Closed ysazman closed 4 years ago
Please provide request sample which causes such issue.
A sample request is:
curl -i 'http://a.juicebox12345.com:8080?id=81 OR 1=1'
It should trigger syslog messages that looks like the snippet below (notice the use of " to escape "):
policy_name="/Common/policy1",protocol="HTTP",request="GET /?id=81 OR 1=1 HTTP/1.1\r\nUser-Agent: curl/7.29.0\r\nHost: a.juicebox12345.com:8080\r\nAccept: /\r\n",request_status="blocked",response_code="0",severity="Critical",sig_cves="N/A",sig_ids="200002147,200002835,200002476",sig_names="SQL-INJ expressions like ""or 1=1"" (3),SQL-INJ expressions like ""OR 1=1"" (7) (Parameter),SQL-INJ expressions like ""or 1=1"" (6) (Parameter)",sig_set_names="{Generic Detection Signatures;SQL Injection Signatures},{Generic Detection Signatures;SQL Injection Signatures},{Generic Detection Signatures;SQL Injection Signatures}"
On ELK, the sig_names field are broken into 3 fields as a result:
sig_names "SQL-INJ expressions like ""or 1=1"" (3)
?SQL-INJ expressions like ""OR 1 1"" (7) (Parameter)
?SQL-INJ expressions like ""or 1 1"" (6) (Parameter)"
What kind of log message format do you use? This setup currently supports only "splunk" format.
App-Protect default log format which is CSV i believe. So just to clarify, ELK only currently supports splunk format?
Thanks.
That is correct. Currently logstash which receives logs from App-Protect and feeds them to Elasticsearch expects them in "splunk" format.
I was using the default format withthe following configuration in log-default.json:
{
"filter": {
"request_type": "all"
},
"content": {
"format": "default",
"max_request_size": "any",
"max_message_size": "5k"
}
}
I added the following lines into /logstash/conf.d/30-waf-logs-full-logstash.conf file,
input {
syslog {
port => 5144
}
}
filter {
mutate {
gsub => ["message","\"\"","\""]
}
kv {
field_split => ","
}
It looks to me that replacing "" with \" fixed the " escape character issue, sig_names can be parsed and showed in Kabinan correctly. But I am not sure if this change would break something esle.
@464d41 the logstash config assumes a CSV output, not a Splunk format. See that the default log format for NAP is CSV.
NAP 1.3 (the latest release as of this date) may have addressed this issue when the quoting was changed. Please try to reproduce this with an attack like this: curl "yourhostname/v=|%20uname%20-a%20&%20users" --verbose
curl "yourhostname/v=|%20uname%20-a%20&%20users" --verbose
Seem to work. Don't see any artifacts of parsing.
PR #6 appears to have addressed this issue. Closing.
App-Protect Beta, ELK not recognizing double-quotes escape