elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

Modsecurity 1.6.0 Grok errors in logs-modsecurity.auditlog-1.6.0-apache-modsec pipeline #5569

Open janniten opened 1 year ago

janniten commented 1 year ago

Hi, I'm using the modsecurity 1.6.0 integration and some logs are not properly parsed. (Audit logs are configured as explained in the documentation.) I've modified the pipeline like this and it seems not to have further errors. Replace this

      {
        "grok": {
          "field": "json.request.request_line",
          "patterns": [
            "%{NOTSPACE:http.request.method} %{URIPATHPARAM:url.original}(?: HTTP/%{NUMBER:http.version})"
          ]
        }
      }

For this

      {
        "grok": {
          "field": "json.request.request_line",
          "patterns": [
            "%{NOTSPACE:http.request.method} %{URIPATHPARAM:url.original}(?: HTTP/%{NUMBER:http.version})",
            "%{NOTSPACE:http.request.method} %{URI:url.original}(?: HTTP/%{NUMBER:http.version})",
            "%{NOTSPACE:http.request.method} %{URIHOST:url.original}(?: HTTP/%{NUMBER:http.version})",
            "%{GREEDYDATA:http.request.method}%{SPACE}HTTP/%{NUMBER:http.version}"
          ]
        }
      }

These are the errors I have so far:

- error.message "Provided Grok expressions do not match field value: [CONNECT google.com:443 HTTP/1.1]"
  json.request.request_line "CONNECT google.com:443 HTTP/1.1"
- error.message "Provided Grok expressions do not match field value: [GET /Electron/download/windows/\Windows\win.ini HTTP/1.0]"
  json.request.request_line "GET /Electron/download/windows/\Windows\win.ini HTTP/1.0"
- error.message "Provided Grok expressions do not match field value: [POST http://127.0.0.1/iControl/iControlPortal.cgi HTTP/1.1]"
  json.request.request_line "POST http://127.0.0.1/iControl/iControlPortal.cgi HTTP/1.1"
- error.message "Provided Grok expressions do not match field value: [POST http://127.0.0.1/iControl/iControlPortal.cgi HTTP/1.1]"
  json.request.request_line "POST http://127.0.0.1/iControl/iControlPortal.cgi HTTP/1.1"
- error.message "Provided Grok expressions do not match field value: [GET /s6fzf2bt.x?<IMG%20SRC=\""""javascript:alert(cross_site_scripting.nasl)";"\""""> HTTP/1.1]"
  json.request.request_line "GET /s6fzf2bt.x?<IMG%20SRC=""""javascript:alert(cross_site_scripting.nasl)";"> HTTP/1.1"""
- error.message "Provided Grok expressions do not match field value: [GET https://site.ad/authentication/login/ HTTP/1.1]"
  json.request.request_line "GET https://site.ad/authentication/login/ HTTP/1.1"
- error.message "Provided Grok expressions do not match field value: [GET https://www.site.ad/ HTTP/1.1]"
  json.request.request_line "GET https://www.site.ad/ HTTP/1.1"

Thanks! PS: I'm not attaching the complete event.original. Since it is an audit log it has a lot of sensitive information, so I'm only including the field that is parsed by the grok processor.
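To check which of the listed request lines the original single pattern rejects and which of the four replacement patterns picks each one up, here is an added Python emulation of the grok processor's first-match behaviour (not the integration's code and not Elasticsearch's grok engine; the base patterns are assumed approximations of the stock grok pattern library):

```python
import re

# Assumed approximations of the stock grok base patterns used by the issue's
# expressions; this emulates the grok processor with Python regexes only.
GROK = {
    "NOTSPACE": r"\S+", "SPACE": r"\s*", "GREEDYDATA": r".*",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "POSINT": r"[1-9][0-9]*",
    "IPORHOST": r"(?:[0-9]{1,3}(?:\.[0-9]{1,3}){3}|[0-9A-Za-z][0-9A-Za-z-]*(?:\.[0-9A-Za-z][0-9A-Za-z-]*)*)",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
    "URIPARAM": r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*",
    "URIPROTO": r"[A-Za-z][A-Za-z0-9+\-.]*",
    "URIHOST": r"%{IPORHOST}(?::%{POSINT})?",
    "URIPATHPARAM": r"%{URIPATH}(?:%{URIPARAM})?",
    "URI": r"%{URIPROTO}://(?:[A-Za-z0-9._-]+(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?",
}
TOKEN = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")

# The pipeline's original single pattern, and the four-pattern replacement from the issue.
ORIGINAL = ["%{NOTSPACE:http.request.method} %{URIPATHPARAM:url.original}(?: HTTP/%{NUMBER:http.version})"]
PROPOSED = ORIGINAL + [
    "%{NOTSPACE:http.request.method} %{URI:url.original}(?: HTTP/%{NUMBER:http.version})",
    "%{NOTSPACE:http.request.method} %{URIHOST:url.original}(?: HTTP/%{NUMBER:http.version})",
    "%{GREEDYDATA:http.request.method}%{SPACE}HTTP/%{NUMBER:http.version}",
]

def compile_grok(pattern):
    """Expand %{NAME:field} tokens recursively. ECS field names contain dots,
    which Python group names cannot, so return (regex, {group: field})."""
    fields = {}

    def expand(m):
        body = TOKEN.sub(expand, GROK[m.group(1)])
        if m.group(2) is None:
            return "(?:%s)" % body
        fields["g%d" % len(fields)] = m.group(2)
        return "(?P<g%d>%s)" % (len(fields) - 1, body)

    return re.compile(TOKEN.sub(expand, pattern)), fields

def grok_first(patterns, value):
    """Like the grok processor: try patterns in order, first (unanchored) match wins."""
    for pattern in patterns:
        regex, fields = compile_grok(pattern)
        m = regex.search(value)
        if m:
            return {fields[g]: v for g, v in m.groupdict().items() if v is not None}
    return None  # the real processor raises "Provided Grok expressions do not match"
```

Note that the GREEDYDATA fallback accepts the backslash path only by putting the whole "GET /Electron/..." string into http.request.method and nothing into url.original, so anything keyed on url.original never sees that request; parsing the method with its own token would keep the fields meaningful.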

botelastic[bot] commented 6 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

elasticmachine commented 4 weeks ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)