Hi Folks,
Following on from my other thread: I am trying to parse the message below with Logstash, but for some reason it is not being parsed. Could someone please help me sort out the issue? Any hint is greatly appreciated.
Here is my original message -
{"transaction":{"client_ip":"192.168.5.76","time_stamp":"Thu Apr 2 15:16:01 2020","server_id":"023a162ad8c7afb2e1d2db424a6741ad78f46987","client_port":59975,"host_ip":"192.168.5.181","host_port":80,"unique_id":"158582076134.389397","request":{"method":"GET","http_version":1.1,"uri":"/testing/test?=../../../nahi/chalatay.shell","headers":{"Host":"192.168.5.181","Connection":"keep-alive","DNT":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36","Upgrade-Insecure-Requests":"1","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Accept-Encoding":"gzip, deflate","Accept-Language":"en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7"}},"response":{"body":"<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx/1.17.9</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n","http_code":403,"headers":{"Server":"nginx/1.17.9","Date":"Thu, 02 Apr 2020 09:46:01 GMT","Content-Length":"555","Content-Type":"text/html","Connection":"keep-alive"}},"producer":{"modsecurity":"ModSecurity v3.0.4 (Linux)","connector":"ModSecurity-nginx v1.0.1","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.168.5.181' 
)","reference":"o0,13v63,13","ruleId":"920350","file":"/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"777","data":"192.168.5.181","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}},{"message":"Path Traversal Attack (/../)","details":{"match":"Matched \"Operator `Rx' with parameter `(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5 (400 characters omitted)' against variable `REQUEST_URI_RAW' (Value: `/testing/test?=../../../nahi/chalatay.shell' )","reference":"o17,4v4,43","ruleId":"930100","file":"/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf","lineNumber":"29","data":"Matched Data: /../ found within REQUEST_URI_RAW: /testing/test?=../../../nahi/chalatay.shell","severity":"2","ver":"OWASP_CRS/3.0.0","rev":"3","tags":["application-multi","language-multi","platform-multi","attack-lfi","OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"],"maturity":"9","accuracy":"7"}},{"message":"Path Traversal Attack (/../)","details":{"match":"Matched \"Operator `Pm' with parameter `..\\ ../' against variable `REQUEST_URI' (Value: `/testing/test?=../../../nahi/chalatay.shell' )","reference":"o15,3v4,43","ruleId":"930110","file":"/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf","lineNumber":"55","data":"Matched Data: ../ found within REQUEST_URI: /testing/test?=../../../nahi/chalatay.shell","severity":"2","ver":"OWASP_CRS/3.0.0","rev":"1","tags":[],"maturity":"9","accuracy":"7"}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 13)","details":{"match":"Matched \"Operator `Ge' with parameter `5' against variable 
`TX:ANOMALY_SCORE' (Value: `13' )","reference":"","ruleId":"949110","file":"/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf","lineNumber":"44","data":"","severity":"2","ver":"","rev":"","tags":["application-multi","language-multi","platform-multi","attack-generic"],"maturity":"0","accuracy":"0"}}]}}
And this is how it is appearing in Kibana
{
"_index": "logstash-2020.04.01-000001",
"_type": "_doc",
"_id": "pjAKOnEBYWrV-uU8_pzH",
"_version": 1,
"_score": null,
"_source": {
"path": "/var/log/modsec_audit.log",
"type": "json",
"@timestamp": "2020-04-02T08:38:51.205Z",
"@version": "1",
"host": "gw",
"tags": [
"_jsonparsefailure"
],
"transaction": {
"producer": {
"modsecurity": "ModSecurity v3.0.4 (Linux)",
"secrules_engine": "Enabled",
"components": [
"OWASP_CRS/3.0.2\""
],
"connector": "ModSecurity-nginx v1.0.1"
},
"client_ip": "192.168.5.76",
"host_port": 80,
"response": {
"body": "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx/1.17.9</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n",
"http_code": 403,
"headers": {
"Content-Length": "555",
"Date": "Thu, 02 Apr 2020 08:38:50 GMT",
"Content-Type": "text/html",
"Connection": "keep-alive",
"Server": "nginx/1.17.9"
}
},
"request": {
"uri": "/submit?checking=../../../var/log",
"http_version": 1.1,
"headers": {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
"Connection": "keep-alive",
"Host": "192.168.5.181",
"Upgrade-Insecure-Requests": "1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7",
"DNT": "1"
},
"method": "GET"
},
"host_ip": "192.168.5.181",
"time_stamp": "Thu Apr 2 14:08:50 2020",
"server_id": "023a162ad8c7afb2e1d2db424a6741ad78f46987",
"unique_id": "158581673013.574062",
"messages": [
{
"message": "Host header is a numeric IP address",
"details": {
"tags": [
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST",
"WASCTC/WASC-21",
"OWASP_TOP_10/A7",
"PCI/6.5.10"
],
"file": "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"match": "Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.168.5.181' )",
"ruleId": "920350",
"rev": "2",
"severity": "4",
"accuracy": "9",
"reference": "o0,13v53,13",
"lineNumber": "777",
"maturity": "9",
"data": "192.168.5.181",
"ver": "OWASP_CRS/3.0.0"
}
},
{
"message": "Path Traversal Attack (/../)",
"details": {
"tags": [
"application-multi",
"language-multi",
"platform-multi",
"attack-lfi",
"OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"
],
"file": "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf",
"match": "Matched \"Operator `Rx' with parameter `(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5 (400 characters omitted)' against variable `REQUEST_URI_RAW' (Value: `/submit?checking=../../../var/log' )",
"ruleId": "930100",
"rev": "3",
"severity": "2",
"accuracy": "7",
"reference": "o19,4v4,33",
"lineNumber": "29",
"maturity": "9",
"data": "Matched Data: /../ found within REQUEST_URI_RAW: /submit?checking=../../../var/log",
"ver": "OWASP_CRS/3.0.0"
}
},
{
"message": "Path Traversal Attack (/../)",
"details": {
"tags": [],
"file": "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf",
"match": "Matched \"Operator `Pm' with parameter `..\\ ../' against variable `REQUEST_URI' (Value: `/submit?checking=../../../var/log' )",
"ruleId": "930110",
"rev": "1",
"severity": "2",
"accuracy": "7",
"reference": "o17,3v4,33",
"lineNumber": "55",
"maturity": "9",
"data": "Matched Data: ../ found within REQUEST_URI: /submit?checking=../../../var/log",
"ver": "OWASP_CRS/3.0.0"
}
},
{
"message": "Inbound Anomaly Score Exceeded (Total Score: 13)",
"details": {
"tags": [
"application-multi",
"language-multi",
"platform-multi",
"attack-generic"
],
"file": "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' )",
"ruleId": "949110",
"rev": "",
"severity": "2",
"accuracy": "0",
"reference": "",
"lineNumber": "44",
"maturity": "0",
"data": "",
"ver": ""
}
}
],
"client_port": 59035
}
},
"fields": {
"@timestamp": [
"2020-04-02T08:38:51.205Z"
]
},
"sort": [
1585816731205
]
}
So the message is not being parsed beyond [transaction][messages].