All Apps and Add-ons

Handling multiple Message entries

jairjr
Path Finder

My modsec_audit.log has multiple "Message" lines, so the tracking tab never shows me the blocked actions, as it only searches for it in the first Message entry. Any idea if I need to change my modsecurity config to make it work?

Sample:

--07b0a65c-H--
Message: [file "/etc/httpd/owasp-modsecurity-crs-3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n)on foun
d within ARGS:Password: xxxxxxx"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/W
EB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] Warning. detected SQLi using libinjection with fingerprint 'n)on'
Message: [file "/etc/httpd/owasp-modsecurity-crs-3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-mul
ti"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score.
Message: [file "/etc/httpd/owasp-modsecurity-crs-3.0/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=
0,SESS=0): SQL Injection Attack Detected via libinjection"] [tag "event-correlation"] Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1492672332302715 14987 (- - -)
Stopwatch2: 1492672332302715 14987; combined=13508, p1=560, p2=12780, p3=0, p4=0, p5=167, sr=70, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache
Engine-Mode: "ENABLED"

0 Karma

support0
Path Finder

Hi jairjr,

This tracking dashboard is based on a Splunk search whose purpose is to handle ModSecurity audit logs even in the case of events having multiple messages.

In your log sample, the event message only comes at the end:

Message: [file "..."] [line ".."] Warning. detected SQLi using libinjection with fingerprint 'n)on'

Usually - log sources I have used, log references here and there - this message appears at the very begining:

Message: Warning. Pattern match "^0$|^$" at RESPONSE_HEADERS. [file "..."] [line "..."] [severity "..."] ....

Thing is field extraction does look for the message at the begining :

Message: <Message extraction>. [rest of the event...

The extration is not only used on the Tracking dashboard but also to determine the action that has been taken.

For instance if you got a event like:

Message: Access Denied.... [...]...

The action field would take the "blocked" value whereas it would take "allowed" in other cases.

This action field is used in the Overview dashboard in the Action Distribution panel.

So I suggest trying to understand first why your events are like "Message: [stuff ...] Message" instead of "Message: Message [stuff ...]".

Are all your events this way?

0 Karma

jairjr
Path Finder

Yeah looks like that is the problem. Can we support both ways? Looks like this Anomaly Scoring Detection Mode is the default one in new installations now. Thank you.

0 Karma

support0
Path Finder

Hello jairjr,

I somehow did not get notified of your comment so I am sorry for the very late answer, I'll check on supporting it both ways and get back to you !

0 Karma

support0
Path Finder

According to the link you have posted, even using Anomaly Scoring Detection Mode, ModSecurity events seem to be like "Message: Message [stuff ...]" :

--0a4c3b0e-H--
Message: Pattern match "\bselect\b.{0,40}\buser\b" at ARGS:foo. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "67"] [id "959514"] [rev "2.0.9"] [msg "Blind SQL Injection Attack"] [data "select * from user"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Pattern match "\bunion\b.{1,100}?\bselect\b" at ARGS:foo. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "257"] [id "959047"] [rev "2.0.9"] [msg "SQL Injection Attack"] [data "union select"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:0. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=10, XSS=): Last Matched Message: SQL Injection Attack"] [data "Last Matched Data: union select"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/local/apache/conf/modsec_current/base_rules/modsecurity_crs_60_correlation.conf"] [line "36"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10, SQLi=10, XSS=): SQL Injection Attack"]
Action: Intercepted (phase 2)
Stopwatch: 1290012416382280 122228 (8369 120370 -)
Producer: ModSecurity for Apache/2.5.13dev2 (http://www.modsecurity.org/); core ruleset/2.0.9.
Server: Apache/2.2.12 (Unix) mod_ssl/2.2.12 OpenSSL/0.9.8l DAV/2
--0a4c3b0e-Z--

Are you sure there is no custom setting in your configuration set on the way alerts are being logged/written?

0 Karma

jairjr
Path Finder

I think it's because I'm using the Anomaly Scoring Detection Mode instead of the Traditional Mode, see here:

http://blog.modsecurity.org/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detect...

That's what it looks like, I'll make some tests and report back.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!