Hi,
I'm trying, with no success, to parse the ModSecurity JSON log. This is the output:
{
  "_index": "modsecurity-2021.03.17",
  "_type": "_doc",
  "_id": "oQRWQngB6w34lfYfAQp6",
  "_version": 1,
  "_score": null,
  "_source": {
    "@version": "1",
    "path": "none",
    "tags": [],
    "@timestamp": "2021-03-17T22:37:15.747Z",
    "host": "**************",
    "transaction": {
      "messages": [
        {
          "message": "HTTP Parameter Pollution (ARGS_NAMES)",
          "details": {
            "data": "Matched Data: TX:paramcounter_ARGS_NAMES found within MATCHED_VARS_NAMES:TX:paramcounter_ARGS_NAMES: TX:paramcounter_ARGS_NAMES",
            "ver": "OWASP_CRS/3.3.0",
            "maturity": "0",
            "rev": "",
            "accuracy": "0",
            "match": "Matched \"Operator `Rx' with parameter `TX:paramcounter_(.*)' against variable `MATCHED_VARS_NAMES:TX:paramcounter_ARGS_NAMES' (Value: `TX:paramcounter_ARGS_NAMES' )",
            "ruleId": "921180",
            "file": "/usr/share/modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf",
            "reference": "o0,26o16,10v544,26",
            "lineNumber": "330",
            "tags": [
              "application-multi",
              "language-multi",
              "platform-multi",
              "attack-protocol",
              "OWASP_CRS",
              "capec/1000/152/137/15/460",
              "paranoia-level/3"
            ],
            "severity": "2"
          }
        },
        {
          "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
          "details": {
            "data": "",
            "ver": "OWASP_CRS/3.3.0",
            "maturity": "0",
            "rev": "",
            "accuracy": "0",
            "match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )",
            "ruleId": "949110",
            "file": "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
            "reference": "",
            "lineNumber": "138",
            "tags": [
              "application-multi",
              "language-multi",
              "platform-multi",
              "attack-generic"
            ],
            "severity": "2"
          }
        },
        {
          "message": "The Application Returned a 500-Level Status Code",
          "details": {
            "data": "Matched Data: 503 found within RESPONSE_STATUS",
            "ver": "OWASP_CRS/3.3.0",
            "maturity": "0",
            "rev": "",
            "accuracy": "0",
            "match": "Matched \"Operator `Rx' with parameter `^5\\d{2}$' against variable `RESPONSE_STATUS' (Value: `503' )",
            "ruleId": "950100",
            "file": "/usr/share/modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf",
            "reference": "o0,3v544,3v544,3",
            "lineNumber": "96",
            "tags": [
              "application-multi",
              "language-multi",
              "platform-multi",
              "attack-disclosure",
              "PCI/6.5.6",
              "paranoia-level/2",
              "OWASP_CRS",
              "capec/1000/152"
            ],
            "severity": "3"
          }
        },
        {
          "message": "Outbound Anomaly Score Exceeded (Total Score: 4)",
          "details": {
            "data": "",
            "ver": "OWASP_CRS/3.3.0",
            "maturity": "0",
            "rev": "",
            "accuracy": "0",
            "match": "Matched \"Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' )",
            "ruleId": "959100",
            "file": "/usr/share/modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf",
            "reference": "",
            "lineNumber": "128",
            "tags": [
              "anomaly-evaluation"
            ],
            "severity": "0"
          }
        }
      ],
      "host_port": 80,
      "unique_id": "1615466172",
      "server_id": "30f8d8e5499258cee7faa1a3490f04a35729b37c",
      "request": {
        "method": "GET",
        "uri": "/o/frontend-css-web/main.css?browserId=firefox&themeId=classic_WAR_classictheme&minifierType=css&languageId=en_US&b=7102&t=1546901591742",
        "headers": {
          "Host": "*******************",
          "Accept": "text/css,*/*;q=0.1",
          "Connection": "keep-alive",
          "Referer": "http://*********************/",
          "Accept-Encoding": "gzip, deflate",
          "Accept-Language": "it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3",
          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0",
          "Cookie": "JSESSIONID=3C9F859C4DBC0C73164DBDE0CF202969; COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US"
        },
        "http_version": 1.1
      },
      "response": {
        "headers": {
          "Date": "Thu, 11 Mar 2021 12:36:12 GMT",
          "Connection": "keep-alive",
          "Server": "nginx/1.18.0",
          "Content-Length": "206",
          "Content-Type": "text/html"
        },
        "body": "<html>\r\n<head><title>503 Service Temporarily Unavailable</title></head>\r\n<body>\r\n<center><h1>503 Service Temporarily Unavailable</h1></center>\r\n<hr><center>nginx/1.18.0 (Ubuntu)</center>\r\n</body>\r\n</html>\r\n",
        "http_code": 403
      },
      "client_port": 64900,
      "producer": {
        "components": [
          "OWASP_CRS/3.3.0\""
        ],
        "secrules_engine": "Enabled",
        "modsecurity": "ModSecurity v3.0.4 (Linux)",
        "connector": "ModSecurity-nginx v1.0.1"
      },
      "client_ip": "****************",
      "time_stamp": "Thu Mar 11 13:36:12 2021",
      "host_ip": "******************"
    }
  },
  "fields": {
    "@timestamp": [
      "2021-03-17T22:37:15.747Z"
    ]
  },
  "sort": [
    1616020635747
  ]
}
The problem is related to what's inside the square brackets of "messages": I have no idea how to manage this array. I've read another post about using the foreach ingest processor, but I haven't found a way to solve this.
This is the output in Kibana:
Any idea?
Thanks
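The part of the document the post is stuck on is `transaction.messages`: one array element per CRS rule that fired on the transaction, with the rule metadata nested under `details`. Whatever pipeline you end up using (Logstash, an ingest pipeline with `foreach`, or a script), the shape of the work is the same: iterate the array, lift the fields you want to search on out of `details`, and attach the request-level context (client, URI, response code) to each flattened record so a single rule hit is searchable on its own. The following is an added example in Python, not code from the post or from any of the tools it mentions; it runs over a trimmed-down copy of the posted document (constructed here, with the masked client IP replaced by the documentation address 192.0.2.10) and shows the flattening plus two things a defender usually wants from this log: the inbound/outbound anomaly totals, and the list of rules that actually contributed to the score.

```python
import json
import re

# Constructed sample: a trimmed copy of the ModSecurity/Logstash document from
# the post above, keeping only the fields this example reads.
SAMPLE_DOC = json.loads(r'''
{
  "_source": {
    "@timestamp": "2021-03-17T22:37:15.747Z",
    "transaction": {
      "unique_id": "1615466172",
      "client_ip": "192.0.2.10",
      "request": {"method": "GET", "uri": "/o/frontend-css-web/main.css?browserId=firefox"},
      "response": {"http_code": 403},
      "messages": [
        {"message": "HTTP Parameter Pollution (ARGS_NAMES)",
         "details": {"ruleId": "921180", "severity": "2",
                     "file": "/usr/share/modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf",
                     "tags": ["attack-protocol", "OWASP_CRS", "paranoia-level/3"]}},
        {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
         "details": {"ruleId": "949110", "severity": "2",
                     "file": "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
                     "tags": ["attack-generic"]}},
        {"message": "The Application Returned a 500-Level Status Code",
         "details": {"ruleId": "950100", "severity": "3",
                     "file": "/usr/share/modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf",
                     "tags": ["attack-disclosure", "paranoia-level/2"]}},
        {"message": "Outbound Anomaly Score Exceeded (Total Score: 4)",
         "details": {"ruleId": "959100", "severity": "0",
                     "file": "/usr/share/modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf",
                     "tags": ["anomaly-evaluation"]}}
      ]
    }
  }
}
''')

# CRS blocking-evaluation rules: they report the total, they do not add to it.
EVALUATION_RULES = {"949110", "959100"}
SCORE_RE = re.compile(r"\(Total Score: (\d+)\)")
PARANOIA_RE = re.compile(r"^paranoia-level/(\d+)$")


def flatten_messages(doc):
    """Return one flat dict per transaction.messages entry, each carrying request context."""
    src = doc["_source"]
    tx = src["transaction"]
    base = {
        "@timestamp": src.get("@timestamp"),
        "unique_id": tx.get("unique_id"),
        "client_ip": tx.get("client_ip"),
        "method": tx.get("request", {}).get("method"),
        "uri": tx.get("request", {}).get("uri"),
        "http_code": tx.get("response", {}).get("http_code"),
    }
    records = []
    for msg in tx.get("messages", []):
        det = msg.get("details", {})
        tags = list(det.get("tags", []))
        paranoia = None
        for tag in tags:  # the paranoia level is only present as a tag
            m = PARANOIA_RE.match(tag)
            if m:
                paranoia = int(m.group(1))
        sev = det.get("severity")
        records.append(dict(
            base,
            rule_id=det.get("ruleId"),
            message=msg.get("message"),
            severity=int(sev) if sev not in (None, "") else None,
            rule_file=det.get("file"),
            tags=tags,
            paranoia_level=paranoia,
        ))
    return records


def anomaly_scores(doc):
    """Inbound/outbound totals, parsed from the evaluation rules' message text."""
    scores = {"inbound": None, "outbound": None}
    for rec in flatten_messages(doc):
        m = SCORE_RE.search(rec["message"] or "")
        if not m:
            continue
        if rec["rule_id"] == "949110":
            scores["inbound"] = int(m.group(1))
        elif rec["rule_id"] == "959100":
            scores["outbound"] = int(m.group(1))
    return scores


def triggering_rules(doc):
    """Rule IDs that contributed to the score, i.e. everything except the evaluation rules."""
    return [r["rule_id"] for r in flatten_messages(doc) if r["rule_id"] not in EVALUATION_RULES]


if __name__ == "__main__":
    for rec in flatten_messages(SAMPLE_DOC):
        print(json.dumps(rec))
    print(anomaly_scores(SAMPLE_DOC), triggering_rules(SAMPLE_DOC))
```

The same logic maps onto an Elasticsearch `foreach` processor over `transaction.messages`, with the per-element work being the body of the loop above; keeping one document per rule hit rather than one per transaction is what makes "all hits for rule 921180 from this client" a plain term query instead of a nested one.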