My nested JSON is not getting parsed correctly, need help please

Hi Folks,

Pertaining to my other thread, I am trying to parse my below message with Logstash; however, this is somehow not happening. Can someone please help me sort out the issue? Any hint is really appreciated.

Here is my original message -

{"transaction":{"client_ip":"192.168.5.76","time_stamp":"Thu Apr  2 15:16:01 2020","server_id":"023a162ad8c7afb2e1d2db424a6741ad78f46987","client_port":59975,"host_ip":"192.168.5.181","host_port":80,"unique_id":"158582076134.389397","request":{"method":"GET","http_version":1.1,"uri":"/testing/test?=../../../nahi/chalatay.shell","headers":{"Host":"192.168.5.181","Connection":"keep-alive","DNT":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36","Upgrade-Insecure-Requests":"1","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Accept-Encoding":"gzip, deflate","Accept-Language":"en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7"}},"response":{"body":"<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx/1.17.9</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n","http_code":403,"headers":{"Server":"nginx/1.17.9","Date":"Thu, 02 Apr 2020 09:46:01 GMT","Content-Length":"555","Content-Type":"text/html","Connection":"keep-alive"}},"producer":{"modsecurity":"ModSecurity v3.0.4 (Linux)","connector":"ModSecurity-nginx v1.0.1","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.168.5.181' )","reference":"o0,13v63,13","ruleId":"920350","file":"/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"777","data":"192.168.5.181","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}},{"message":"Path Traversal Attack (/../)","details":{"match":"Matched \"Operator `Rx' with parameter `(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5 (400 characters omitted)' against variable `REQUEST_URI_RAW' (Value: `/testing/test?=../../../nahi/chalatay.shell' )","reference":"o17,4v4,43","ruleId":"930100","file":"/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf","lineNumber":"29","data":"Matched Data: /../ found within REQUEST_URI_RAW: /testing/test?=../../../nahi/chalatay.shell","severity":"2","ver":"OWASP_CRS/3.0.0","rev":"3","tags":["application-multi","language-multi","platform-multi","attack-lfi","OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"],"maturity":"9","accuracy":"7"}},{"message":"Path Traversal Attack (/../)","details":{"match":"Matched \"Operator `Pm' with parameter `..\\ ../' against variable `REQUEST_URI' (Value: `/testing/test?=../../../nahi/chalatay.shell' )","reference":"o15,3v4,43","ruleId":"930110","file":"/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf","lineNumber":"55","data":"Matched Data: ../ found within REQUEST_URI: /testing/test?=../../../nahi/chalatay.shell","severity":"2","ver":"OWASP_CRS/3.0.0","rev":"1","tags":[],"maturity":"9","accuracy":"7"}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 13)","details":{"match":"Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' )","reference":"","ruleId":"949110","file":"/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf","lineNumber":"44","data":"","severity":"2","ver":"","rev":"","tags":["application-multi","language-multi","platform-multi","attack-generic"],"maturity":"0","accuracy":"0"}}]}}

And this is how it is appearing in Kibana:

{
  "_index": "logstash-2020.04.01-000001",
  "_type": "_doc",
  "_id": "pjAKOnEBYWrV-uU8_pzH",
  "_version": 1,
  "_score": null,
  "_source": {
    "path": "/var/log/modsec_audit.log",
    "type": "json",
    "@timestamp": "2020-04-02T08:38:51.205Z",
    "@version": "1",
    "host": "gw",
    "tags": [
      "_jsonparsefailure"
    ],
    "transaction": {
      "producer": {
        "modsecurity": "ModSecurity v3.0.4 (Linux)",
        "secrules_engine": "Enabled",
        "components": [
          "OWASP_CRS/3.0.2\""
        ],
        "connector": "ModSecurity-nginx v1.0.1"
      },
      "client_ip": "192.168.5.76",
      "host_port": 80,
      "response": {
        "body": "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx/1.17.9</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n",
        "http_code": 403,
        "headers": {
          "Content-Length": "555",
          "Date": "Thu, 02 Apr 2020 08:38:50 GMT",
          "Content-Type": "text/html",
          "Connection": "keep-alive",
          "Server": "nginx/1.17.9"
        }
      },
      "request": {
        "uri": "/submit?checking=../../../var/log",
        "http_version": 1.1,
        "headers": {
          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
          "Connection": "keep-alive",
          "Host": "192.168.5.181",
          "Upgrade-Insecure-Requests": "1",
          "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
          "Accept-Encoding": "gzip, deflate",
          "Accept-Language": "en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7",
          "DNT": "1"
        },
        "method": "GET"
      },
      "host_ip": "192.168.5.181",
      "time_stamp": "Thu Apr  2 14:08:50 2020",
      "server_id": "023a162ad8c7afb2e1d2db424a6741ad78f46987",
      "unique_id": "158581673013.574062",
      "messages": [
        {
          "message": "Host header is a numeric IP address",
          "details": {
            "tags": [
              "application-multi",
              "language-multi",
              "platform-multi",
              "attack-protocol",
              "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST",
              "WASCTC/WASC-21",
              "OWASP_TOP_10/A7",
              "PCI/6.5.10"
            ],
            "file": "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
            "match": "Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.168.5.181' )",
            "ruleId": "920350",
            "rev": "2",
            "severity": "4",
            "accuracy": "9",
            "reference": "o0,13v53,13",
            "lineNumber": "777",
            "maturity": "9",
            "data": "192.168.5.181",
            "ver": "OWASP_CRS/3.0.0"
          }
        },
        {
          "message": "Path Traversal Attack (/../)",
          "details": {
            "tags": [
              "application-multi",
              "language-multi",
              "platform-multi",
              "attack-lfi",
              "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"
            ],
            "file": "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf",
            "match": "Matched \"Operator `Rx' with parameter `(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5 (400 characters omitted)' against variable `REQUEST_URI_RAW' (Value: `/submit?checking=../../../var/log' )",
            "ruleId": "930100",
            "rev": "3",
            "severity": "2",
            "accuracy": "7",
            "reference": "o19,4v4,33",
            "lineNumber": "29",
            "maturity": "9",
            "data": "Matched Data: /../ found within REQUEST_URI_RAW: /submit?checking=../../../var/log",
            "ver": "OWASP_CRS/3.0.0"
          }
        },
        {
          "message": "Path Traversal Attack (/../)",
          "details": {
            "tags": [],
            "file": "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf",
            "match": "Matched \"Operator `Pm' with parameter `..\\ ../' against variable `REQUEST_URI' (Value: `/submit?checking=../../../var/log' )",
            "ruleId": "930110",
            "rev": "1",
            "severity": "2",
            "accuracy": "7",
            "reference": "o17,3v4,33",
            "lineNumber": "55",
            "maturity": "9",
            "data": "Matched Data: ../ found within REQUEST_URI: /submit?checking=../../../var/log",
            "ver": "OWASP_CRS/3.0.0"
          }
        },
        {
          "message": "Inbound Anomaly Score Exceeded (Total Score: 13)",
          "details": {
            "tags": [
              "application-multi",
              "language-multi",
              "platform-multi",
              "attack-generic"
            ],
            "file": "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
            "match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' )",
            "ruleId": "949110",
            "rev": "",
            "severity": "2",
            "accuracy": "0",
            "reference": "",
            "lineNumber": "44",
            "maturity": "0",
            "data": "",
            "ver": ""
          }
        }
      ],
      "client_port": 59035
    }
  },
  "fields": {
    "@timestamp": [
      "2020-04-02T08:38:51.205Z"
    ]
  },
  "sort": [
    1585816731205
  ]
}

So the message is not getting parsed after [transaction][messages].

It is completely unclear what you think is wrong with the parsed JSON.

I am sorry if that didn't clear up the issue. The message is not being parsed after [transaction][messages].

I want messages to be parsed after that. Would split help me here?

They are being parsed. [transaction][messages] is an array, so it will appear in Kibana as a single field. Yes, doing a split on [transaction][messages] might help if you are OK with having one event for each message.
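A pipeline that does what the reply above suggests, added here as an example and not taken from the thread or from any Elastic or ModSecurity project: it reads the audit log one JSON transaction per line, splits [transaction][messages] so that each CRS alert becomes its own event, and copies the rule id, message and severity to top-level fields that are easy to filter on in Kibana. The file path and `type` are the ones shown in the Kibana document above; the top-level field names, the Elasticsearch host, the index name and the timezone are my own assumptions.

```logstash
# Added example (not from the thread): one Logstash event per ModSecurity/CRS alert.
# Assumes the audit log is written in JSON format with one transaction per line.
input {
  file {
    path => "/var/log/modsec_audit.log"   # path shown in the Kibana document above
    type => "json"
    codec => "json"                        # parse each line as JSON at input time
    start_position => "beginning"
  }
}

filter {
  # The json codec tags an event _jsonparsefailure when a line is not valid JSON.
  # Such events are kept for inspection but skip the rest of the filter chain.
  if "_jsonparsefailure" not in [tags] {

    # [transaction][messages] is an array of CRS alerts. split clones the event
    # once per array element and replaces the array with that single element, so
    # after this block [transaction][messages] is one alert object per event.
    split {
      field => "[transaction][messages]"
    }

    # Promote the fields to filter and visualise on to top-level names.
    # The destination names (rule_id, rule_message, ...) are an assumption.
    mutate {
      copy => {
        "[transaction][messages][details][ruleId]"   => "rule_id"
        "[transaction][messages][message]"           => "rule_message"
        "[transaction][messages][details][severity]" => "rule_severity"
        "[transaction][client_ip]"                   => "client_ip"
        "[transaction][request][uri]"                => "request_uri"
      }
    }

    # Use the transaction time instead of the ingest time. The audit log pads a
    # single-digit day with two spaces ("Thu Apr  2 ..."), hence both patterns.
    # The timezone is an assumption; set it to the web server's local zone.
    date {
      match    => [ "[transaction][time_stamp]",
                    "EEE MMM dd HH:mm:ss yyyy",
                    "EEE MMM  d HH:mm:ss yyyy" ]
      timezone => "UTC"
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumption: local Elasticsearch
    index => "modsec-%{+YYYY.MM.dd}"     # assumption: daily index name
  }
}
```

For the transaction posted above this yields four events, one per entry in the messages array (rule ids 920350, 930100, 930110 and 949110), each still carrying the full transaction so the request and response context is not lost. The Kibana document above shows both a parsed transaction and a `_jsonparsefailure` tag on the same event; the conditional keeps such events rather than dropping them, so lines the codec could not parse remain visible for troubleshooting.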
