Modsecurity Log Grok Filter

I made a grok filter with this condition, but nothing shows up in the grok debugger. The log format is the ModSecurity audit log.
(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) [%{LOGLEVEL:severity}] %{POSINT:pid}#%{NUMBER:threadid}: *%{NUMBER:connectionid} %{GREEDYDATA:attack}, client: %{IP:client}, server: %{GREEDYDATA:server}

Showing an example of that would be helpful to match it with your grok.

---vnLs12ze---A--
[14/Nov/2020:09:36:42 +0700] 1605321402 192.168.101.254 53704 192.168.223.22 443
---vnLs12ze---B--
GET /favicon.ico HTTP/1.1
Host: opr.pt-ssss.com
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Referer: https://opr.pt-ssss.com/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%22
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

---vnLs12ze---D--

---vnLs12ze---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx/1.19.2</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---vnLs12ze---F--
HTTP/1.1 403
Server: nginx/1.19.2
Date: Sat, 14 Nov 2020 02:36:42 GMT
Content-Length: 555
Content-Type: text/html
Connection: keep-alive
Strict-Transport-Security: max-age=63072000

---vnLs12ze---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `REQUEST_HEADERS:Referer' (Value: `https://opr.pt-ssss.com/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%22' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "68"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within REQUEST_HEADERS:Referer: https://opr.pt-ssss.com/?q="><script>alert(1)</script>""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "192.168.223.22"] [uri "/favicon.ico"] [unique_id "1605321402"] [ref "o29,8v341,69t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `REQUEST_HEADERS:Referer' (Value: `https://opr.pt-ssss.com/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%22' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "205"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within REQUEST_HEADERS:Referer: https://opr.pt-ssss.com/?q="><script>alert(1)</script>""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "192.168.223.22"] [uri "/favicon.ico"] [unique_id "1605321402"] [ref "o29,7v341,69t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.223.22"] [uri "/favicon.ico"] [unique_id "1605321402"] [ref ""]

---vnLs12ze---I--

---vnLs12ze---J--

---vnLs12ze---Z--

Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:

Ok, sorry, I have formatted my code in the question.


Thanks!

Just to be clear, that entire block of code above is one log entry?

Yes, it is one log entry.

Yikes, that's pretty unfriendly.

Ok you will need to use a multiline codec on your input to create a single line entry you can more easily grok. You should be able to match that on the ---vnLs12ze---Z-- pattern, as it seems to repeat (bar the last letter).

This is in JSON format:

{"transaction":{"client_ip":"192.168.101.85","time_stamp":"Fri Nov 20 09:46:01 2020","server_id":"5dc7f7ecb861cb00b5644894e1ab67235e99ba3c","client_port":49738,"host_ip":"192.168.75.22","host_port":443,"unique_id":"1605840361","request":{"method":"GET","http_version":1.1,"uri":"/favicon.ico","headers":{"Host":"sample.domain.com","Sec-Fetch-Mode":"no-cors","Sec-Fetch-Dest":"image","Connection":"keep-alive","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36","Accept":"image/avif,image/webp,image/apng,image/*,*/*;q=0.8","Sec-Fetch-Site":"same-origin","Referer":"https://sample.domain.com/?q=%22%3E%3Cscript%3Ealert(1fffsadasccc)%3C/script%3E%22","Accept-Encoding":"gzip, deflate, br","Accept-Language":"en-GB,en-US;q=0.9,en;q=0.8"}},"response":{"body":"<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx/1.19.2</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n","http_code":403,"headers":{"Server":"nginx/1.19.2","Date":"Fri, 20 Nov 2020 02:46:01 GMT","Content-Length":"555","Content-Type":"text/html","Connection":"keep-alive","Strict-Transport-Security":"max-age=63072000"}},"producer":{"modsecurity":"ModSecurity v3.0.4 (Linux)","connector":"ModSecurity-nginx v1.0.1","secrules_engine":"Enabled","components":["OWASP_CRS/3.2.0\""]},"messages":[{"message":"XSS Filter - Category 1: Script Tag Vector","details":{"match":"Matched \"Operator `Rx' with parameter `(?i)<script[^>]*>[\\s\\S]*?' against variable `REQUEST_HEADERS:Referer' (Value: `https://sample.domain.com/?q=%22%3E%3Cscript%3Ealert(1fffsadasccc)%3C/script%3E%22' )","reference":"o29,8v341,80t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls","ruleId":"941110","file":"/usr/local/nginx/conf/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf","lineNumber":"68","data":"Matched Data: <script> found within REQUEST_HEADERS:Referer: https://sample.domain.com/?q=\"><script>alert(1fffsadasccc)</script>\"","severity":"2","ver":"OWASP_CRS/3.2.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-xss","paranoia-level/1","OWASP_CRS","OWASP_CRS/WEB_ATTACK/XSS","WASCTC/WASC-8","WASCTC/WASC-22","OWASP_TOP_10/A3","OWASP_AppSensor/IE1","CAPEC-242"],"maturity":"0","accuracy":"0"}},{"message":"NoScript XSS InjectionChecker: HTML Injection","details":{"match":"Matched \"Operator `Rx' with parameter `(?i:(?:<\\w[\\s\\S]*[\\s\\/]|['\\\"](?:[\\s\\S]*[\\s\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `REQUEST_HEADERS:Referer' (Value: `https://sample.domain.com/?q=%22%3E%3Cscript%3Ealert(1fffsadasccc)%3C/script%3E%22' )","reference":"o29,7v341,80t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls","ruleId":"941160","file":"/usr/local/nginx/conf/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf","lineNumber":"205","data":"Matched Data: <script found within REQUEST_HEADERS:Referer: https://sample.domain.com/?q=\"><script>alert(1fffsadasccc)</script>\"","severity":"2","ver":"OWASP_CRS/3.2.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-xss","paranoia-level/1","OWASP_CRS","OWASP_CRS/WEB_ATTACK/XSS","WASCTC/WASC-8","WASCTC/WASC-22","OWASP_TOP_10/A3","OWASP_AppSensor/IE1","CAPEC-242"],"maturity":"0","accuracy":"0"}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 10)","details":{"match":"Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' )","reference":"","ruleId":"949110","file":"/usr/local/nginx/conf/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf","lineNumber":"80","data":"","severity":"2","ver":"OWASP_CRS/3.2.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-generic"],"maturity":"0","accuracy":"0"}}]}}

Oh, so you can make it a json format too? That's heaps easier as you can just use the json codec!
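Both suggestions in this thread, grouping the serial audit log on the `---vnLs12ze---Z--` terminator before extracting fields, and taking the JSON format instead, as an added Python example rather than anyone's Logstash configuration: it splits serial entries on the section markers (the multiline step), pulls the `[key "value"]` pairs out of the H section the way a grok or kv filter would, and flattens the JSON form to the same record. The function names, the abridged samples, and the rule-id heuristic for `blocked` in the JSON form are this example's own assumptions, not part of the thread.

```python
"""Normalise ModSecurity v3 audit entries, serial and JSON format, to one flat record.
Added example (a Python stand-in for the multiline/grok and json-codec steps); all
sample data below is constructed and abridged from the entries posted in the thread."""
import json
import re

# "---<id>---<letter>--" opens a section; the Z marker closes the whole entry,
# which is the line a multiline codec would key on.
BOUNDARY_RE = re.compile(r"^---(?P<id>[0-9A-Za-z]+)---(?P<section>[A-Z])--\s*$")
# Section A: "[14/Nov/2020:09:36:42 +0700] <unique_id> <client> <cport> <host> <hport>"
SECTION_A_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] (?P<unique_id>\S+) (?P<client_ip>\S+) "
    r"(?P<client_port>\d+) (?P<host_ip>\S+) (?P<host_port>\d+)$"
)
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+$")
STATUS_LINE_RE = re.compile(r"^HTTP/[\d.]+ (?P<http_code>\d{3})")
# Section H pairs: [key "value"]. The value is matched lazily up to '"]' because
# CRS writes unescaped quotes inside [data "..."]; a [^"]* match would drop that pair.
H_PAIR_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>.*?)"\]')

def split_serial_entries(lines):
    """Yield one {section_letter: [lines]} dict per audit entry (the multiline step)."""
    entry, current = {}, None
    for line in lines:
        m = BOUNDARY_RE.match(line)
        if m and m["section"] == "Z":
            yield entry
            entry, current = {}, None
        elif m:
            current = m["section"]
            entry[current] = []
        elif current is not None and line.strip():
            entry[current].append(line.rstrip())

def parse_h_line(line):
    """Parse one 'ModSecurity: ...' line; repeated [tag "..."] pairs become a list."""
    rec = {"tags": [], "denied": line.startswith("ModSecurity: Access denied")}
    for key, value in H_PAIR_RE.findall(line):
        if key == "tag":
            rec["tags"].append(value)
        else:
            rec[key] = value
    return rec

def normalize_serial(entry):
    """Flatten one serial entry into the same shape normalize_json produces."""
    a = SECTION_A_RE.match(entry["A"][0]).groupdict()
    req = REQUEST_LINE_RE.match(entry["B"][0]).groupdict()
    status = STATUS_LINE_RE.match(entry["F"][0]) if entry.get("F") else None
    msgs = [parse_h_line(l) for l in entry.get("H", []) if l.startswith("ModSecurity:")]
    return {
        "unique_id": a["unique_id"], "client_ip": a["client_ip"], "host_ip": a["host_ip"],
        "method": req["method"], "uri": req["uri"],
        "http_code": int(status["http_code"]) if status else None,
        "rule_ids": [m["id"] for m in msgs], "messages": [m["msg"] for m in msgs],
        "blocked": any(m["denied"] for m in msgs),
    }

def normalize_json(doc):
    """Flatten one JSON-format entry (what the json codec hands to Logstash)."""
    t = json.loads(doc)["transaction"]
    msgs = t.get("messages", [])
    return {
        "unique_id": t["unique_id"], "client_ip": t["client_ip"], "host_ip": t["host_ip"],
        "method": t["request"]["method"], "uri": t["request"]["uri"],
        "http_code": t["response"]["http_code"],
        "rule_ids": [m["details"]["ruleId"] for m in msgs],
        "messages": [m["message"] for m in msgs],
        # The JSON form carries no "Access denied" text; this example (an assumption)
        # treats the CRS blocking-evaluation rule id seen in the thread as the marker.
        "blocked": any(m["details"]["ruleId"] == "949110" for m in msgs),
    }

# Constructed sample: the thread's serial entry, abridged to a few lines per section.
SERIAL_SAMPLE = r"""---vnLs12ze---A--
[14/Nov/2020:09:36:42 +0700] 1605321402 192.168.101.254 53704 192.168.223.22 443
---vnLs12ze---B--
GET /favicon.ico HTTP/1.1
Host: opr.pt-ssss.com
---vnLs12ze---F--
HTTP/1.1 403
---vnLs12ze---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `REQUEST_HEADERS:Referer' (Value: `https://opr.pt-ssss.com/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%22' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "68"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within REQUEST_HEADERS:Referer: https://opr.pt-ssss.com/?q="><script>alert(1)</script>""] [severity "2"] [tag "attack-xss"] [tag "OWASP_CRS"] [hostname "192.168.223.22"] [uri "/favicon.ico"] [unique_id "1605321402"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [tag "attack-generic"] [hostname "192.168.223.22"] [uri "/favicon.ico"] [unique_id "1605321402"]
---vnLs12ze---Z--
"""
# Constructed sample: the thread's JSON entry, reduced to the fields used above.
JSON_SAMPLE = json.dumps({"transaction": {
    "client_ip": "192.168.101.85", "host_ip": "192.168.75.22", "unique_id": "1605840361",
    "request": {"method": "GET", "uri": "/favicon.ico"}, "response": {"http_code": 403},
    "messages": [
        {"message": "XSS Filter - Category 1: Script Tag Vector", "details": {"ruleId": "941110"}},
        {"message": "Inbound Anomaly Score Exceeded (Total Score: 10)", "details": {"ruleId": "949110"}},
    ]}})

def demo():
    """Normalise both constructed samples; returns (serial_records, json_record)."""
    serial = [normalize_serial(e) for e in split_serial_entries(SERIAL_SAMPLE.splitlines())]
    return serial, normalize_json(JSON_SAMPLE)
```

The point worth carrying over to a real grok is the `[data "..."]` pair: the CRS message in the thread contains `?q="><script>alert(1)</script>"` inside the quotes, so a pattern like `\[data "%{DATA:data}"\]` that stops at the first quote mismatches that entry, while matching lazily up to `"]` keeps it. The JSON path avoids the problem entirely, which is why the json codec is the easier route.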

Ok, thanks for your help. I will try.