Getting Data In

How to edit props.conf to line break modsecurity events?

Shark2112
Communicator

Hey guys. I want modsecurity events in Splunk, but can't make right config.

I have events like this:

--d021db15-A--
[22/Dec/2016:12:46:22 +0300] WFug7n8AAAEAAAgUFKYAAABM 192.168.13.2 58507 192.168.13.141 80
--d021db15-B--
GET /?param=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 192.168.13.141
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
If-None-Match: "13-54429b1b62789"
If-Modified-Since: Wed, 21 Dec 2016 11:45:49 GMT

--d021db15-F--
HTTP/1.1 304 Not Modified
Last-Modified: Wed, 21 Dec 2016 11:45:49 GMT
ETag: "13-54429b1b62789"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

--d021db15-E--

--d021db15-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache2/modsecurity.d/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header i

r: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.23 (Unix) PHP/5.6.29
Engine-Mode: "DETECTION_ONLY"

--d021db15-Z--

so it's start from --\w+-A-- and end with --\w+-Z--

my config:
[modsec_audit]
CHARSET = UTF-8
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
LINE_BREAKER = --\w+-A--
disabled = false
SHOULD_LINEMERGE = true
MUST_BREAK_AFTER = --\w+-Z--
TRUNCATE = 0

or BREAK_ONLY_BEFORE_DATE = true instead MUST_BREAK_AFTER.

but it's all wrong and i see events like "Stopwatch: 1482404729925426 2897 (- - -)" for example, or starting from .

0 Karma
1 Solution

Shark2112
Communicator

trouble was in MAX_EVENTS, that's why i have truncated events

View solution in original post

0 Karma

Shark2112
Communicator

trouble was in MAX_EVENTS, that's why i have truncated events

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Something like this would work fine

[modsec_audit]
category = Custom
LINE_BREAKER = ([\r\n]+)(?=--\w+-A-)
SHOULD_LINEMERGE = false
TRUNCATE = 0
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 26

niketn
Legend

I copied your data twice to a dummy log file and modified time to mark separate events. I was able to get two events just by adding BREAK_ONLY_BEFORE condition on top of SHOULD_LINEMERGE=true

[modsec_audit]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=--d021db15-A--

Please let me know if this is what you expect.

alt text

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Shark2112
Communicator

I made separated index and add file with same sourcetype and all work fine, it's so strange. I will check the difference and write after.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...