Hi,
I've got a json with an array inside. Based on another thread I've tried something with ruby to change the key names but it doesn't work.
"messages": [
{
"message": "XSS Attack Detected via libinjection",
"details": {
"data": "Matched Data: XSS data found within ARGS_NAMES: <?xml version",
"lineNumber": "37",
"file": "/usr/local/openresty/nginx/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
"reference": "v257,13t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls",
"tags": [
"application-multi",
"OWASP_AppSensor/IE1",
"CAPEC-242"
],
"ruleId": "941100",
"ver": "OWASP_CRS/3.2.0",
"severity": "2",
"rev": "",
"match": "detected XSS using libinjection.",
"accuracy": "0",
"maturity": "0"
}
},
{
"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
"details": {
"data": "",
"lineNumber": "80",
"file": "/usr/local/openresty/nginx/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"tags": [
"application-multi",
"attack-generic"
],
"reference": "",
"ruleId": "949110",
"ver": "OWASP_CRS/3.2.0",
"severity": "2",
"rev": "",
"match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )",
"accuracy": "0",
"maturity": "0"
}
}
],
"user_agent": {
"original": "MauiBot (crawler.feedback+wc@gmail.com)",
"os_name": "Other",
"device": "Spider",
"os": "Other",
"build": "",
"name": "MauiBot"
},
"destination": {
"ip": "127.0.0.1",
"port": 80
}
I'd like to differentiate [messages][message] so I've used this code but it doesn't work:
filter {
if ([messages][message][0]) {
ruby {
code => '
c = event.get("messages")
if c
c.each_index { |x|
event.set("message-#{x}", c[x]["message"])
}
end
'
}
mutate {
add_field => {
"modsec_message" => "%{[messages][message][0]}"
}
}
}
}