Solved: Re: How to edit props.conf to line break modsecuri...

Shark2112 · ‎12-22-2016

Hey guys. I want modsecurity events in Splunk, but can't make right config.

I have events like this:

--d021db15-A--
[22/Dec/2016:12:46:22 +0300] WFug7n8AAAEAAAgUFKYAAABM 192.168.13.2 58507 192.168.13.141 80
--d021db15-B--
GET /?param=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 192.168.13.141
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
If-None-Match: "13-54429b1b62789"
If-Modified-Since: Wed, 21 Dec 2016 11:45:49 GMT

--d021db15-F--
HTTP/1.1 304 Not Modified
Last-Modified: Wed, 21 Dec 2016 11:45:49 GMT
ETag: "13-54429b1b62789"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

--d021db15-E--

--d021db15-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache2/modsecurity.d/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header i

r: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.23 (Unix) PHP/5.6.29
Engine-Mode: "DETECTION_ONLY"

--d021db15-Z--

so it's start from --\w+-A-- and end with --\w+-Z--

my config:
[modsec_audit]
CHARSET = UTF-8
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
LINE_BREAKER = --\w+-A--
disabled = false
SHOULD_LINEMERGE = true
MUST_BREAK_AFTER = --\w+-Z--
TRUNCATE = 0

or BREAK_ONLY_BEFORE_DATE = true instead MUST_BREAK_AFTER.

but it's all wrong and i see events like "Stopwatch: 1482404729925426 2897 (- - -)" for example, or starting from .

Shark2112 · ‎12-26-2016

trouble was in MAX_EVENTS, that's why i have truncated events

View solution in original post

Shark2112 · ‎12-26-2016

trouble was in MAX_EVENTS, that's why i have truncated events

somesoni2 · ‎12-23-2016

Something like this would work fine

[modsec_audit]
category = Custom
LINE_BREAKER = ([\r\n]+)(?=--\w+-A-)
SHOULD_LINEMERGE = false
TRUNCATE = 0
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 26

niketn · ‎12-22-2016

I copied your data twice to a dummy log file and modified time to mark separate events. I was able to get two events just by adding BREAK_ONLY_BEFORE condition on top of SHOULD_LINEMERGE=true

[modsec_audit]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=--d021db15-A--

Please let me know if this is what you expect.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Shark2112 · ‎12-26-2016

I made separated index and add file with same sourcetype and all work fine, it's so strange. I will check the difference and write after.

How to edit props.conf to line break modsecurity events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation