Hi team,
First of all thanks for this awesome tool. I have a problem:
I'm trying to send Modsecurity's (JSON) logs to Elasticsearch through Filebeat and Logstash.
Log example:
{
...
"audit_data":{
"messages":[
"Warning. detected SQLi using libinjection with fingerprint 's&1c' [file \"/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"66\"] [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: s&1c found within ARGS:username: test@test.it' OR 1=1 -- \"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS/WEB_ATTACK/SQL_INJECTION\"] [tag \"WASCTC/WASC-19\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/CIE1\"] [tag \"PCI/6.5.2\"]",
"Warning. detected SQLi using libinjection with fingerprint 's&1c' [file \"/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"66\"] [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: s&1c found within ARGS:password: password' OR 1 = 1 -- \"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS/WEB_ATTACK/SQL_INJECTION\"] [tag \"WASCTC/WASC-19\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/CIE1\"] [tag \"PCI/6.5.2\"]",
"Warning. Operator GE matched 5 at TX:anomaly_score. [file \"/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"91\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 10)\"] [severity \"CRITICAL\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"]",
"Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file \"/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"86\"] [id \"980130\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0\"] [tag \"event-correlation\"]"
],
"error_messages":[
"[file \"apache2_util.c\"] [line 273] [level 3] [client 127.0.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file \"/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"66\"] [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: s&1c found within ARGS:username: test@test.it' OR 1=1 -- \"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS/WEB_ATTACK/SQL_INJECTION\"] [tag \"WASCTC/WASC-19\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/CIE1\"] [tag \"PCI/6.5.2\"] [hostname \"localhost\"] [uri \"/tecnologie-web/Progetto/php/ajax/userManager.php\"] [unique_id \"XVgURKQ96dKvEiKPlPz8iAAAAAo\"]",
"[file \"apache2_util.c\"] [line 273] [level 3] [client 127.0.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1c' [file \"/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"66\"] [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: s&1c found within ARGS:password: password' OR 1 = 1 -- \"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.1.0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-sqli\"] [tag \"OWASP_CRS/WEB_ATTACK/SQL_INJECTION\"] [tag \"WASCTC/WASC-19\"] [tag \"OWASP_TOP_10/A1\"] [tag \"OWASP_AppSensor/CIE1\"] [tag \"PCI/6.5.2\"] [hostname \"localhost\"] [uri \"/tecnologie-web/Progetto/php/ajax/userManager.php\"] [unique_id \"XVgURKQ96dKvEiKPlPz8iAAAAAo\"]",
"[file \"apache2_util.c\"] [line 273] [level 3] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file \"/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"91\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 10)\"] [severity \"CRITICAL\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"] [hostname \"localhost\"] [uri \"/tecnologie-web/Progetto/php/ajax/userManager.php\"] [unique_id \"XVgURKQ96dKvEiKPlPz8iAAAAAo\"]",
"[file \"apache2_util.c\"] [line 273] [level 3] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file \"/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"86\"] [id \"980130\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 10, 0, 0, 0\"] [tag \"event-correlation\"] [hostname \"localhost\"] [uri \"/tecnologie-web/Progetto/php/ajax/userManager.php\"] [unique_id \"XVgURKQ96dKvEiKPlPz8iAAAAAo\"]"
],
"handler":"application/x-httpd-php",
"stopwatch":{
"p1":414,
"p2":4877,
"p3":90,
"p4":159,
"p5":255,
"sr":8,
"sw":0,
"l":0,
"gc":0
},
"response_body_dechunked":true,
"producer":[
"ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/)",
"OWASP_CRS/3.1.0"
],
"server":"Apache/2.4.29 (Ubuntu)",
"engine_mode":"DETECTION_ONLY"
}
}
now, i tryed to get for each audit_data.messages throught the following filter:
filter {
grok {
match => { "audit_data.messages" => "ARGS:%{DATA}: %{DATA:m_data} \\\"]"}
tag_on_failure => ["on_no_grok_fail"]
}
}
but it fails every time...
What i've done wrong?
thanks in advance for any help guys!