diff --git a/honeytraps/waf_elk/misp-push/misp-push.py b/honeytraps/waf_elk/misp-push/misp-push.py
index b67a3b6..00dd966 100755
--- a/honeytraps/waf_elk/misp-push/misp-push.py
+++ b/honeytraps/waf_elk/misp-push/misp-push.py
@@ -1,6 +1,7 @@
 #!.venv/bin/python3
 # -*- coding: utf-8 -*-
 from datetime import datetime, timedelta, timezone
+from dateutil import tz
 from elasticsearch_async import AsyncElasticsearch
 #from elasticsearch import Elasticsearch, TransportError
 from urllib3.exceptions import ConnectTimeoutError
@@ -11,44 +12,57 @@
 import time
 import os
 import logging
-from typing import Callable, Any
+from typing import Callable, Any, Tuple
 from pymisp import PyMISPError, ExpandedPyMISP, MISPEvent, MISPTag
 import requests
-def unixTimeStamp(dt):
- return dt.isoformat()
- #return dt.replace(tzinfo=timezone.utc).timestamp()
-class MispEvent(object):
- '''MISP event object on MISP'''
+class ModsecLog():
+ '''Helps to get certain data out of the Modsec JSON Logs'''
+ log: dict = None
- ##Event consists of distribution, information, analysis and threat
- # The distribution setting used for the attributes and for the newly created event, if relevant. [0-3].
- distrib = 0
+ def __init__(self, json_log):
+ self.log = json_log['_source']
- # Used to populate the event info field if no event ID supplied.
- info = 'This is event generated from PyMISP'
+ def parseModsecDate(self, dateTime: str) -> datetime:
+ '''Parses ModSecurity log's shitty date string into datetime.
+ Example: "15/Jan/2020:09:46:15 +0000" '''
+ parts = dateTime.split(":")
+ end = parts[3].split(" ")
+ date = parts[0].split("/")
- # The analysis level of the newly created event, if applicable. [0-2]
- analysis = 0
+ # Splitting to get values
+ day = date[0]
+ month = self.__monthToNum__(date[1])
+ year = date[2]
+ hour = parts[1]
+ minute = parts[2]
+ second = end[0]
+ # Calculating tz Offset to create tzinfo
+ tzModifier = end[1][0:1]
+ tzhours = end[1][1:3]
+ tzminutes = end[1][3:4]
+ offsetInSeconds = (int(tzminutes)*60 + int(tzhours)*60*60)
+ offsetInSeconds = offsetInSeconds if (tzModifier == "+") else -offsetInSeconds
+ tzLocal = tz.tzoffset('', offsetInSeconds)
+ return datetime(int(year), int(month), int(day), int(hour), int(minute), int(second), tzinfo=tzLocal)
- # The threat level ID of the newly created event, if applicable. [1-4]
- threat = 1
+ def __monthToNum__(self, month: str) -> int:
+ months = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec']
+ return months.index(month) + 1
+
+ def getRequestLine(self) -> Tuple[str, str, str]:
+ '''returns [http_method, url, http_version] '''
+ request = self.log['request']['request_line'].split(" ")
+ return (request[0], request[1], request[2])
- """docstring for MispEvent"""
- def __init__(self, distribution,info,analysis,threat):
- super(MispEvent, self).__init__()
- self.distrib = distribution
- self.info = info
- self.analysis = analysis
- self.threat = threat
 class MispConnector():
 # TODO: Switch to ExpandedPyMISP
 misp = None
 tagsGenerated = False
 def __init__(self, url, apiKey):
 self.misp = ExpandedPyMISP(url, apiKey, MISP_VERIFYCERT, debug=False)
- self.generate_misp_tags
+ self.generate_misp_tags()
 log.info("MISP tags generated")
 def generate_misp_tags(self) -> bool:
@@ -61,16 +75,14 @@ def generate_misp_tags(self) -> bool:
 log.warning("could not connect to MISP")
 return False
- def send_misp_event(self, misp_event):
- try:
- event = self.misp.new_event(misp_event.distrib, misp_event.threat, misp_event.analysis, misp_event.info)
- self.misp.add_tag(event, 'AutoGenerated', attribute=False)
- self.misp.add_tag(event, 'HoneytrapEvent', attribute=False)
- self.misp.add_tag(event, 'ModSecurity', attribute=False)
- log.debug(event)
- except PyMISPError as e:
- log.warning("could not connect to MISP")
- return False
+ def send_misp_event(self, json_log):
+ logEvent = ModsecLog(json_log)
+ event = self.generate_event(logEvent)
+ #self.misp.add_tag('AutoGenerated')
+ #self.misp.add_tag('HoneytrapEvent')
+ #self.misp.add_tag('ModSecurity')
+ self.misp.add_event(event)
+ log.debug(event)
 def generate_event_info(self, json_log):
 attacker_ip_address = json.dumps(json_log['_source']['transaction']['remote_address'])
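Review bot: `tzminutes = end[1][3:4]` in parseModsecDate reads only the first digit of the minute field, so an offset such as `+0530` yields 3 minutes instead of 30; the slice should be `[3:5]`. The hand-rolled parse, `__monthToNum__` included, can be replaced by the stdlib — `return datetime.strptime(dateTime, "%d/%b/%Y:%H:%M:%S %z")` handles the `15/Jan/2020:09:46:15 +0000` form shown in the docstring under a C/English locale, including the `%z` offset — which would also make the `dateutil` import added in the first hunk unnecessary. `months.index(month)` raises ValueError on an unexpected month token, and because the watcher loop no longer catches Exception (see the `run()` hunk) that ends the process; strptime fails the same way, so the caller still needs to handle ValueError for a malformed `transaction.time`. ModsecLog is complete within this hunk; MispConnector.generate_misp_tags continues past it.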
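Review bot: send_misp_event no longer guards `self.misp.add_event(event)`, and the `run()` hunk further down comments out both `except PyMISPError` and `except Exception`, so a MISP outage or a rejected event now propagates out of the watcher loop and stops the poller instead of being logged and retried on the next interval. The removed version handled PyMISPError here; that handler should come back around add_event, and the response should be checked as well, since PyMISP reports server-side validation failures in an `errors` entry of the returned dict rather than by raising (confirm against the installed PyMISP version). The three commented-out add_tag calls drop the tagging the old code applied, so pushed events are no longer marked as auto-generated honeytrap data; if tagging is deferred on purpose, a TODO saying so would help the next reader. The enclosing class continues outside the hunk.
```python
    def send_misp_event(self, json_log):
        event = self.generate_event(ModsecLog(json_log))
        try:
            result = self.misp.add_event(event)
        except PyMISPError as e:
            log.warning("could not send event to MISP: %s", e)
            return False
        # PyMISP reports server-side rejections in the response, not by raising
        if isinstance(result, dict) and 'errors' in result:
            log.warning("MISP rejected event: %s", result['errors'])
            return False
        log.debug(result)
        return True
```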
@@ -81,9 +93,27 @@ def generate_event_info(self, json_log):
 event_info = "Attack identified from the "+attacker_ip_address+" at timestamp "+transaction_time+" "+audit_data+" This information is generated from "+audit_data_producer
 return event_info
- def generate_event(self, json_log):
- misp_event_info = self.generate_event_info(json_log)
- return MispEvent(0,misp_event_info,0,1)
+ def generate_event(self, modsecLog: ModsecLog) -> MISPEvent:
+ event = MISPEvent()
+ event.info = "test"
+ #self.misp.add_attribute()
+ #event.add_attribute(type='ip-src', value=, pythonify=True)
+ event.add_attribute(type='ip-src|port', value=str(modsecLog.log['transaction']['remote_address']) + "|" + str(modsecLog.log['transaction']['remote_port']), comment="Attacker", pythonify=True)
+ event.add_attribute(type='ip-dst|port', value=str(modsecLog.log['transaction']['local_address']) + "|" + str(modsecLog.log['transaction']['local_port']), comment="Server", pythonify=True)
+ event.add_attribute(type='datetime', value=modsecLog.parseModsecDate(modsecLog.log['transaction']['time']).isoformat(), pythonify=True)
+
+ [http_method, url, http_version] = modsecLog.getRequestLine()
+ #event.add_attribute(type='comment', value=json_log['transaction']['time'], pythonify=True)
+ #event.add_attribute(type='text', value=json_log['transaction']['time'], pythonify=True)
+ #json_log['audit_data']['producer']
+ event.add_attribute(type='http-method', value=http_method, pythonify=True)
+ event.add_attribute(type='url', value=url, pythonify=True)
+ #event.add_attribute(type='vulnerability', value=json_log['transaction']['time'], pythonify=True)
+
+ #event.add_tag()
+ log.debug("elasticsearch data")
+ log.debug(json.dumps(modsecLog.log, indent=2))
+ return event
 class ElasticConnector():
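Review bot: `event.info = "test"` ships a placeholder title, so every event pushed to MISP is indistinguishable in the event list, while generate_event_info, which already builds a description from the transaction fields, is left without a caller; the info should come from it (it expects the raw hit with `_source`, whereas ModsecLog keeps only `json_log['_source']`, so either pass the hit through or adapt generate_event_info to take the ModsecLog). The `request_line` consumed by getRequestLine is attacker-controlled; a malformed request with fewer than three space-separated parts raises IndexError at `request[2]`, and with the generic handler in run() commented out that stops the watcher — check `len(request) == 3` before indexing and skip the hit with a warning otherwise. The `url` attribute receives the bare request path (`/?q=...` in the sample data below), which is not a URL; MISP's `uri` type looks like the closer fit, or prefix the `Host` header to form a full URL (confirm against MISP's attribute validation). `log.debug(json.dumps(modsecLog.log, indent=2))` writes the whole hit, request headers and cookies included, to the log for every event; fine for development, but it should be gated or removed before the collector runs against production logs.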
@@ -119,7 +149,7 @@ async def wait_until_up(self) -> None:
 await asyncio.sleep(1)
 async def search(self, start: datetime, end: datetime) -> bool:
- return await self.es.search(index=self.index,body={'query':{'range':{'@timestamp':{'gte':unixTimeStamp(start),'lt':'now'}}}})
+ return await self.es.search(index=self.index,body={'query':{'range':{'@timestamp':{'gte':start.isoformat(),'lt':'now'}}}})
 class Watcher():
 dataUploaded = None
@@ -141,16 +171,16 @@ async def run(self):
 log.debug('Got %d Hits:' % res['hits']['total']['value'])
 self.sendEvents(res)
 self.lastSearched = datetime.now()
- except PyMISPError as e:
- log.warning("Failed to connect to MISP, error: " + str(e))
+ #except PyMISPError as e:
+ # log.warning("Failed to connect to MISP, error: " + str(e))
 except ConnectTimeoutError as e:
 log.warning("Failed querying ElasticSearch, error: " + str(e))
 except ConnectionRefusedError as e:
 log.warning("Transaction failed, error: " + str(e))
 except ConnectionError as e:
 log.warning("Connection error: " + str(e))
- except Exception as e:
- log.error("Unknown error: " + str(e))
+ #except Exception as e:
+ # log.error("Unknown error: " + str(e))
 await asyncio.sleep(self.WATCH_INTERVAL)
 async def queryElastic(self):
@@ -159,9 +189,7 @@ async def queryElastic(self):
 def sendEvents(self, results):
 for event in results['hits']['hits']:
 log.debug('Index is ' + event['_index'])
- misp_event_obj = self.misp.generate_event(event)
- log.debug('=====================================================')
- self.misp.send_misp_event(misp_event_obj)
+ self.misp.send_misp_event(event)
 log.info("New Events sent to MISP")
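Review bot: `start.isoformat()` emits a timestamp with no UTC offset when `start` is naive, and run() (context in the next hunk) stores `self.lastSearched = datetime.now()`, which is local time without tzinfo; if that value is what reaches `start`, Elasticsearch by default reads the offset-less string as UTC, so on a host not running in UTC the `gte` bound is shifted by the local offset and hits are either re-pushed or missed. Make the stored timestamp aware, `self.lastSearched = datetime.now(timezone.utc)` (`timezone` is already imported at the top of the file), or pass `start.astimezone(timezone.utc).isoformat()` here. The `end` parameter is accepted but never used — the upper bound is the literal `'now'`; either drop it or use it so the signature matches the query it describes. The enclosing ElasticConnector class continues outside the hunk.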
@@ -189,4 +217,643 @@ def sendEvents(self, results):
 loop = asyncio.get_event_loop()
 loop.run_until_complete(watcher.run())
 loop.close()
-
\ No newline at end of file
+
+
+# Example data point from Elasticsearch
+'''
+{
+ "_index": "filebeat-2020.01.15",
+ "_type": "_doc",
+ "_id": "WIKYqG8BMWcproZX3UER",
+ "_score": 1.0,
+ "_source": {
+ "response": {
+ "status": 403,
+ "headers": {
+ "Content-Length": "209",
+ "Set-Cookie": "(null)=Admin:0",
+ "Content-Type": "text/html; charset=iso-8859-1"
+ },
+ "protocol": "HTTP/1.1",
+ "body": "\n\n403 Forbidden\n\n

Forbidden

\n

You don't have permission to access /\non this server.
\n

\n\n" + }, + "agent": { + "type": "filebeat", + "version": "7.4.2", + "id": "0b76fcce-607c-45ab-8b85-792f119897b5", + "ephemeral_id": "54984de0-233a-4e2b-83a9-3a9052902b92", + "hostname": "41b6e484c5f9" + }, + "error_messages": { + "message-7": { + "line": "803", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf", + "ver": "OWASP_CRS/3.2.0", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "hostname": "localhost", + "type": "ModSecurity: Warning", + "client": "172.17.0.1", + "pattern": "Pattern match \"(?i:[\\\\\\\\\"'`]\\\\\\\\\\\\\\\\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\\\\\\\\\\\\\\\\|\\\\\\\\\\\\\\\\||and|div|&&)\\\\\\\\\\\\\\\\s+[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\w]+=\\\\\\\\\\\\\\\\s*?\\\\\\\\\\\\\\\\w+\\\\\\\\\\\\\\\\s*?having\\\\\\\\\\\\\\\\s+|like(?:\\\\\\\\\\\\\\\\s+[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\w]+=\\\\\\\\\\\\\\\\s*?\\\\\\\\\\\\\\\\w+\\\\\\\\\\\\\\\\s*?having\\\\\\\\\\\\\\\\s+|\\\\\\\\\\\\\\\\W*?[\\\\\\\\\"'`\\\\\\\\\\\\\\\\d])|[^?\\\\\\\\\\\\\\\\w\\\\\\\\\\\\\\\\s=", + "severity": "CRITICAL", + "id": "942260", + "uri": "/", + "level": "3", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", + "WASCTC/WASC-19", + "OWASP_TOP_10/A1", + "OWASP_AppSensor/CIE1", + "PCI/6.5.2", + "paranoia-level/2" + ] + }, + "message-1": { + "line": "59", + "pattern": "detected XSS using libinjection", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf", + "hostname": "localhost", + "severity": "CRITICAL", + "type": "ModSecurity: Warning", + "client": "172.17.0.1", + "ver": "OWASP_CRS/3.2.0", + "id": "941100", + "uri": "/", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-xss", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/XSS", + "WASCTC/WASC-8", + "WASCTC/WASC-22", + "OWASP_TOP_10/A3", + "OWASP_AppSensor/IE1", + "CAPEC-242" + ], 
+ "level": "3" + }, + "message-10": { + "line": "91", + "pattern": "Operator GE matched 5 at TX:anomaly_score", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "severity": "CRITICAL", + "type": "ModSecurity: Access denied with code 403 (phase 2)", + "hostname": "localhost", + "client": "172.17.0.1", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf", + "id": "949110", + "uri": "/", + "level": "3", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-generic" + ] + }, + "message-5": { + "line": "550", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "pattern": "Pattern match \"(?:^\\\\\\\\\\\\\\\\s*[\\\\\\\\\"'`;]+|[\\\\\\\\\"'`]+\\\\\\\\\\\\\\\\s*$)\" at ARGS:q", + "hostname": "localhost", + "type": "ModSecurity: Warning", + "severity": "WARNING", + "client": "172.17.0.1", + "ver": "OWASP_CRS/3.2.0", + "id": "942110", + "uri": "/", + "level": "3", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", + "WASCTC/WASC-19", + "OWASP_TOP_10/A1", + "OWASP_AppSensor/CIE1", + "PCI/6.5.2", + "paranoia-level/2" + ] + }, + "message-8": { + "line": "1526", + "pattern": "Pattern match \"((?:[~!@#\\\\\\\\\\\\\\\\$%\\\\\\\\\\\\\\\\^&\\\\\\\\\\\\\\\\*\\\\\\\\\\\\\\\\(\\\\\\\\\\\\\\\\)\\\\\\\\\\\\\\\\-\\\\\\\\\\\\\\\\+=\\\\\\\\\\\\\\\\{\\\\\\\\\\\\\\\\}\\\\\\\\\\\\\\\\[\\\\\\\\\\\\\\\\]\\\\\\\\\\\\\\\\|:;\\\\\\\\\"'\\\\\\\\xc2\\\\\\\\xb4\\\\\\\\xe2\\\\\\\\x80\\\\\\\\x99\\\\\\\\xe2\\\\\\\\x80\\\\\\\\x98`<>][^~!@#\\\\\\\\\\\\\\\\$%\\\\\\\\\\\\\\\\^&\\\\\\\\\\\\\\\\*\\\\\\\\\\\\\\\\(\\\\\\\\\\\\\\\\)\\\\\\\\\\\\\\\\-\\\\\\\\\\\\\\\\+=\\\\\\\\\\\\\\\\{\\\\\\\\\\\\\\\\}\\\\\\\\\\\\\\\\[\\\\\\\\\\\\\\\\]\\\\\\\\\\\\\\\\|:;\\\\\\\\\"'\\\\\\\\xc2\\\\\\\\xb4\\\\\\\\xe2\\\\\\\\x80\\\\\\\\x99\\\\\\\\xe2\\\\\\\\x80\\\\\\\\x98`<>]*?){6})\" at ARGS:q", + 
"file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf", + "severity": "WARNING", + "type": "ModSecurity: Warning", + "hostname": "localhost", + "client": "172.17.0.1", + "ver": "OWASP_CRS/3.2.0", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "id": "942431", + "uri": "/", + "level": "3", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", + "WASCTC/WASC-19", + "OWASP_TOP_10/A1", + "OWASP_AppSensor/CIE1", + "PCI/6.5.2", + "paranoia-level/3" + ] + }, + "message-6": { + "line": "628", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf", + "ver": "OWASP_CRS/3.2.0", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "hostname": "localhost", + "client": "172.17.0.1", + "pattern": "Pattern match \"(?i:[\\\\\\\\\\\\\\\\s'\\\\\\\\\"`()]*?([\\\\\\\\\\\\\\\\d\\\\\\\\\\\\\\\\w]++)[\\\\\\\\\\\\\\\\s'\\\\\\\\\"`()]*?(?:<(?:=(?:[\\\\\\\\\\\\\\\\s'\\\\\\\\\"`()]*?(?!\\\\\\\\\\\\\\\\1)[\\\\\\\\\\\\\\\\d\\\\\\\\\\\\\\\\w]+|>[\\\\\\\\\\\\\\\\s'\\\\\\\\\"`()]*?(?:\\\\\\\\\\\\\\\\1))|>?[\\\\\\\\\\\\\\\\s'\\\\\\\\\"`()]*?(?!\\\\\\\\\\\\\\\\1)[\\\\\\\\\\\\\\\\d\\\\\\\\\\\\\\\\w]+)|(?:not\\\\\\\\\\\\\\\\s+(?:regexp|like)|is\\\\\\\\\\\\\\\\s+not|>=?|!=|\\\\\\\\\\\\\\\\^)[\\\\\\\\\\\\\\\\s'\\\\\\\\\"`()]*?(?!\\\\\\\\\\\\\\\\1)[\\\\\\\\\\\\\\\\d\\\\\\\\\\\\\\\\w]+|(?:(?:sounds\\\\\\\\\\\\\\\\s+)?like|r(?:egexp|lik", + "severity": "CRITICAL", + "type": "ModSecurity: Warning", + "id": "942130", + "uri": "/", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", + "WASCTC/WASC-19", + "OWASP_TOP_10/A1", + "OWASP_AppSensor/CIE1", + "PCI/6.5.2", + "paranoia-level/2" + ], + "level": "3" + }, + "message-3": { + "line": "218", + "pattern": "Pattern match 
\"(?i:(?:<\\\\\\\\\\\\\\\\w[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\S]*[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\/]|['\\\\\\\\\"](?:[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\S]*[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange", + "ver": "OWASP_CRS/3.2.0", + "severity": "CRITICAL", + "type": "ModSecurity: Warning", + "hostname": "localhost", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "client": "172.17.0.1", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf", + "id": "941160", + "uri": "/", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-xss", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/XSS", + "WASCTC/WASC-8", + "WASCTC/WASC-22", + "OWASP_TOP_10/A3", + "OWASP_AppSensor/IE1", + "CAPEC-242" + ], + "level": "3" + }, + "message-4": { + "line": "879", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf", + "pattern": "Pattern match \"<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head", + "ver": "OWASP_CRS/3.2.0", + "type": "ModSecurity: Warning", + "hostname": "localhost", + "client": "172.17.0.1", + "severity": "CRITICAL", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "id": "941320", + "uri": "/", + "level": "3", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-xss", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/XSS", + "WASCTC/WASC-8", + "WASCTC/WASC-22", + "OWASP_TOP_10/A2", + "OWASP_AppSensor/IE1", + "PCI/6.5.1", + "paranoia-level/2" + ] + }, + "message-9": { + "line": "1717", + "pattern": "Pattern match 
\"((?:[~!@#\\\\\\\\\\\\\\\\$%\\\\\\\\\\\\\\\\^&\\\\\\\\\\\\\\\\*\\\\\\\\\\\\\\\\(\\\\\\\\\\\\\\\\)\\\\\\\\\\\\\\\\-\\\\\\\\\\\\\\\\+=\\\\\\\\\\\\\\\\{\\\\\\\\\\\\\\\\}\\\\\\\\\\\\\\\\[\\\\\\\\\\\\\\\\]\\\\\\\\\\\\\\\\|:;\\\\\\\\\"'\\\\\\\\xc2\\\\\\\\xb4\\\\\\\\xe2\\\\\\\\x80\\\\\\\\x99\\\\\\\\xe2\\\\\\\\x80\\\\\\\\x98`<>][^~!@#\\\\\\\\\\\\\\\\$%\\\\\\\\\\\\\\\\^&\\\\\\\\\\\\\\\\*\\\\\\\\\\\\\\\\(\\\\\\\\\\\\\\\\)\\\\\\\\\\\\\\\\-\\\\\\\\\\\\\\\\+=\\\\\\\\\\\\\\\\{\\\\\\\\\\\\\\\\}\\\\\\\\\\\\\\\\[\\\\\\\\\\\\\\\\]\\\\\\\\\\\\\\\\|:;\\\\\\\\\"'\\\\\\\\xc2\\\\\\\\xb4\\\\\\\\xe2\\\\\\\\x80\\\\\\\\x99\\\\\\\\xe2\\\\\\\\x80\\\\\\\\x98`<>]*?){2})\" at ARGS:q", + "ver": "OWASP_CRS/3.2.0", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "type": "ModSecurity: Warning", + "client": "172.17.0.1", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf", + "hostname": "localhost", + "severity": "WARNING", + "id": "942432", + "uri": "/", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", + "WASCTC/WASC-19", + "OWASP_TOP_10/A1", + "OWASP_AppSensor/CIE1", + "PCI/6.5.2", + "paranoia-level/4" + ], + "level": "3" + }, + "message-11": { + "line": "86", + "pattern": "Operator GE matched 5 at TX:inbound_anomaly_score", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "file": "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf", + "type": "ModSecurity: Warning", + "hostname": "localhost", + "client": "172.17.0.1", + "id": "980130", + "uri": "/", + "level": "3", + "tags": [ + "event-correlation" + ] + }, + "message-2": { + "line": "90", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf", + "pattern": "Pattern match \"(?i)]*>[\\\\\\\\\\\\\\\\s\\\\\\\\\\\\\\\\S]*?\" at ARGS:q", + "severity": "CRITICAL", + "hostname": "localhost", + "client": "172.17.0.1", + "type": "ModSecurity: Warning", + "ver": "OWASP_CRS/3.2.0", 
+ "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "id": "941110", + "uri": "/", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-xss", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/XSS", + "WASCTC/WASC-8", + "WASCTC/WASC-22", + "OWASP_TOP_10/A3", + "OWASP_AppSensor/IE1", + "CAPEC-242" + ], + "level": "3" + }, + "message-0": { + "line": "1391", + "pattern": "Found 9 byte(s) in ARGS:q outside range: 38,44-46,48-58,61,65-90,95,97-122", + "unique_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "severity": "CRITICAL", + "type": "ModSecurity: Warning", + "client": "172.17.0.1", + "ver": "OWASP_CRS/3.2.0", + "hostname": "localhost", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf", + "id": "920273", + "uri": "/", + "level": "3", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-protocol", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL_VIOLATION/EVASION", + "paranoia-level/4" + ] + } + }, + "type": "mod_security", + "messages": { + "message-7": { + "line": "803", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", + "WASCTC/WASC-19", + "OWASP_TOP_10/A1", + "OWASP_AppSensor/CIE1", + "PCI/6.5.2", + "paranoia-level/2" + ], + "pattern": "Pattern match \"(?i:[\\\"'`]\\\\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\\\\|\\\\||and|div|&&)\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?having\\\\s+|like(?:\\\\s+[\\\\s\\\\w]+=\\\\s*?\\\\w+\\\\s*?having\\\\s+|\\\\W*?[\\\"'`\\\\d])|[^?\\\\w\\\\s=", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf", + "severity": "CRITICAL", + "type": "Warning", + "ver": "OWASP_CRS/3.2.0", + "id": "942260" + }, + "message-1": { + "line": "59", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-xss", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/XSS", + "WASCTC/WASC-8", + "WASCTC/WASC-22", + "OWASP_TOP_10/A3", + 
"OWASP_AppSensor/IE1", + "CAPEC-242" + ], + "pattern": "detected XSS using libinjection", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf", + "severity": "CRITICAL", + "ver": "OWASP_CRS/3.2.0", + "type": "Warning", + "id": "941100" + }, + "message-10": { + "line": "91", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-generic" + ], + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf", + "pattern": "Operator GE matched 5 at TX:anomaly_score", + "severity": "CRITICAL", + "type": "Access denied with code 403 (phase 2)", + "id": "949110" + }, + "message-5": { + "line": "550", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", + "WASCTC/WASC-19", + "OWASP_TOP_10/A1", + "OWASP_AppSensor/CIE1", + "PCI/6.5.2", + "paranoia-level/2" + ], + "pattern": "Pattern match \"(?:^\\\\s*[\\\"'`;]+|[\\\"'`]+\\\\s*$)\" at ARGS:q", + "ver": "OWASP_CRS/3.2.0", + "severity": "WARNING", + "type": "Warning", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf", + "id": "942110" + }, + "message-8": { + "line": "1526", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", + "WASCTC/WASC-19", + "OWASP_TOP_10/A1", + "OWASP_AppSensor/CIE1", + "PCI/6.5.2", + "paranoia-level/3" + ], + "pattern": "Pattern match \"((?:[~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>]*?){6})\" at ARGS:q", + "ver": "OWASP_CRS/3.2.0", + "severity": "WARNING", + "type": "Warning", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf", + "id": "942431" + }, + "message-6": { + 
"line": "628", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", + "WASCTC/WASC-19", + "OWASP_TOP_10/A1", + "OWASP_AppSensor/CIE1", + "PCI/6.5.2", + "paranoia-level/2" + ], + "pattern": "Pattern match \"(?i:[\\\\s'\\\"`()]*?([\\\\d\\\\w]++)[\\\\s'\\\"`()]*?(?:<(?:=(?:[\\\\s'\\\"`()]*?(?!\\\\1)[\\\\d\\\\w]+|>[\\\\s'\\\"`()]*?(?:\\\\1))|>?[\\\\s'\\\"`()]*?(?!\\\\1)[\\\\d\\\\w]+)|(?:not\\\\s+(?:regexp|like)|is\\\\s+not|>=?|!=|\\\\^)[\\\\s'\\\"`()]*?(?!\\\\1)[\\\\d\\\\w]+|(?:(?:sounds\\\\s+)?like|r(?:egexp|lik", + "ver": "OWASP_CRS/3.2.0", + "severity": "CRITICAL", + "type": "Warning", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf", + "id": "942130" + }, + "message-4": { + "line": "879", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-xss", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/XSS", + "WASCTC/WASC-8", + "WASCTC/WASC-22", + "OWASP_TOP_10/A2", + "OWASP_AppSensor/IE1", + "PCI/6.5.1", + "paranoia-level/2" + ], + "pattern": "Pattern match \"<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head", + "ver": "OWASP_CRS/3.2.0", + "severity": "CRITICAL", + "type": "Warning", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf", + "id": "941320" + }, + "message-3": { + "line": "218", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-xss", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/XSS", + "WASCTC/WASC-8", + "WASCTC/WASC-22", + "OWASP_TOP_10/A3", + "OWASP_AppSensor/IE1", + "CAPEC-242" + ], + "pattern": "Pattern match 
\"(?i:(?:<\\\\w[\\\\s\\\\S]*[\\\\s\\\\/]|['\\\"](?:[\\\\s\\\\S]*[\\\\s\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf", + "ver": "OWASP_CRS/3.2.0", + "type": "Warning", + "severity": "CRITICAL", + "id": "941160" + }, + "message-9": { + "line": "1717", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-sqli", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", + "WASCTC/WASC-19", + "OWASP_TOP_10/A1", + "OWASP_AppSensor/CIE1", + "PCI/6.5.2", + "paranoia-level/4" + ], + "pattern": "Pattern match \"((?:[~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>]*?){2})\" at ARGS:q", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf", + "severity": "WARNING", + "type": "Warning", + "ver": "OWASP_CRS/3.2.0", + "id": "942432" + }, + "message-11": { + "line": "86", + "tags": [ + "event-correlation" + ], + "pattern": "Operator GE matched 5 at TX:inbound_anomaly_score", + "file": "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf", + "type": "Warning", + "id": "980130" + }, + "message-2": { + "line": "90", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-xss", + "OWASP_CRS", + "OWASP_CRS/WEB_ATTACK/XSS", + "WASCTC/WASC-8", + "WASCTC/WASC-22", + "OWASP_TOP_10/A3", + "OWASP_AppSensor/IE1", + "CAPEC-242" + ], + "pattern": "Pattern match \"(?i)]*>[\\\\s\\\\S]*?\" at ARGS:q", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf", + "severity": "CRITICAL", + "type": "Warning", + "ver": "OWASP_CRS/3.2.0", + 
"id": "941110" + }, + "message-0": { + "line": "1391", + "tags": [ + "application-multi", + "language-multi", + "platform-multi", + "attack-protocol", + "OWASP_CRS", + "OWASP_CRS/PROTOCOL_VIOLATION/EVASION", + "paranoia-level/4" + ], + "pattern": "Found 9 byte(s) in ARGS:q outside range: 38,44-46,48-58,61,65-90,95,97-122", + "ver": "OWASP_CRS/3.2.0", + "severity": "CRITICAL", + "type": "Warning", + "file": "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf", + "id": "920273" + } + }, + "request": { + "request_line": "GET /?q=\"> HTTP/1.1", + "headers": { + "User-Agent": "curl/7.68.0", + "Accept": "*/*", + "Host": "localhost:9091" + } + }, + "transaction": { + "time": "15/Jan/2020:09:46:15 +0000", + "local_port": 80, + "local_address": "172.17.0.3", + "remote_port": 45660, + "transaction_id": "Xh7fZ82SreGQgLcD8dkwPAAAAIA", + "remote_address": "172.17.0.1" + }, + "audit_data": { + "engine_mode": "ENABLED", + "stopwatch": { + "p2": 1275, + "p1": 343, + "p5": 196, + "sw": 0, + "sr": 47, + "l": 0, + "p3": 0, + "p4": 0, + "gc": 0 + }, + "server": "Apache", + "handler": "proxy-server", + "action": { + "intercepted": true, + "phase": 2, + "message": "Operator GE matched 5 at TX:anomaly_score." + }, + "response_body_dechunked": true, + "producer": [ + "ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)", + "OWASP_CRS/3.2.0" + ] + }, + "tags": [ + "beats_input_raw_event", + "_rubyexception" + ], + "log": { + "file": { + "path": "/var/log/modsec_audit_processed.log" + }, + "offset": 556967 + }, + "ecs": { + "version": "1.1.0" + }, + "input": { + "type": "log" + }, + "@timestamp": "2020-01-15T09:46:25.346Z", + "host": { + "name": "41b6e484c5f9" + }, + "@version": "1" + } +} +''' \ No newline at end of file
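Review bot: A bare module-level `'''` string is not a docstring and is evaluated on every import; the roughly 640-line sample hit appended at the end of the file would serve better as a JSON fixture loaded by tests of ModsecLog.parseModsecDate and getRequestLine, which currently have none. If it stays inline, a one-line comment above it, `# Shape of one Elasticsearch hit as consumed by MispConnector.send_misp_event (ModsecLog reads _source.transaction and _source.request)`, would tell a reader why it is there.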