elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[modsecurity] parsing exception - failed to parse field `[modsec.audit.details]` #6579

Closed ebeahan closed 1 year ago

ebeahan commented 1 year ago

Attempting to ingest `modsecurity.auditlog` data stream events causes parsing exceptions when running the system tests:

```
{\"type\":\"document_parsing_exception\",\"reason\":\"[1:450] failed to parse field [modsec.audit.details] of type [flattened] in document with id 'dCwBu4gBS6EiBRyaLDEP'. Preview of field's value: 'Warning. detected SQLi using libinjection with fingerprint '1&sos' [file \\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\\\"] [line \\\"65\\\"] [id \\\"942100\\\"] [msg \\\"SQL Injection Attack Detected via libinjection\\\"] [data \\\"Matched Data: 1&sos found within ARGS:id: 3 or 'a'='a'\\\"] [severity \\\"CRITICAL\\\"] [ver \\\"OWASP_CRS/3.3.2\\\"] [tag \\\"application-multi\\\"] [tag \\\"language-multi\\\"] [tag \\\"platform-multi\\\"] [tag \\\"attack-sqli\\\"] [tag \\\"paranoia-level/1\\\"] [tag \\\"OWASP_CRS\\\"] [tag \\\"capec/1000/152/248/66\\\"] [tag \\\"PCI/6.5.2\\\"]'\",\"caused_by\":{\"type\":\"parsing_exception\",\"reason\":\"Failed to parse object: expecting token of type [START_OBJECT] but found [VALUE_STRING]\",\"line\":1,\"col\":450}}, dropping event!"
```
Full failure details ``` --- Test results for package: modsecurity - START --- FAILURE DETAILS: modsecurity/auditlog (elastic-agent logs): [0] found error "Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2023, time.June, 14, 17, 42, 29, 982343512, time.Local), Meta:{\"input_id\":\"logfile-modsec-ceeb27d0-0ada-11ee-a5df-f33f6f20f37d\",\"raw_index\":\"logs-modsecurity.auditlog-ep\",\"stream_id\":\"logfile-modsecurity.auditlog-ceeb27d0-0ada-11ee-a5df-f33f6f20f37d\"}, Fields:{\"_conf\":{\"tz_offset\":\"local\"},\"agent\":{\"ephemeral_id\":\"7bf6a119-9502-4cb9-a16a-e2664693beef\",\"id\":\"19858c28-9874-4e35-bf7c-51607273cc02\",\"name\":\"docker-fleet-agent\",\"type\":\"filebeat\",\"version\":\"8.8.1\"},\"data_stream\":{\"dataset\":\"modsecurity.auditlog\",\"namespace\":\"ep\",\"type\":\"logs\"},\"ecs\":{\"version\":\"8.0.0\"},\"elastic_agent\":{\"id\":\"19858c28-9874-4e35-bf7c-51607273cc02\",\"snapshot\":false,\"version\":\"8.8.1\"},\"event\":{\"dataset\":\"modsecurity.auditlog\",\"timezone\":\"+00:00\"},\"host\":{\"architecture\":\"aarch64\",\"containerized\":false,\"hostname\":\"docker-fleet-agent\",\"id\":\"d08b346fbb8f49f5a2bb1a477f8ceb54\",\"ip\":[\"172.21.0.7\"],\"mac\":[\"02-42-AC-15-00-07\"],\"name\":\"docker-fleet-agent\",\"os\":{\"codename\":\"focal\",\"family\":\"debian\",\"kernel\":\"5.15.49-linuxkit\",\"name\":\"Ubuntu\",\"platform\":\"ubuntu\",\"type\":\"linux\",\"version\":\"20.04.6 LTS (Focal Fossa)\"}},\"input\":{\"type\":\"log\"},\"log\":{\"file\":{\"path\":\"/tmp/service_logs/modsec-audit.log\"},\"offset\":22937},\"message\":\"{\\\"transaction\\\":{\\\"time\\\":\\\"23/May/2022:06:28:50 +0000\\\",\\\"transaction_id\\\":\\\"Yospoq1AV2oonr8Z9ZoDTgAAAEU\\\",\\\"remote_address\\\":\\\"127.0.0.1\\\",\\\"remote_port\\\":43790,\\\"local_address\\\":\\\"127.0.0.1\\\",\\\"local_port\\\":80},\\\"request\\\":{\\\"request_line\\\":\\\"GET /index.php?exec=/bin/bash 
HTTP/1.1\\\",\\\"headers\\\":{\\\"Host\\\":\\\"localhost\\\",\\\"User-Agent\\\":\\\"curl/7.58.0\\\",\\\"Accept\\\":\\\"*/*\\\"}},\\\"response\\\":{\\\"protocol\\\":\\\"HTTP/1.1\\\",\\\"status\\\":403,\\\"headers\\\":{\\\"Content-Length\\\":\\\"274\\\",\\\"Content-Type\\\":\\\"text/html; charset=iso-8859-1\\\"},\\\"body\\\":\\\"\\u003c!DOCTYPE HTML PUBLIC \\\\\\\"-//IETF//DTD HTML 2.0//EN\\\\\\\"\\u003e\\\\n\\u003chtml\\u003e\\u003chead\\u003e\\\\n\\u003ctitle\\u003e403 Forbidden\\u003c/title\\u003e\\\\n\\u003c/head\\u003e\\u003cbody\\u003e\\\\n\\u003ch1\\u003eForbidden\\u003c/h1\\u003e\\\\n\\u003cp\\u003eYou don't have permission to access this resource.\\u003c/p\\u003e\\\\n\\u003chr\\u003e\\\\n\\u003caddress\\u003eApache/2.4.29 (Ubuntu) Server at localhost Port 80\\u003c/address\\u003e\\\\n\\u003c/body\\u003e\\u003c/html\\u003e\\\\n\\\"},\\\"audit_data\\\":{\\\"messages\\\":[\\\"Warning. Matched phrase \\\\\\\"bin/bash\\\\\\\" at ARGS:exec. [file \\\\\\\"/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf\\\\\\\"] [line \\\\\\\"485\\\\\\\"] [id \\\\\\\"932160\\\\\\\"] [msg \\\\\\\"Remote Command Execution: Unix Shell Code Found\\\\\\\"] [data \\\\\\\"Matched Data: bin/bash found within ARGS:exec: /bin/bash\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-shell\\\\\\\"] [tag \\\\\\\"platform-unix\\\\\\\"] [tag \\\\\\\"attack-rce\\\\\\\"] [tag \\\\\\\"paranoia-level/1\\\\\\\"] [tag \\\\\\\"OWASP_CRS\\\\\\\"] [tag \\\\\\\"capec/1000/152/248/88\\\\\\\"] [tag \\\\\\\"PCI/6.5.2\\\\\\\"]\\\",\\\"Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. 
[file \\\\\\\"/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\\\\\\\"] [line \\\\\\\"184\\\\\\\"] [id \\\\\\\"949110\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Score: 5)\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"anomaly-evaluation\\\\\\\"]\\\",\\\"Warning. Unconditional match in SecAction. [file \\\\\\\"/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf\\\\\\\"] [line \\\\\\\"96\\\\\\\"] [id \\\\\\\"980170\\\\\\\"] [msg \\\\\\\"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0)\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"reporting\\\\\\\"]\\\"],\\\"error_messages\\\":[\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 127.0.0.1] ModSecurity: Warning. Matched phrase \\\\\\\"bin/bash\\\\\\\" at ARGS:exec. [file \\\\\\\"/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf\\\\\\\"] [line \\\\\\\"485\\\\\\\"] [id \\\\\\\"932160\\\\\\\"] [msg \\\\\\\"Remote Command Execution: Unix Shell Code Found\\\\\\\"] [data \\\\\\\"Matched Data: bin/bash found within ARGS:exec: /bin/bash\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-shell\\\\\\\"] [tag \\\\\\\"platform-unix\\\\\\\"] [tag \\\\\\\"attack-rce\\\\\\\"] [tag \\\\\\\"paranoia-level/1\\\\\\\"] [tag \\\\\\\"OWASP_CRS\\\\\\\"] [tag \\\\\\\"capec/1000/152/248/88\\\\\\\"] [tag \\\\\\\"PCI/6.5.2\\\\\\\"] [hostname \\\\\\\"localhost\\\\\\\"] [uri \\\\\\\"/index.php\\\\\\\"] [unique_id \\\\\\\"Yospoq1AV2oonr8Z9ZoDTgAAAEU\\\\\\\"]\\\",\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. 
[file \\\\\\\"/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\\\\\\\"] [line \\\\\\\"184\\\\\\\"] [id \\\\\\\"949110\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Score: 5)\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"anomaly-evaluation\\\\\\\"] [hostname \\\\\\\"localhost\\\\\\\"] [uri \\\\\\\"/index.php\\\\\\\"] [unique_id \\\\\\\"Yospoq1AV2oonr8Z9ZoDTgAAAEU\\\\\\\"]\\\",\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 127.0.0.1] ModSecurity: Warning. Unconditional match in SecAction. [file \\\\\\\"/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf\\\\\\\"] [line \\\\\\\"96\\\\\\\"] [id \\\\\\\"980170\\\\\\\"] [msg \\\\\\\"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0)\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"reporting\\\\\\\"] [hostname \\\\\\\"localhost\\\\\\\"] [uri \\\\\\\"/index.php\\\\\\\"] [unique_id \\\\\\\"Yospoq1AV2oonr8Z9ZoDTgAAAEU\\\\\\\"]\\\"],\\\"action\\\":{\\\"intercepted\\\":true,\\\"phase\\\":2,\\\"message\\\":\\\"Operator GE matched 5 at TX:blocking_inbound_anomaly_score.\\\"},\\\"stopwatch\\\":{\\\"p1\\\":719,\\\"p2\\\":775,\\\"p3\\\":0,\\\"p4\\\":0,\\\"p5\\\":3321,\\\"sr\\\":29,\\\"sw\\\":1,\\\"l\\\":0,\\\"gc\\\":0},\\\"response_body_dechunked\\\":true,\\\"producer\\\":[\\\"ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/)\\\",\\\"OWASP_CRS/4.0.0-rc1\\\"],\\\"server\\\":\\\"Apache/2.4.29 (Ubuntu)\\\",\\\"engine_mode\\\":\\\"ENABLED\\\"}}\",\"tags\":[\"modsec-audit\"]}, Private:file.State{Id:\"native::2615-152\", PrevId:\"\", Finished:false, Fileinfo:(*os.fileStat)(0x40014412c0), Source:\"/tmp/service_logs/modsec-audit.log\", Offset:27248, Timestamp:time.Date(2023, time.June, 14, 17, 42, 29, 979257470, time.Local), TTL:-1, Type:\"log\", 
Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0xa37, Device:0x98}, IdentifierName:\"native\"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=400): {\"type\":\"document_parsing_exception\",\"reason\":\"[1:450] failed to parse field [modsec.audit.details] of type [flattened] in document with id 'hiwAu4gBS6EiBRyafC4L'. Preview of field's value: 'Warning. Matched phrase \\\"bin/bash\\\" at ARGS:exec. [file \\\"/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf\\\"] [line \\\"485\\\"] [id \\\"932160\\\"] [msg \\\"Remote Command Execution: Unix Shell Code Found\\\"] [data \\\"Matched Data: bin/bash found within ARGS:exec: /bin/bash\\\"] [severity \\\"CRITICAL\\\"] [ver \\\"OWASP_CRS/4.0.0-rc1\\\"] [tag \\\"application-multi\\\"] [tag \\\"language-shell\\\"] [tag \\\"platform-unix\\\"] [tag \\\"attack-rce\\\"] [tag \\\"paranoia-level/1\\\"] [tag \\\"OWASP_CRS\\\"] [tag \\\"capec/1000/152/248/88\\\"] [tag \\\"PCI/6.5.2\\\"]'\",\"caused_by\":{\"type\":\"parsing_exception\",\"reason\":\"Failed to parse object: expecting token of type [START_OBJECT] but found [VALUE_STRING]\",\"line\":1,\"col\":450}}, dropping event!" 
[1] found error "Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2023, time.June, 14, 17, 42, 29, 982409470, time.Local), Meta:{\"input_id\":\"logfile-modsec-ceeb27d0-0ada-11ee-a5df-f33f6f20f37d\",\"raw_index\":\"logs-modsecurity.auditlog-ep\",\"stream_id\":\"logfile-modsecurity.auditlog-ceeb27d0-0ada-11ee-a5df-f33f6f20f37d\"}, Fields:{\"_conf\":{\"tz_offset\":\"local\"},\"agent\":{\"ephemeral_id\":\"7bf6a119-9502-4cb9-a16a-e2664693beef\",\"id\":\"19858c28-9874-4e35-bf7c-51607273cc02\",\"name\":\"docker-fleet-agent\",\"type\":\"filebeat\",\"version\":\"8.8.1\"},\"data_stream\":{\"dataset\":\"modsecurity.auditlog\",\"namespace\":\"ep\",\"type\":\"logs\"},\"ecs\":{\"version\":\"8.0.0\"},\"elastic_agent\":{\"id\":\"19858c28-9874-4e35-bf7c-51607273cc02\",\"snapshot\":false,\"version\":\"8.8.1\"},\"event\":{\"dataset\":\"modsecurity.auditlog\",\"timezone\":\"+00:00\"},\"host\":{\"architecture\":\"aarch64\",\"containerized\":false,\"hostname\":\"docker-fleet-agent\",\"id\":\"d08b346fbb8f49f5a2bb1a477f8ceb54\",\"ip\":[\"172.21.0.7\"],\"mac\":[\"02-42-AC-15-00-07\"],\"name\":\"docker-fleet-agent\",\"os\":{\"codename\":\"focal\",\"family\":\"debian\",\"kernel\":\"5.15.49-linuxkit\",\"name\":\"Ubuntu\",\"platform\":\"ubuntu\",\"type\":\"linux\",\"version\":\"20.04.6 LTS (Focal Fossa)\"}},\"input\":{\"type\":\"log\"},\"log\":{\"file\":{\"path\":\"/tmp/service_logs/modsec-audit.log\"},\"offset\":28461},\"message\":\"{\\\"transaction\\\":{\\\"time\\\":\\\"25/Mar/2022:11:15:35 +0100\\\",\\\"transaction_id\\\":\\\"Yj2WRzj5DcQDZ5V47KL4JQAAAAE\\\",\\\"remote_address\\\":\\\"89.160.20.112\\\",\\\"remote_port\\\":47461,\\\"local_address\\\":\\\"172.21.50.216\\\",\\\"local_port\\\":443},\\\"request\\\":{\\\"request_line\\\":\\\"GET /?id=3%20or%20%27a%27=%27a%27 HTTP/2.0\\\",\\\"headers\\\":{\\\"Upgrade-Insecure-Requests\\\":\\\"1\\\",\\\"User-Agent\\\":\\\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/5.15.2 
Chrome/87.0.4280.144 Safari/537.36\\\",\\\"Accept\\\":\\\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\\\",\\\"Dnt\\\":\\\"1\\\",\\\"Accept-Language\\\":\\\"en-US,en;q=0.9\\\",\\\"Sec-Fetch-Site\\\":\\\"none\\\",\\\"Sec-Fetch-Mode\\\":\\\"navigate\\\",\\\"Sec-Fetch-User\\\":\\\"?1\\\",\\\"Sec-Fetch-Dest\\\":\\\"document\\\",\\\"Accept-Encoding\\\":\\\"gzip, deflate, br\\\",\\\"Host\\\":\\\"test.website.com\\\"}},\\\"response\\\":{\\\"protocol\\\":\\\"HTTP/1.1\\\",\\\"status\\\":403,\\\"headers\\\":{\\\"Strict-Transport-Security\\\":\\\"max-age=31536000; includeSubDomains\\\",\\\"Content-Length\\\":\\\"199\\\",\\\"Connection\\\":\\\"close\\\",\\\"Content-Type\\\":\\\"text/html; charset=iso-8859-1\\\"},\\\"body\\\":\\\"\\u003c!DOCTYPE HTML PUBLIC \\\\\\\"-//IETF//DTD HTML 2.0//EN\\\\\\\"\\u003e\\\\n\\u003chtml\\u003e\\u003chead\\u003e\\\\n\\u003ctitle\\u003e403 Forbidden\\u003c/title\\u003e\\\\n\\u003c/head\\u003e\\u003cbody\\u003e\\\\n\\u003ch1\\u003eForbidden\\u003c/h1\\u003e\\\\n\\u003cp\\u003eYou don't have permission to access this resource.\\u003c/p\\u003e\\\\n\\u003c/body\\u003e\\u003c/html\\u003e\\\\n\\\"},\\\"audit_data\\\":{\\\"messages\\\":[\\\"Warning. 
detected SQLi using libinjection with fingerprint '1\\u0026sos' [file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\\\\\\\"] [line \\\\\\\"65\\\\\\\"] [id \\\\\\\"942100\\\\\\\"] [msg \\\\\\\"SQL Injection Attack Detected via libinjection\\\\\\\"] [data \\\\\\\"Matched Data: 1\\u0026sos found within ARGS:id: 3 or 'a'='a'\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-multi\\\\\\\"] [tag \\\\\\\"platform-multi\\\\\\\"] [tag \\\\\\\"attack-sqli\\\\\\\"] [tag \\\\\\\"paranoia-level/1\\\\\\\"] [tag \\\\\\\"OWASP_CRS\\\\\\\"] [tag \\\\\\\"capec/1000/152/248/66\\\\\\\"] [tag \\\\\\\"PCI/6.5.2\\\\\\\"]\\\",\\\"Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf\\\\\\\"] [line \\\\\\\"93\\\\\\\"] [id \\\\\\\"949110\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Score: 5)\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-multi\\\\\\\"] [tag \\\\\\\"platform-multi\\\\\\\"] [tag \\\\\\\"attack-generic\\\\\\\"]\\\",\\\"Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/RESPONSE-980-CORRELATION.conf\\\\\\\"] [line \\\\\\\"91\\\\\\\"] [id \\\\\\\"980130\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"event-correlation\\\\\\\"]\\\"],\\\"error_messages\\\":[\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 89.160.20.112] ModSecurity: Warning. 
detected SQLi using libinjection with fingerprint '1\\u0026sos' [file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\\\\\\\"] [line \\\\\\\"65\\\\\\\"] [id \\\\\\\"942100\\\\\\\"] [msg \\\\\\\"SQL Injection Attack Detected via libinjection\\\\\\\"] [data \\\\\\\"Matched Data: 1\\u0026sos found within ARGS:id: 3 or 'a'='a'\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-multi\\\\\\\"] [tag \\\\\\\"platform-multi\\\\\\\"] [tag \\\\\\\"attack-sqli\\\\\\\"] [tag \\\\\\\"paranoia-level/1\\\\\\\"] [tag \\\\\\\"OWASP_CRS\\\\\\\"] [tag \\\\\\\"capec/1000/152/248/66\\\\\\\"] [tag \\\\\\\"PCI/6.5.2\\\\\\\"] [hostname \\\\\\\"test.website.com\\\\\\\"] [uri \\\\\\\"/\\\\\\\"] [unique_id \\\\\\\"Yj2WRzj5DcQDZ5V47KL4JQAAAAE\\\\\\\"]\\\",\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 89.160.20.112] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf\\\\\\\"] [line \\\\\\\"93\\\\\\\"] [id \\\\\\\"949110\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Score: 5)\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-multi\\\\\\\"] [tag \\\\\\\"platform-multi\\\\\\\"] [tag \\\\\\\"attack-generic\\\\\\\"] [hostname \\\\\\\"test.website.com\\\\\\\"] [uri \\\\\\\"/\\\\\\\"] [unique_id \\\\\\\"Yj2WRzj5DcQDZ5V47KL4JQAAAAE\\\\\\\"]\\\",\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 89.160.20.112] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. 
[file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/RESPONSE-980-CORRELATION.conf\\\\\\\"] [line \\\\\\\"91\\\\\\\"] [id \\\\\\\"980130\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"event-correlation\\\\\\\"] [hostname \\\\\\\"test.website.com\\\\\\\"] [uri \\\\\\\"/\\\\\\\"] [unique_id \\\\\\\"Yj2WRzj5DcQDZ5V47KL4JQAAAAE\\\\\\\"]\\\"],\\\"action\\\":{\\\"intercepted\\\":true,\\\"phase\\\":2,\\\"message\\\":\\\"Operator GE matched 5 at TX:anomaly_score.\\\"},\\\"stopwatch\\\":{\\\"p1\\\":661,\\\"p2\\\":2717,\\\"p3\\\":0,\\\"p4\\\":0,\\\"p5\\\":352,\\\"sr\\\":153,\\\"sw\\\":0,\\\"l\\\":0,\\\"gc\\\":0},\\\"response_body_dechunked\\\":true,\\\"producer\\\":[\\\"ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)\\\",\\\"OWASP_CRS/3.3.2\\\"],\\\"server\\\":\\\"Apache\\\",\\\"engine_mode\\\":\\\"ENABLED\\\"}}\",\"tags\":[\"modsec-audit\"]}, Private:file.State{Id:\"native::2615-152\", PrevId:\"\", Finished:false, Fileinfo:(*os.fileStat)(0x40014412c0), Source:\"/tmp/service_logs/modsec-audit.log\", Offset:33434, Timestamp:time.Date(2023, time.June, 14, 17, 42, 29, 979257470, time.Local), TTL:-1, Type:\"log\", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0xa37, Device:0x98}, IdentifierName:\"native\"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=400): {\"type\":\"document_parsing_exception\",\"reason\":\"[1:450] failed to parse field [modsec.audit.details] of type [flattened] in document with id 'iCwAu4gBS6EiBRyafC4L'. Preview of field's value: 'Warning. 
detected SQLi using libinjection with fingerprint '1&sos' [file \\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\\\"] [line \\\"65\\\"] [id \\\"942100\\\"] [msg \\\"SQL Injection Attack Detected via libinjection\\\"] [data \\\"Matched Data: 1&sos found within ARGS:id: 3 or 'a'='a'\\\"] [severity \\\"CRITICAL\\\"] [ver \\\"OWASP_CRS/3.3.2\\\"] [tag \\\"application-multi\\\"] [tag \\\"language-multi\\\"] [tag \\\"platform-multi\\\"] [tag \\\"attack-sqli\\\"] [tag \\\"paranoia-level/1\\\"] [tag \\\"OWASP_CRS\\\"] [tag \\\"capec/1000/152/248/66\\\"] [tag \\\"PCI/6.5.2\\\"]'\",\"caused_by\":{\"type\":\"parsing_exception\",\"reason\":\"Failed to parse object: expecting token of type [START_OBJECT] but found [VALUE_STRING]\",\"line\":1,\"col\":450}}, dropping event!" [2] found error "Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2023, time.June, 14, 17, 43, 15, 220926255, time.Local), Meta:{\"input_id\":\"logfile-modsec-ebc41ab0-0ada-11ee-a5df-f33f6f20f37d\",\"raw_index\":\"logs-modsecurity.auditlog-ep\",\"stream_id\":\"logfile-modsecurity.auditlog-ebc41ab0-0ada-11ee-a5df-f33f6f20f37d\"}, 
Fields:{\"_conf\":{\"tz_offset\":\"+0500\"},\"agent\":{\"ephemeral_id\":\"7bf6a119-9502-4cb9-a16a-e2664693beef\",\"id\":\"19858c28-9874-4e35-bf7c-51607273cc02\",\"name\":\"docker-fleet-agent\",\"type\":\"filebeat\",\"version\":\"8.8.1\"},\"data_stream\":{\"dataset\":\"modsecurity.auditlog\",\"namespace\":\"ep\",\"type\":\"logs\"},\"ecs\":{\"version\":\"8.0.0\"},\"elastic_agent\":{\"id\":\"19858c28-9874-4e35-bf7c-51607273cc02\",\"snapshot\":false,\"version\":\"8.8.1\"},\"event\":{\"dataset\":\"modsecurity.auditlog\",\"timezone\":\"+00:00\"},\"host\":{\"architecture\":\"aarch64\",\"containerized\":false,\"hostname\":\"docker-fleet-agent\",\"id\":\"d08b346fbb8f49f5a2bb1a477f8ceb54\",\"ip\":[\"172.21.0.7\"],\"mac\":[\"02-42-AC-15-00-07\"],\"name\":\"docker-fleet-agent\",\"os\":{\"codename\":\"focal\",\"family\":\"debian\",\"kernel\":\"5.15.49-linuxkit\",\"name\":\"Ubuntu\",\"platform\":\"ubuntu\",\"type\":\"linux\",\"version\":\"20.04.6 LTS (Focal Fossa)\"}},\"input\":{\"type\":\"log\"},\"log\":{\"file\":{\"path\":\"/tmp/service_logs/modsec-audit-tz.log\"},\"offset\":22937},\"message\":\"{\\\"transaction\\\":{\\\"time\\\":\\\"23/May/2022:06:28:50 +0000\\\",\\\"transaction_id\\\":\\\"Yospoq1AV2oonr8Z9ZoDTgAAAEU\\\",\\\"remote_address\\\":\\\"127.0.0.1\\\",\\\"remote_port\\\":43790,\\\"local_address\\\":\\\"127.0.0.1\\\",\\\"local_port\\\":80},\\\"request\\\":{\\\"request_line\\\":\\\"GET /index.php?exec=/bin/bash HTTP/1.1\\\",\\\"headers\\\":{\\\"Host\\\":\\\"localhost\\\",\\\"User-Agent\\\":\\\"curl/7.58.0\\\",\\\"Accept\\\":\\\"*/*\\\"}},\\\"response\\\":{\\\"protocol\\\":\\\"HTTP/1.1\\\",\\\"status\\\":403,\\\"headers\\\":{\\\"Content-Length\\\":\\\"274\\\",\\\"Content-Type\\\":\\\"text/html; charset=iso-8859-1\\\"},\\\"body\\\":\\\"\\u003c!DOCTYPE HTML PUBLIC \\\\\\\"-//IETF//DTD HTML 2.0//EN\\\\\\\"\\u003e\\\\n\\u003chtml\\u003e\\u003chead\\u003e\\\\n\\u003ctitle\\u003e403 
Forbidden\\u003c/title\\u003e\\\\n\\u003c/head\\u003e\\u003cbody\\u003e\\\\n\\u003ch1\\u003eForbidden\\u003c/h1\\u003e\\\\n\\u003cp\\u003eYou don't have permission to access this resource.\\u003c/p\\u003e\\\\n\\u003chr\\u003e\\\\n\\u003caddress\\u003eApache/2.4.29 (Ubuntu) Server at localhost Port 80\\u003c/address\\u003e\\\\n\\u003c/body\\u003e\\u003c/html\\u003e\\\\n\\\"},\\\"audit_data\\\":{\\\"messages\\\":[\\\"Warning. Matched phrase \\\\\\\"bin/bash\\\\\\\" at ARGS:exec. [file \\\\\\\"/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf\\\\\\\"] [line \\\\\\\"485\\\\\\\"] [id \\\\\\\"932160\\\\\\\"] [msg \\\\\\\"Remote Command Execution: Unix Shell Code Found\\\\\\\"] [data \\\\\\\"Matched Data: bin/bash found within ARGS:exec: /bin/bash\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-shell\\\\\\\"] [tag \\\\\\\"platform-unix\\\\\\\"] [tag \\\\\\\"attack-rce\\\\\\\"] [tag \\\\\\\"paranoia-level/1\\\\\\\"] [tag \\\\\\\"OWASP_CRS\\\\\\\"] [tag \\\\\\\"capec/1000/152/248/88\\\\\\\"] [tag \\\\\\\"PCI/6.5.2\\\\\\\"]\\\",\\\"Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file \\\\\\\"/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\\\\\\\"] [line \\\\\\\"184\\\\\\\"] [id \\\\\\\"949110\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Score: 5)\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"anomaly-evaluation\\\\\\\"]\\\",\\\"Warning. Unconditional match in SecAction. 
[file \\\\\\\"/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf\\\\\\\"] [line \\\\\\\"96\\\\\\\"] [id \\\\\\\"980170\\\\\\\"] [msg \\\\\\\"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0)\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"reporting\\\\\\\"]\\\"],\\\"error_messages\\\":[\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 127.0.0.1] ModSecurity: Warning. Matched phrase \\\\\\\"bin/bash\\\\\\\" at ARGS:exec. [file \\\\\\\"/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf\\\\\\\"] [line \\\\\\\"485\\\\\\\"] [id \\\\\\\"932160\\\\\\\"] [msg \\\\\\\"Remote Command Execution: Unix Shell Code Found\\\\\\\"] [data \\\\\\\"Matched Data: bin/bash found within ARGS:exec: /bin/bash\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-shell\\\\\\\"] [tag \\\\\\\"platform-unix\\\\\\\"] [tag \\\\\\\"attack-rce\\\\\\\"] [tag \\\\\\\"paranoia-level/1\\\\\\\"] [tag \\\\\\\"OWASP_CRS\\\\\\\"] [tag \\\\\\\"capec/1000/152/248/88\\\\\\\"] [tag \\\\\\\"PCI/6.5.2\\\\\\\"] [hostname \\\\\\\"localhost\\\\\\\"] [uri \\\\\\\"/index.php\\\\\\\"] [unique_id \\\\\\\"Yospoq1AV2oonr8Z9ZoDTgAAAEU\\\\\\\"]\\\",\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. 
[file \\\\\\\"/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\\\\\\\"] [line \\\\\\\"184\\\\\\\"] [id \\\\\\\"949110\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Score: 5)\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"anomaly-evaluation\\\\\\\"] [hostname \\\\\\\"localhost\\\\\\\"] [uri \\\\\\\"/index.php\\\\\\\"] [unique_id \\\\\\\"Yospoq1AV2oonr8Z9ZoDTgAAAEU\\\\\\\"]\\\",\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 127.0.0.1] ModSecurity: Warning. Unconditional match in SecAction. [file \\\\\\\"/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf\\\\\\\"] [line \\\\\\\"96\\\\\\\"] [id \\\\\\\"980170\\\\\\\"] [msg \\\\\\\"Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=5-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0)\\\\\\\"] [ver \\\\\\\"OWASP_CRS/4.0.0-rc1\\\\\\\"] [tag \\\\\\\"reporting\\\\\\\"] [hostname \\\\\\\"localhost\\\\\\\"] [uri \\\\\\\"/index.php\\\\\\\"] [unique_id \\\\\\\"Yospoq1AV2oonr8Z9ZoDTgAAAEU\\\\\\\"]\\\"],\\\"action\\\":{\\\"intercepted\\\":true,\\\"phase\\\":2,\\\"message\\\":\\\"Operator GE matched 5 at TX:blocking_inbound_anomaly_score.\\\"},\\\"stopwatch\\\":{\\\"p1\\\":719,\\\"p2\\\":775,\\\"p3\\\":0,\\\"p4\\\":0,\\\"p5\\\":3321,\\\"sr\\\":29,\\\"sw\\\":1,\\\"l\\\":0,\\\"gc\\\":0},\\\"response_body_dechunked\\\":true,\\\"producer\\\":[\\\"ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/)\\\",\\\"OWASP_CRS/4.0.0-rc1\\\"],\\\"server\\\":\\\"Apache/2.4.29 (Ubuntu)\\\",\\\"engine_mode\\\":\\\"ENABLED\\\"}}\",\"tags\":[\"modsec-audit\"]}, Private:file.State{Id:\"native::2616-152\", PrevId:\"\", Finished:false, Fileinfo:(*os.fileStat)(0x4000896180), Source:\"/tmp/service_logs/modsec-audit-tz.log\", Offset:27248, Timestamp:time.Date(2023, time.June, 14, 17, 43, 15, 218322088, time.Local), TTL:-1, Type:\"log\", 
Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0xa38, Device:0x98}, IdentifierName:\"native\"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=400): {\"type\":\"document_parsing_exception\",\"reason\":\"[1:450] failed to parse field [modsec.audit.details] of type [flattened] in document with id 'ciwBu4gBS6EiBRyaLDEP'. Preview of field's value: 'Warning. Matched phrase \\\"bin/bash\\\" at ARGS:exec. [file \\\"/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf\\\"] [line \\\"485\\\"] [id \\\"932160\\\"] [msg \\\"Remote Command Execution: Unix Shell Code Found\\\"] [data \\\"Matched Data: bin/bash found within ARGS:exec: /bin/bash\\\"] [severity \\\"CRITICAL\\\"] [ver \\\"OWASP_CRS/4.0.0-rc1\\\"] [tag \\\"application-multi\\\"] [tag \\\"language-shell\\\"] [tag \\\"platform-unix\\\"] [tag \\\"attack-rce\\\"] [tag \\\"paranoia-level/1\\\"] [tag \\\"OWASP_CRS\\\"] [tag \\\"capec/1000/152/248/88\\\"] [tag \\\"PCI/6.5.2\\\"]'\",\"caused_by\":{\"type\":\"parsing_exception\",\"reason\":\"Failed to parse object: expecting token of type [START_OBJECT] but found [VALUE_STRING]\",\"line\":1,\"col\":450}}, dropping event!" 
[3] found error "Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2023, time.June, 14, 17, 43, 15, 221038547, time.Local), Meta:{\"input_id\":\"logfile-modsec-ebc41ab0-0ada-11ee-a5df-f33f6f20f37d\",\"raw_index\":\"logs-modsecurity.auditlog-ep\",\"stream_id\":\"logfile-modsecurity.auditlog-ebc41ab0-0ada-11ee-a5df-f33f6f20f37d\"}, Fields:{\"_conf\":{\"tz_offset\":\"+0500\"},\"agent\":{\"ephemeral_id\":\"7bf6a119-9502-4cb9-a16a-e2664693beef\",\"id\":\"19858c28-9874-4e35-bf7c-51607273cc02\",\"name\":\"docker-fleet-agent\",\"type\":\"filebeat\",\"version\":\"8.8.1\"},\"data_stream\":{\"dataset\":\"modsecurity.auditlog\",\"namespace\":\"ep\",\"type\":\"logs\"},\"ecs\":{\"version\":\"8.0.0\"},\"elastic_agent\":{\"id\":\"19858c28-9874-4e35-bf7c-51607273cc02\",\"snapshot\":false,\"version\":\"8.8.1\"},\"event\":{\"dataset\":\"modsecurity.auditlog\",\"timezone\":\"+00:00\"},\"host\":{\"architecture\":\"aarch64\",\"containerized\":false,\"hostname\":\"docker-fleet-agent\",\"id\":\"d08b346fbb8f49f5a2bb1a477f8ceb54\",\"ip\":[\"172.21.0.7\"],\"mac\":[\"02-42-AC-15-00-07\"],\"name\":\"docker-fleet-agent\",\"os\":{\"codename\":\"focal\",\"family\":\"debian\",\"kernel\":\"5.15.49-linuxkit\",\"name\":\"Ubuntu\",\"platform\":\"ubuntu\",\"type\":\"linux\",\"version\":\"20.04.6 LTS (Focal Fossa)\"}},\"input\":{\"type\":\"log\"},\"log\":{\"file\":{\"path\":\"/tmp/service_logs/modsec-audit-tz.log\"},\"offset\":28461},\"message\":\"{\\\"transaction\\\":{\\\"time\\\":\\\"25/Mar/2022:11:15:35 +0100\\\",\\\"transaction_id\\\":\\\"Yj2WRzj5DcQDZ5V47KL4JQAAAAE\\\",\\\"remote_address\\\":\\\"89.160.20.112\\\",\\\"remote_port\\\":47461,\\\"local_address\\\":\\\"172.21.50.216\\\",\\\"local_port\\\":443},\\\"request\\\":{\\\"request_line\\\":\\\"GET /?id=3%20or%20%27a%27=%27a%27 HTTP/2.0\\\",\\\"headers\\\":{\\\"Upgrade-Insecure-Requests\\\":\\\"1\\\",\\\"User-Agent\\\":\\\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/5.15.2 
Chrome/87.0.4280.144 Safari/537.36\\\",\\\"Accept\\\":\\\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\\\",\\\"Dnt\\\":\\\"1\\\",\\\"Accept-Language\\\":\\\"en-US,en;q=0.9\\\",\\\"Sec-Fetch-Site\\\":\\\"none\\\",\\\"Sec-Fetch-Mode\\\":\\\"navigate\\\",\\\"Sec-Fetch-User\\\":\\\"?1\\\",\\\"Sec-Fetch-Dest\\\":\\\"document\\\",\\\"Accept-Encoding\\\":\\\"gzip, deflate, br\\\",\\\"Host\\\":\\\"test.website.com\\\"}},\\\"response\\\":{\\\"protocol\\\":\\\"HTTP/1.1\\\",\\\"status\\\":403,\\\"headers\\\":{\\\"Strict-Transport-Security\\\":\\\"max-age=31536000; includeSubDomains\\\",\\\"Content-Length\\\":\\\"199\\\",\\\"Connection\\\":\\\"close\\\",\\\"Content-Type\\\":\\\"text/html; charset=iso-8859-1\\\"},\\\"body\\\":\\\"\\u003c!DOCTYPE HTML PUBLIC \\\\\\\"-//IETF//DTD HTML 2.0//EN\\\\\\\"\\u003e\\\\n\\u003chtml\\u003e\\u003chead\\u003e\\\\n\\u003ctitle\\u003e403 Forbidden\\u003c/title\\u003e\\\\n\\u003c/head\\u003e\\u003cbody\\u003e\\\\n\\u003ch1\\u003eForbidden\\u003c/h1\\u003e\\\\n\\u003cp\\u003eYou don't have permission to access this resource.\\u003c/p\\u003e\\\\n\\u003c/body\\u003e\\u003c/html\\u003e\\\\n\\\"},\\\"audit_data\\\":{\\\"messages\\\":[\\\"Warning. 
detected SQLi using libinjection with fingerprint '1\\u0026sos' [file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\\\\\\\"] [line \\\\\\\"65\\\\\\\"] [id \\\\\\\"942100\\\\\\\"] [msg \\\\\\\"SQL Injection Attack Detected via libinjection\\\\\\\"] [data \\\\\\\"Matched Data: 1\\u0026sos found within ARGS:id: 3 or 'a'='a'\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-multi\\\\\\\"] [tag \\\\\\\"platform-multi\\\\\\\"] [tag \\\\\\\"attack-sqli\\\\\\\"] [tag \\\\\\\"paranoia-level/1\\\\\\\"] [tag \\\\\\\"OWASP_CRS\\\\\\\"] [tag \\\\\\\"capec/1000/152/248/66\\\\\\\"] [tag \\\\\\\"PCI/6.5.2\\\\\\\"]\\\",\\\"Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf\\\\\\\"] [line \\\\\\\"93\\\\\\\"] [id \\\\\\\"949110\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Score: 5)\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-multi\\\\\\\"] [tag \\\\\\\"platform-multi\\\\\\\"] [tag \\\\\\\"attack-generic\\\\\\\"]\\\",\\\"Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/RESPONSE-980-CORRELATION.conf\\\\\\\"] [line \\\\\\\"91\\\\\\\"] [id \\\\\\\"980130\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"event-correlation\\\\\\\"]\\\"],\\\"error_messages\\\":[\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 89.160.20.112] ModSecurity: Warning. 
detected SQLi using libinjection with fingerprint '1\\u0026sos' [file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\\\\\\\"] [line \\\\\\\"65\\\\\\\"] [id \\\\\\\"942100\\\\\\\"] [msg \\\\\\\"SQL Injection Attack Detected via libinjection\\\\\\\"] [data \\\\\\\"Matched Data: 1\\u0026sos found within ARGS:id: 3 or 'a'='a'\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-multi\\\\\\\"] [tag \\\\\\\"platform-multi\\\\\\\"] [tag \\\\\\\"attack-sqli\\\\\\\"] [tag \\\\\\\"paranoia-level/1\\\\\\\"] [tag \\\\\\\"OWASP_CRS\\\\\\\"] [tag \\\\\\\"capec/1000/152/248/66\\\\\\\"] [tag \\\\\\\"PCI/6.5.2\\\\\\\"] [hostname \\\\\\\"test.website.com\\\\\\\"] [uri \\\\\\\"/\\\\\\\"] [unique_id \\\\\\\"Yj2WRzj5DcQDZ5V47KL4JQAAAAE\\\\\\\"]\\\",\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 89.160.20.112] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf\\\\\\\"] [line \\\\\\\"93\\\\\\\"] [id \\\\\\\"949110\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Score: 5)\\\\\\\"] [severity \\\\\\\"CRITICAL\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"application-multi\\\\\\\"] [tag \\\\\\\"language-multi\\\\\\\"] [tag \\\\\\\"platform-multi\\\\\\\"] [tag \\\\\\\"attack-generic\\\\\\\"] [hostname \\\\\\\"test.website.com\\\\\\\"] [uri \\\\\\\"/\\\\\\\"] [unique_id \\\\\\\"Yj2WRzj5DcQDZ5V47KL4JQAAAAE\\\\\\\"]\\\",\\\"[file \\\\\\\"apache2_util.c\\\\\\\"] [line 273] [level 3] [client 89.160.20.112] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. 
[file \\\\\\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/RESPONSE-980-CORRELATION.conf\\\\\\\"] [line \\\\\\\"91\\\\\\\"] [id \\\\\\\"980130\\\\\\\"] [msg \\\\\\\"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0\\\\\\\"] [ver \\\\\\\"OWASP_CRS/3.3.2\\\\\\\"] [tag \\\\\\\"event-correlation\\\\\\\"] [hostname \\\\\\\"test.website.com\\\\\\\"] [uri \\\\\\\"/\\\\\\\"] [unique_id \\\\\\\"Yj2WRzj5DcQDZ5V47KL4JQAAAAE\\\\\\\"]\\\"],\\\"action\\\":{\\\"intercepted\\\":true,\\\"phase\\\":2,\\\"message\\\":\\\"Operator GE matched 5 at TX:anomaly_score.\\\"},\\\"stopwatch\\\":{\\\"p1\\\":661,\\\"p2\\\":2717,\\\"p3\\\":0,\\\"p4\\\":0,\\\"p5\\\":352,\\\"sr\\\":153,\\\"sw\\\":0,\\\"l\\\":0,\\\"gc\\\":0},\\\"response_body_dechunked\\\":true,\\\"producer\\\":[\\\"ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)\\\",\\\"OWASP_CRS/3.3.2\\\"],\\\"server\\\":\\\"Apache\\\",\\\"engine_mode\\\":\\\"ENABLED\\\"}}\",\"tags\":[\"modsec-audit\"]}, Private:file.State{Id:\"native::2616-152\", PrevId:\"\", Finished:false, Fileinfo:(*os.fileStat)(0x4000896180), Source:\"/tmp/service_logs/modsec-audit-tz.log\", Offset:33434, Timestamp:time.Date(2023, time.June, 14, 17, 43, 15, 218322088, time.Local), TTL:-1, Type:\"log\", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0xa38, Device:0x98}, IdentifierName:\"native\"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=400): {\"type\":\"document_parsing_exception\",\"reason\":\"[1:450] failed to parse field [modsec.audit.details] of type [flattened] in document with id 'dCwBu4gBS6EiBRyaLDEP'. Preview of field's value: 'Warning. 
detected SQLi using libinjection with fingerprint '1&sos' [file \\\"/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\\\"] [line \\\"65\\\"] [id \\\"942100\\\"] [msg \\\"SQL Injection Attack Detected via libinjection\\\"] [data \\\"Matched Data: 1&sos found within ARGS:id: 3 or 'a'='a'\\\"] [severity \\\"CRITICAL\\\"] [ver \\\"OWASP_CRS/3.3.2\\\"] [tag \\\"application-multi\\\"] [tag \\\"language-multi\\\"] [tag \\\"platform-multi\\\"] [tag \\\"attack-sqli\\\"] [tag \\\"paranoia-level/1\\\"] [tag \\\"OWASP_CRS\\\"] [tag \\\"capec/1000/152/248/66\\\"] [tag \\\"PCI/6.5.2\\\"]'\",\"caused_by\":{\"type\":\"parsing_exception\",\"reason\":\"Failed to parse object: expecting token of type [START_OBJECT] but found [VALUE_STRING]\",\"line\":1,\"col\":450}}, dropping event!" ```
elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)