Getting Data In

How to edit props.conf to line break modsecurity events?

Shark2112
Communicator

Hey guys. I want modsecurity events in Splunk, but can't make the right config.

I have events like this:

--d021db15-A--
[22/Dec/2016:12:46:22 +0300] WFug7n8AAAEAAAgUFKYAAABM 192.168.13.2 58507 192.168.13.141 80
--d021db15-B--
GET /?param=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 192.168.13.141
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
If-None-Match: "13-54429b1b62789"
If-Modified-Since: Wed, 21 Dec 2016 11:45:49 GMT

--d021db15-F--
HTTP/1.1 304 Not Modified
Last-Modified: Wed, 21 Dec 2016 11:45:49 GMT
ETag: "13-54429b1b62789"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

--d021db15-E--

--d021db15-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache2/modsecurity.d/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header i

r: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.23 (Unix) PHP/5.6.29
Engine-Mode: "DETECTION_ONLY"

--d021db15-Z--

so it starts from --\w+-A-- and ends with --\w+-Z--

my config:
[modsec_audit]
CHARSET = UTF-8
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
LINE_BREAKER = --\w+-A--
disabled = false
SHOULD_LINEMERGE = true
MUST_BREAK_AFTER = --\w+-Z--
TRUNCATE = 0

or BREAK_ONLY_BEFORE_DATE = true instead of MUST_BREAK_AFTER.

But it's all wrong, and I see events like "Stopwatch: 1482404729925426 2897 (- - -)" for example, or starting from .

0 Karma
1 Solution

Shark2112
Communicator

The trouble was in MAX_EVENTS, that's why I had truncated events.

0 Karma


somesoni2
Revered Legend

Something like this would work fine

[modsec_audit]
category = Custom
LINE_BREAKER = ([\r\n]+)(?=--\w+-A-)
SHOULD_LINEMERGE = false
TRUNCATE = 0
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 26

niketn
Legend

I copied your data twice to a dummy log file and modified the time to mark separate events. I was able to get two events just by adding a BREAK_ONLY_BEFORE condition on top of SHOULD_LINEMERGE=true.

[modsec_audit]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=--d021db15-A--

Please let me know if this is what you expect.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
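To see what the three stanzas in this thread actually do to a stream of audit transactions, here is an added Python emulation of the relevant props.conf semantics. It is not Splunk code and not from any of the posters: it models somesoni2's LINE_BREAKER / TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD settings, niketn's BREAK_ONLY_BEFORE under SHOULD_LINEMERGE=true, and the MAX_EVENTS cap on the line merger (Splunk's documented default is 256 lines) that the accepted answer names as the cause of the truncated events. The sample log, transaction ids, addresses and the 300-line request body are constructed; the emulation follows the documented behaviour of these settings as I understand it, so confirm against a test index before relying on it.

```python
import re
from datetime import datetime

# Constructed sample (not from the thread): three serial-format ModSecurity audit
# transactions with sections A/B/(C)/F/H/Z. Ids, addresses and the 300-line body
# are made up; the long body exists only to show what MAX_EVENTS does.
def _transaction(tid, ts, body_lines=()):
    parts = [
        f"--{tid}-A--",
        f"[{ts}] uid{tid} 192.168.13.2 58507 192.168.13.141 80",
        f"--{tid}-B--",
        "POST /login HTTP/1.1" if body_lines else "GET /?param=%3Cscript%3E HTTP/1.1",
        "Host: 192.168.13.141",
        "",
    ]
    if body_lines:
        parts += [f"--{tid}-C--", *body_lines, ""]
    parts += [
        f"--{tid}-F--", "HTTP/1.1 200 OK", "",
        f"--{tid}-H--",
        'Message: Warning. Pattern match at REQUEST_HEADERS:Host. [id "920350"]',
        "Stopwatch: 1482404729925426 2897 (- - -)",
        'Engine-Mode: "DETECTION_ONLY"',
        "",
        f"--{tid}-Z--", "",
    ]
    return "\n".join(parts)

SAMPLE_LOG = "\n".join([
    _transaction("d021db15", "22/Dec/2016:12:46:22 +0300"),
    _transaction("e9f31ac2", "22/Dec/2016:12:47:05 +0300",
                 [f"field{i}=value{i}" for i in range(300)]),
    _transaction("0a7c44e1", "22/Dec/2016:12:48:40 +0300"),
])

# somesoni2's stanza: SHOULD_LINEMERGE=false, events cut by LINE_BREAKER alone.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=--\w+-A-)")
TIME_PREFIX = re.compile(r"\[")
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
MAX_TIMESTAMP_LOOKAHEAD = 26  # "22/Dec/2016:12:46:22 +0300" is exactly 26 characters


def split_events(raw):
    """Emulate LINE_BREAKER: the text captured by group 1 is discarded and the next
    event starts right after it; the lookahead leaves the --<id>-A-- marker at the
    head of each event. The line merger (and so MAX_EVENTS) never runs."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_timestamp(event):
    """Emulate TIME_PREFIX/TIME_FORMAT/MAX_TIMESTAMP_LOOKAHEAD: find the prefix,
    parse at most LOOKAHEAD characters after it. None stands for the cases where
    Splunk must fall back to another time source (e.g. an event that starts
    mid-transaction and whose first '[' is inside a rule message)."""
    m = TIME_PREFIX.search(event)
    if m is None:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    try:
        return datetime.strptime(window, TIME_FORMAT)
    except ValueError:
        return None


def line_merge(raw, break_only_before, max_events=256):
    """Emulate SHOULD_LINEMERGE=true + BREAK_ONLY_BEFORE + MAX_EVENTS. The default
    breaker first splits the stream on runs of CR/LF (so blank lines vanish); the
    merger then appends each line to the current event unless the line matches
    BREAK_ONLY_BEFORE or the event already holds max_events lines, in which case
    it breaks and the remaining lines start a new event wherever they are."""
    pattern = re.compile(break_only_before)
    events, current = [], []
    for line in re.split(r"[\r\n]+", raw):
        if not line:
            continue
        if (current and pattern.search(line)) or len(current) >= max_events:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for label, events in [
        ("LINE_BREAKER, no line merge", split_events(SAMPLE_LOG)),
        ("BREAK_ONLY_BEFORE=--\\w+-A--, MAX_EVENTS=256", line_merge(SAMPLE_LOG, r"--\w+-A--")),
        ("BREAK_ONLY_BEFORE=--\\w+-A--, MAX_EVENTS=1000", line_merge(SAMPLE_LOG, r"--\w+-A--", 1000)),
        ("BREAK_ONLY_BEFORE=--d021db15-A--, MAX_EVENTS=1000", line_merge(SAMPLE_LOG, r"--d021db15-A--", 1000)),
    ]:
        print(label)
        for e in events:
            lines = e.splitlines()
            print(f"  {len(lines):4d} lines, time={extract_timestamp(e)}, starts with {lines[0]!r}")
```

Running it shows the symptom from the question: with BREAK_ONLY_BEFORE and the default MAX_EVENTS, the 313-line transaction is cut at 256 lines and the remainder becomes its own event that starts mid-body and carries no parseable timestamp, exactly the kind of "Stopwatch: ..." fragment the asker saw. Raising MAX_EVENTS (or dropping line merging in favour of the LINE_BREAKER stanza, where the cap does not apply and TRUNCATE=0 covers the byte limit) yields one event per transaction. It also shows why the literal `--d021db15-A--` from the sample should not go into production config: the id changes for every transaction, so every later transaction is merged into the first event; the `--\w+-A--` form the asker already described handles all of them.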

Shark2112
Communicator

I made a separate index and added a file with the same sourcetype, and it all works fine, which is so strange. I will check the difference and write back afterwards.

0 Karma