Getting Data In

How to edit props.conf to line break modsecurity events?

Communicator

Hey guys. I want ModSecurity events in Splunk, but I can't get the config right.

I have events like this:

--d021db15-A--
[22/Dec/2016:12:46:22 +0300] WFug7n8AAAEAAAgUFKYAAABM 192.168.13.2 58507 192.168.13.141 80
--d021db15-B--
GET /?param=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 192.168.13.141
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
If-None-Match: "13-54429b1b62789"
If-Modified-Since: Wed, 21 Dec 2016 11:45:49 GMT

--d021db15-F--
HTTP/1.1 304 Not Modified
Last-Modified: Wed, 21 Dec 2016 11:45:49 GMT
ETag: "13-54429b1b62789"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

--d021db15-E--

--d021db15-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache2/modsecurity.d/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header i

r: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.23 (Unix) PHP/5.6.29
Engine-Mode: "DETECTION_ONLY"

--d021db15-Z--

so it starts with --\w+-A-- and ends with --\w+-Z--

my config:
[modsec_audit]
CHARSET = UTF-8
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
LINE_BREAKER = --\w+-A--
disabled = false
SHOULD_LINEMERGE = true
MUST_BREAK_AFTER = --\w+-Z--
TRUNCATE = 0

or BREAK_ONLY_BEFORE_DATE = true instead of MUST_BREAK_AFTER.

But it's all wrong, and I see events like "Stopwatch: 1482404729925426 2897 (- - -)" for example, or starting from .


Communicator

The trouble was in MAX_EVENTS; that's why I have truncated events.


Revered Legend

Something like this would work fine

[modsec_audit]
category = Custom
LINE_BREAKER = ([\r\n]+)(?=--\w+-A-)
SHOULD_LINEMERGE = false
TRUNCATE = 0
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 26
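To see what these settings do before touching a real props.conf, here is an added Python script (not from this thread or from Splunk) that applies the LINE_BREAKER, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD values above to a constructed two-entry sample; the second entry's transaction id and timestamp are made up, and the Splunk semantics assumed are that the first capture group of LINE_BREAKER is discarded and the event boundary placed there.

```python
import re
from datetime import datetime

# Constructed sample (not from the thread): two abridged audit entries back to back.
SAMPLE = (
    "--d021db15-A--\n"
    "[22/Dec/2016:12:46:22 +0300] WFug7n8AAAEAAAgUFKYAAABM 192.168.13.2 58507 192.168.13.141 80\n"
    "--d021db15-B--\n"
    "GET /?param=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1\n"
    "Host: 192.168.13.141\n"
    "\n"
    "--d021db15-Z--\n"
    "\n"
    "--e13fa2c0-A--\n"
    "[22/Dec/2016:12:47:05 +0300] WFuhKX8AAAEAAAgVFLcAAABN 192.168.13.2 58512 192.168.13.141 80\n"
    "--e13fa2c0-B--\n"
    "GET /index.html HTTP/1.1\n"
    "\n"
    "--e13fa2c0-Z--\n"
)

# The props.conf settings from the answer above, expressed in Python.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=--\w+-A-)")
TIME_PREFIX = re.compile(r"\[")
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
MAX_TIMESTAMP_LOOKAHEAD = 26  # exactly the length of "22/Dec/2016:12:46:22 +0300"

def break_events(raw):
    """Split the stream the way LINE_BREAKER does (assumed semantics): the text
    matched by the first capture group is discarded and the boundary placed there."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        chunk = raw[start:m.start(1)]
        if chunk.strip():
            events.append(chunk)
        start = m.end(1)
    tail = raw[start:]
    if tail.strip():
        events.append(tail)
    return events

def extract_time(event):
    """Mimic TIME_PREFIX plus MAX_TIMESTAMP_LOOKAHEAD: parse only the
    characters that follow the first '[' in the event."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    return datetime.strptime(window, TIME_FORMAT)
```

If the breaker regex is changed (for example to one without a capture group, as in the question's first attempt), the split will not produce one event per -A-/-Z- block, which is a quick way to validate a props.conf stanza before reindexing.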

Legend

I copied your data twice to a dummy log file and modified the time to mark separate events. I was able to get two events just by adding a BREAK_ONLY_BEFORE condition on top of SHOULD_LINEMERGE=true.

[modsec_audit]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=--d021db15-A--

Please let me know if this is what you expect.


____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Communicator

I made a separate index and added a file with the same sourcetype, and it all works fine; it's so strange. I will check the difference and write back afterwards.
