[F2])' against variable `RESPONSE_BODY' (Value: `\\x8b\\xff\\x07\\x00\\x80\\xaa\\xaa\\xaa\\xea\\xff,\\x06`\\x87\\xbb\\xa6\\x06@\\\\xca\\xcd\\xcd=3+\\xab2]U\\xab==,\\xa2\\x1 (22094 characters omitted)' )",
"Matched \"Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' )"
],
"agent.type": [
"filebeat"
],
"host.os.kernel": [
"5.4.0-110-generic"
],
"transaction.messages.details.data": [
"Matched Data: <? found within RESPONSE_BODY: ▒▒\u0007",
""
],
"transaction.request.headers.sec-ch-ua-mobile": [
"?0"
],
"transaction.request.http_version": [
2
],
"host.id": [
"5cf1cb0c8ad649e3b847c7f5324c28cb"
],
"transaction.request.headers.sec-ch-ua-platform": [
"\"Windows\""
],
"transaction.request.headers.referer": [
"https://www.xxxxx.in/become_partner.html"
],
"transaction.messages.details.ver": [
"OWASP_CRS/3.3.0",
"OWASP_CRS/3.3.0"
],
"transaction.messages.details.rev": [
"",
""
],
"transaction.request.headers.accept-encoding": [
"gzip, deflate, br"
],
"transaction.request.headers.user-agent": [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36"
],
"fields.type": [
"waf"
],
"host.os.codename": [
"focal"
],
"transaction.response.headers.Date": [
"Fri, 24 Jun 2022 12:42:43 GMT"
],
"transaction.messages.details.severity": [
"3",
"0"
],
"transaction.response.headers.Server": [
"applox-waf"
],
"@timestamp": [
"2022-06-26T03:47:14.122Z"
],
"transaction.messages.details.reference": [
"o4829,2v722,7698v722,7698",
""
],
"transaction.producer.modsecurity": [
"ModSecurity v3.0.4 (Linux)"
],
"host.os.platform": [
"ubuntu"
],
"transaction.response.http_code": [
403
],
"log.file.path": [
"/var/log/modsec/modsec_audit.log"
],
"transaction.host_ip": [
"1.2.3.4"
],
"agent.ephemeral_id": [
"3d09e9b8-47c1-4eaa-9294-8a88bfd6c369"
],
"transaction.response.headers.X-Content-Type-Options": [
"nosniff"
],
"transaction.response.headers.Connection": [
"close"
],
"transaction.response.headers.X-Frame-Options": [
"SAMEORIGIN"
]
}
}