Open enotspe opened 4 years ago
This log gets parsed OK, and also has whitespaces inside some values
<189>date=2022-07-31 time=20:22:55 devname="FGT-PLANTA01" devid="FG6H1E5819900604" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="perimetral" eventtime=1659316975524190081 tz="-0500" policyid=206 sessionid=1706043846 srcip=10.172.47.159 srcport=52369 srcintf="P6_V474" srcintfrole="lan" dstip=209.53.113.225 dstport=80 dstintf="P2_320" dstintfrole="wan" proto=6 service="HTTP" hostname="si.namequery.com" profile="wf_mcp_acceso_planta" action="passthrough" reqtype="direct" url="http://si.namequery.com/" sentbyte=82482 rcvdbyte=38917 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology" rawdata="Method=POST|User-Agent=Mozilla/5.0 (compatible; MSIE 8.0;)" org="chinalco"
Another error on kv
[2022-08-02T16:56:19,723][WARN ][logstash.filters.kv ][syslog-fortinet-kv][6616a98f994dfc3cfa890fdb9a33fcd8f9ffe250bb0883f27647cc5bdd285438] Timeout reached in KV filter with value (entry too large to show; showing first 255 characters) `\"date=2022-08-02 time=16:55:41 devname=\"FGT-PLANTA01\" devid=\"FG6H1E5819900604\" logid=\"0317013312\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_allow\" level=\"notice\" vd=\"perimetral\" eventtime=1659477341611493234 tz=\"-0500\" policyid=214 sessionid=1874365156\"`[...]`
I think I found the original log (taken from faz)
http_url
seems to be the issue
adom_oid=3 itime=1659477340 loguid=7127400903753074807 epid=37233 euid=3 data_parsername="FortiGate parser" data_sourceid="FG6H1E5819900604" data_sourcename="FGT-PLANTA01 perimetral" data_sourcetype="FortiGate" data_timestamp="1659477341" app_service="HTTPS" dst_domain="googleads.g.doubleclick.net" dst_intf="P2_320(wan)" dst_ip="::ffff:64.233.186.154" dst_port=443 event_action="passthrough" event_id=317013312 event_message="URL belongs to an allowed category in policy" event_severity="notice" event_subtype="webfilter" event_type="utm" host_ip="::ffff:10.172.65.200" host_name="10.172.65.200" http_referer="https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-6909105969133411&output=html&h=280&adk=100604191&adf=1810213379&pi=" http_url="https://googleads.g.doubleclick.net/pagead/adview?ai=CG6wCXJ3pYpzpJpKHhAXzgZnwB-KahOVq74XIrpMPiu6S8rAJEAEg3fy8jgFg3QSgAYmTsvIDyAEJqAMByAPLBKoE9QFP0I6Zg-eJZ3YOQS_-8RbyZ4qUt2lUWb0wWmea9XAd6p1rM7MUc5pCJjjNwof8_zpXJo3kbpsiByC3E7eA8okci5vnPs_Ks6J6gKq5NiW7PeyX3PswATOT_kSNMCykzQK6_6MyKZQ94FoO-nPZ-b0sy3FHUKDCIV2Imp0dcrvKABPbCG-gp4klpPN1LLPG4AM9RrHtzOqym3xpEdG95U5Xv6B6fYlN10KSDMq46dhSNtwdr9_xKXZ5v_0naVQdsJxDxU0UzPMg-v5SVjJpHaTYw8KTKT8bIS8Hm4CYwoD7TQdW5paBJZ65jii6INuWvjK7Q25oYsAEzLWOspoCkgUECAQYAZIFBAgFGASQBgGgBi6AB" net_proto="6" net_recvbytes=108163 net_sentbytes=14342 net_sessionid="1874365156" src_intf="P6_V310(lan)" src_ip="::ffff:10.172.65.200" src_port=60272
Just detected some parsing issue with this log
<185>date=2020-03-28 time=21:37:11 devname="MASTER_CALLEUNO" devid="FG5H1E5818909999" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1585449431 severity="high" srcip=51.81.126.39 srccountry="United States" dstip=192.168.253.169 srcintf="port1" srcintfrole="wan" dstintf="port2" dstintfrole="lan" sessionid=2060097095 action="dropped" proto=6 service="HTTP" policyid=13 attack="HTTP.URI.SQL.Injection" srcport=58637 dstport=80 hostname="somehostname.com" url="/Miercoles/Portal/MME/descargar.aspx?archivo=A1A44AFA-694A-4264-8F8B-14BA4595D993.PDF AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')" direction="outgoing" attackid=15621 profile="all_default" ref="http://www.fortinet.com/ids/VID15621" incidentserialno=1846760869 msg="web_misc: HTTP.URI.SQL.Injection," crscore=30 crlevel="high"
The issue is on
url="/Miercoles/Portal/MME/descargar.aspx?archivo=A1A44AFA-694A-4264-8F8B-14BA4595D993.PDF AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')"
it gets parsed like
fortios.url= "/Miercoles/Portal/MME/descargar.aspx?archivo=A1A44AFA-694A-4264-8F8B-14BA4595D993.PDF
I am missing half of the value. I will do some troubleshooting