Getting Data In

How to edit props.conf to line break modsecurity events?

Shark2112
Communicator

Hey guys. I want modsecurity events in Splunk, but can't make the right config.

I have events like this:

--d021db15-A--
[22/Dec/2016:12:46:22 +0300] WFug7n8AAAEAAAgUFKYAAABM 192.168.13.2 58507 192.168.13.141 80
--d021db15-B--
GET /?param=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1
Host: 192.168.13.141
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
If-None-Match: "13-54429b1b62789"
If-Modified-Since: Wed, 21 Dec 2016 11:45:49 GMT

--d021db15-F--
HTTP/1.1 304 Not Modified
Last-Modified: Wed, 21 Dec 2016 11:45:49 GMT
ETag: "13-54429b1b62789"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

--d021db15-E--

--d021db15-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache2/modsecurity.d/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header i

r: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.23 (Unix) PHP/5.6.29
Engine-Mode: "DETECTION_ONLY"

--d021db15-Z--

so it starts with --\w+-A-- and ends with --\w+-Z--

my config:
[modsec_audit]
CHARSET = UTF-8
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
LINE_BREAKER = --\w+-A--
disabled = false
SHOULD_LINEMERGE = true
MUST_BREAK_AFTER = --\w+-Z--
TRUNCATE = 0

or BREAK_ONLY_BEFORE_DATE = true instead of MUST_BREAK_AFTER.

but it's all wrong and I see events like "Stopwatch: 1482404729925426 2897 (- - -)", for example, or starting from .


Shark2112
Communicator

The trouble was in MAX_EVENTS, that's why I had truncated events.


somesoni2
SplunkTrust

Something like this would work fine.

[modsec_audit]
category = Custom
LINE_BREAKER = ([\r\n]+)(?=--\w+-A-)
SHOULD_LINEMERGE = false
TRUNCATE = 0
TIME_PREFIX = \[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 26
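An added sanity check (my own code, not from Splunk or anyone in this thread) that applies the LINE_BREAKER, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD values from the stanza above to a constructed two-transaction audit log, so you can confirm the regex splits on the A section and the timestamp parses before pushing the stanza to an indexer. The second transaction id and its timestamp are made up for the sample.

```python
import re
from datetime import datetime

# Values taken from the props.conf stanza above. Splunk breaks the stream at the
# first capture group; the lookahead decides where the next event starts.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=--\w+-A-)")
TIME_PREFIX = re.compile(r"\[")
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
MAX_TIMESTAMP_LOOKAHEAD = 26   # "22/Dec/2016:12:46:22 +0300" is exactly 26 chars

# Constructed sample: two abbreviated ModSecurity audit transactions.
SAMPLE_AUDIT_LOG = (
    "--d021db15-A--\n"
    "[22/Dec/2016:12:46:22 +0300] WFug7n8AAAEAAAgUFKYAAABM 192.168.13.2 58507 192.168.13.141 80\n"
    "--d021db15-B--\n"
    "GET /?param=%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1\n"
    "Host: 192.168.13.141\n\n"
    "--d021db15-H--\n"
    'Engine-Mode: "DETECTION_ONLY"\n\n'
    "--d021db15-Z--\n\n"
    "--e1f2a3b4-A--\n"
    "[22/Dec/2016:12:47:01 +0300] constructedTxnId0000000 192.168.13.2 58510 192.168.13.141 80\n"
    "--e1f2a3b4-B--\n"
    "GET /index.html HTTP/1.1\n\n"
    "--e1f2a3b4-Z--\n"
)

def break_events(raw):
    """Split the stream into events exactly where LINE_BREAKER would (SHOULD_LINEMERGE=false)."""
    events, pos = [], 0
    for m in LINE_BREAKER.finditer(raw):
        chunk = raw[pos:m.start(1)]
        if chunk.strip():
            events.append(chunk)
        pos = m.end(1)          # the matched newlines are consumed, not kept
    if raw[pos:].strip():
        events.append(raw[pos:])
    return events

def extract_timestamp(event):
    """Parse the event time the way TIME_PREFIX/TIME_FORMAT/MAX_TIMESTAMP_LOOKAHEAD direct."""
    m = TIME_PREFIX.search(event)
    if m is None:
        raise ValueError("no '[' found: TIME_PREFIX would not match and Splunk would fall back")
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    return datetime.strptime(window, TIME_FORMAT)

if __name__ == "__main__":
    for ev in break_events(SAMPLE_AUDIT_LOG):
        print(ev.splitlines()[0], extract_timestamp(ev).isoformat())
```

The lookahead of 26 is exactly the width of the bracketed timestamp, so if your audit log ever writes a wider time field the value has to be raised or the parse will fail.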

niketn
Legend

I copied your data twice to a dummy log file and modified the time to mark separate events. I was able to get two events just by adding a BREAK_ONLY_BEFORE condition on top of SHOULD_LINEMERGE=true.

[modsec_audit]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=--d021db15-A--

Please let me know if this is what you expect.


____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Shark2112
Communicator

I made a separate index and added a file with the same sourcetype, and it all works fine, it's so strange. I will check the difference and write back after.
