modsecurity Log Parser

This modsecurity parser support modsecurity logs from apache2 error log.

(Not tested with Nginx yet).

1onsuccess: next_stage

2filter: evt.Parsed.program == 'modsecurity'

3name: crowdsecurity/modsecurity

4#debug: true

5description: A parser for modsecurity WAF

6pattern_syntax:

7 APACHEERRORPREFIX2: "\\[%{APACHEERRORTIME:timestamp}\\] \\[%{NOTSPACE:apacheseverity}\\] (\\[pid %{INT}(:tid %{INT})?\\] )?\\[(client|remote) %{IPORHOST:sourcehost}(:%{INT:source_port})?\\] (\\[client %{IPORHOST}\\])?"

8 NGINXERRORPREFIX: "%{NGINXERRTIME:time} \\[%{LOGLEVEL:loglevel}\\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\\*%{NONNEGINT:cid} )?(\\[client %{IPORHOST}\\] )?"

9 NGINXERRORSUFFIX: "client: %{IPORHOST:remote_addr}, server: %{DATA:target_fqdn}, request: \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}\"(, upstream: \"%{DATA:upstream}\")?(, host: \"%{IPORHOST}(:%{INT})?\")?"

10 MODSECNGINXPREFIX: "%{NGINXERRORPREFIX}ModSecurity: ((?:%{NOTSPACE:modsecseverity}\\. )?(?:Access denied with code %{INT:http_code} \\(phase %{INT:phase}\\)\\. )?)?%{GREEDYDATA:modsecmessage}"

11 MODSECPREFIX2: "%{APACHEERRORPREFIX2} ModSecurity: ((?:%{NOTSPACE:modsecseverity}\\. )?(?:Access denied with code %{INT:http_code} \\(phase %{INT:phase}\\)\\. )?)?%{GREEDYDATA:modsecmessage}"

12 MODSECRULEFILE2: "\\[file \"%{DATA:rulefile}\"\\]"

13 MODSECRULELINE2: "\\[line \"%{DATA:ruleline}\"\\]"

14 MODSECMATCHOFFSET2: "\\[offset \"%{DATA:matchoffset}\"\\]"

15 MODSECRULEID2: "\\[id \"%{DATA:ruleid}\"\\]"

16 MODSECRULEREV2: "\\[rev \"%{DATA:rulerev}\"\\]"

17 MODSECRULEMSG2: "\\[msg \"%{DATA:rulemessage}\"\\]"

18 MODSECRULEDATA2: "\\[data \"%{DATA:ruledata}\"\\]"

19 MODSECRULESEVERITY2: "\\[severity \"%{DATA:ruleseverity}\"\\]"

20 MODSECRULEMATURITY: "\\[maturity \"%{DATA:maturity}\"\\]"

21 MODSECRULEACCURACY: "\\[accuracy \"%{DATA:accuracy}\"\\]"

22 MODSECRULEVERS2: "\\[ver \"%{DATA:version}\"\\]"

23 MODSECRULETAGS2: "(?:\\[tag \"%{DATA:ruletag0}\"\\] )?(?:\\[tag \"%{DATA:ruletag1}\"\\] )?(?:\\[tag \"%{DATA:ruletag2}\"\\] )?(?:\\[tag \"%{DATA:ruletag3}\"\\] )?(?:\\[tag \"%{DATA:ruletag4}\"\\] )?(?:\\[tag \"%{DATA:ruletag5}\"\\] )?(?:\\[tag \"%{DATA:ruletag6}\"\\] )?(?:\\[tag \"%{DATA:ruletag7}\"\\] )?(?:\\[tag \"%{DATA:ruletag8}\"\\] )?(?:\\[tag \"%{DATA:ruletag9}\"\\] )?(?:\\[tag \"%{DATA}\"\\] )*"

24 MODSECHOSTNAME2: "\\[hostname ['\"]%{DATA:targethost}[\"']\\]"

25 MODSECURI2: "\\[uri [\"']%{DATA:targeturi}[\"']\\]"

26 MODSECUID2: "\\[unique_id \"%{DATA:uniqueid}\"\\]"

27 MODSECREF2: "\\[ref \"%{DATA:ref}\"\\]"

28 MODSECAPACHEERROR2: "%{MODSECPREFIX2} %{MODSECRULEFILE2} %{MODSECRULELINE2} (?:%{MODSECMATCHOFFSET2} )?(?:%{MODSECRULEID2} )?(?:%{MODSECRULEREV2} )?(?:%{MODSECRULEMSG2} )?(?:%{MODSECRULEDATA2} )?(?:%{MODSECRULESEVERITY2} )?(?:%{MODSECRULEVERS2} )?%{MODSECRULETAGS2}%{MODSECHOSTNAME2} %{MODSECURI2} %{MODSECUID2}"

29 MODSECNGINXERROR: "%{MODSECNGINXPREFIX} %{MODSECRULEFILE2} %{MODSECRULELINE2} (?:%{MODSECMATCHOFFSET2} )?(?:%{MODSECRULEID2} )?(?:%{MODSECRULEREV2} )?(?:%{MODSECRULEMSG2} )?(?:%{MODSECRULEDATA2} )?(?:%{MODSECRULESEVERITY2} )?(?:%{MODSECRULEVERS2} )?(?:%{MODSECRULEMATURITY} )?(?:%{MODSECRULEACCURACY} )?%{MODSECRULETAGS2}%{MODSECHOSTNAME2} %{MODSECURI2} %{MODSECUID2} %{MODSECREF2}(?:, | while sending to client, )%{NGINXERRORSUFFIX}"

31nodes:

32 - grok:

33 name: MODSECAPACHEERROR2

34 apply_on: message

35 statics:

36 - meta: log_type

37 value: modsecurity

38 - meta: source_ip

39 expression: evt.Parsed.sourcehost

40 - target: evt.StrTime

41 expression: evt.Parsed.timestamp

42 - meta: rule_id

43 expression: evt.Parsed.ruleid

44 - meta: modsec_message

45 expression: evt.Parsed.rulemessage

46 - meta: modsec_ruledata

47 expression: evt.Parsed.ruledata

48 - meta: modsec_phase

49 expression: evt.Parsed.phase

50 - meta: http_code

51 expression: evt.Parsed.http_code

52 - grok:

53 name: MODSECNGINXERROR

54 apply_on: message

55 statics:

56 - meta: log_type

57 value: modsecurity

58 - meta: source_ip

59 expression: evt.Parsed.remote_addr

60 - target: evt.StrTime

61 expression: evt.Parsed.time

62 - meta: rule_id

63 expression: evt.Parsed.ruleid

64 - meta: modsec_message

65 expression: evt.Parsed.rulemessage

66 - meta: modsec_ruledata

67 expression: evt.Parsed.ruledata

68 - meta: modsec_phase

69 expression: evt.Parsed.phase

70 - meta: http_code

71 expression: evt.Parsed.http_code

Hub configuration

« modsecurity »
v1.3 by crowdsecurity
Log parser

Hub configuration

« modsecurity »v1.3 by crowdsecurityLog parser

« modsecurity »
v1.3 by crowdsecurity
Log parser