Parser for Modsecurity logs?


(R) #1

Hi Guys,

Does anyone have a parser or Logstash configuration file built for ModSecurity logs? ModSecurity is an open-source WAF.

These are the sample modsec logs

2017/09/15 06:07:57 [info] 43541#43541: 5 [client 192.168.1.50] ModSecurity: Warning. Matched "Operator Rx' with parameter(?i)<[^\w<>](?:[^<>"'\s]:)?[^\w<>](?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o (3246 characters omitted)' against variable ARGS:param' (Value:">' ) [file "/usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "225"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: ">"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [ref "o2,7o19,8v12,28t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"] [hostname "192.168.1.50"] [uri "/"] [unique_id "150547007770.152744"], client: 192.168.1.50, server: isn.net, request: "GET /?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.isn1.net"
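The line above is the nginx error-log form written by the ModSecurity v3 nginx connector: an nginx prefix, the `ModSecurity: <action>. Matched "Operator ... against variable ..."` detail, a run of `[key "value"]` pairs (with `tag` repeated), and an nginx trailer carrying the request line and Host header. The Python below is an added example, not code from the original post or from the ModSecurity project; it parses that shape into one flat event per line and groups lines by `unique_id` so one transaction's rule hits and its final deny (if any) land together. The output field names (`rule_id`, `severity_name`, `request_uri_decoded`, and so on) are my own choice, the first sample is the poster's line copied verbatim including its "(3246 characters omitted)" elision, and the second sample is a constructed "Access denied" line in the same format for the blocking case.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Outer shape of an nginx error-log line from the ModSecurity v3 nginx connector:
# <ts> [<level>] <pid>#<tid>: *<conn> [client <ip>] ModSecurity: <action>. <detail>
# [key "value"]... , client: <ip>, server: <name>, request: "<line>", host: "<host>"
# The detail is split from the key/value block at the first '[file "', which is
# the first pair ModSecurity emits, so regex metacharacters in <detail> are safe.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): \*?(?P<conn>\d+) "
    r"\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>[^.]+)\. "
    r"(?P<detail>.*?) (?P<kv>\[file \".*\])"
    r"(?:, client: (?P<nginx_client>[^,]+), server: (?P<server>[^,]+), "
    r"request: \"(?P<request>.*)\", host: \"(?P<host>[^\"]*)\")?$"
)
# [key "value"] pairs. Values may contain a bare '"' (see the data field in the
# sample), so a value ends only at '"]' that is followed by another pair or EOL.
KV_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>.*?)"\](?=\s*\[|\s*$)')
# The Matched "Operator `X' with parameter `P' against variable `V' (Value: `Y' )
# detail; backticks and the space after "parameter"/"Value:" are optional because
# the poster's copy lost them.
MATCH_RE = re.compile(
    r"Matched \"Operator `?(?P<operator>.+?)' with parameter ?`?(?P<parameter>.*?)' "
    r"against variable `?(?P<variable>.+?)' \(Value: ?`?(?P<value>.*?)' \)"
)
# ModSecurity severity numbers follow syslog levels.
SEVERITY = {0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR",
            4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG"}
# Rename the rule-location keys so they do not collide with request fields.
RENAME = {"id": "rule_id", "file": "rule_file", "line": "rule_line", "ver": "crs_version"}


def parse_modsec_line(line):
    """Return a flat dict for one ModSecurity/nginx log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = {
        "timestamp": datetime.strptime(m["timestamp"], "%Y/%m/%d %H:%M:%S").isoformat(),
        "level": m["level"],
        "pid": int(m["pid"]),
        "client_ip": m["client"],
        "action": m["action"],
        "denied": m["action"].startswith("Access denied"),
        "server": m["server"],
        "host": m["host"],
        "tags": [],
    }
    mm = MATCH_RE.search(m["detail"])
    if mm:
        ev.update(operator=mm["operator"], parameter=mm["parameter"],
                  variable=mm["variable"], value=mm["value"])
    for kv in KV_RE.finditer(m["kv"]):
        if kv["key"] == "tag":
            ev["tags"].append(kv["val"])          # tag repeats; keep all of them
        else:
            ev[RENAME.get(kv["key"], kv["key"])] = kv["val"]
    if ev.get("severity", "").isdigit():
        ev["severity_name"] = SEVERITY.get(int(ev["severity"]), "UNKNOWN")
    if m["request"]:
        parts = m["request"].split(" ", 2)        # METHOD URI PROTOCOL
        if len(parts) == 3:
            ev["request_method"], ev["request_uri"], ev["request_protocol"] = parts
            ev["request_uri_decoded"] = unquote(ev["request_uri"])  # what the analyst reads
    return ev


def group_by_transaction(lines):
    """Group parsed events by ModSecurity unique_id: rules hit and whether the request was denied."""
    tx = {}
    for line in lines:
        ev = parse_modsec_line(line)
        if ev is None or "unique_id" not in ev:
            continue
        t = tx.setdefault(ev["unique_id"], {"client_ip": ev["client_ip"], "rule_ids": [], "denied": False})
        if "rule_id" in ev:
            t["rule_ids"].append(ev["rule_id"])
        t["denied"] = t["denied"] or ev["denied"]
    return tx


SAMPLE_LINES = [
    # The poster's line, copied verbatim (the "(3246 characters omitted)" elision is theirs).
    r'''2017/09/15 06:07:57 [info] 43541#43541: 5 [client 192.168.1.50] ModSecurity: Warning. Matched "Operator Rx' with parameter(?i)<[^\w<>](?:[^<>"'\s]:)?[^\w<>](?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o (3246 characters omitted)' against variable ARGS:param' (Value:">' ) [file "/usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "225"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:param: ">"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [ref "o2,7o19,8v12,28t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"] [hostname "192.168.1.50"] [uri "/"] [unique_id "150547007770.152744"], client: 192.168.1.50, server: isn.net, request: "GET /?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.isn1.net"''',
    # Constructed blocking line (same format, backticks intact) for the deny case; not from the post.
    r'''2017/09/15 06:08:12 [error] 43541#43541: *7 [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev "2"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "attack-generic"] [hostname "203.0.113.9"] [uri "/"] [unique_id "150547009235.118204"], client: 203.0.113.9, server: isn.net, request: "GET /?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1", host: "www.isn1.net"''',
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        ev = parse_modsec_line(ln)
        print(ev["timestamp"], ev["client_ip"], ev["rule_id"], ev["severity_name"],
              ev["msg"], "DENIED" if ev["denied"] else "warn", ev["request_uri_decoded"])
    print(group_by_transaction(SAMPLE_LINES))
```

The three regexes are the same split a Logstash pipeline needs: one grok pattern for the nginx prefix and trailer, one for the `Matched "Operator ..."` detail, and a pass over the `[key "value"]` block that collects repeated `tag` pairs into an array rather than overwriting them. Two things the sample line forces you to handle, and that a naive `[^"]*` value pattern gets wrong, are the unescaped `"` inside the `data` value and regex metacharacters inside the Rx parameter; keying the split on `[file "` and ending values only at `"]` before the next pair sidesteps both.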

