
Ruby exception occurred: Invalid FieldReference: `auditLogTrailer[messages] #47

Open
mtudisco49 opened this issue Aug 12, 2019 · 4 comments

Comments

@mtudisco49
Contributor

mtudisco49 commented Aug 12, 2019

auditLogTrailer.messages { "tag": "OWASP_CRS/WEB_ATTACK/XSS", "id": "973338", "msg": "XSS Filter - Category 3: Javascript URI Vector", "file": "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf", "line": "28", "data": "Matched Data: astyle_ found within ARGS:themeId: deandastyle_WAR_deandastyletheme", "severity": "CRITICAL", "info": "Warning. Pattern match "(?i)((?:=|U\sR\sL\s*\()\s*[^>]\sS\sC\sR\sI\sP\sT\s:|:|[\s\S]allowscriptaccess[\s\S]|[\s\S]src[\s\S]|[\s\S]data:text\/html[\s\S]|[\s\S]xlink:href[\s\S]|[\s\S]base64[\s\S]|[\s\S]xmlns[\s\S]|[\s\S]xht ..." at ARGS:themeId." }, { "id": "981204", "msg": "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=0, XSS=5): XSS Filter - Category 3: Javascript URI Vector", "file": "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf", "line": "37", "info": "Warning. Operator GE matched 5 at TX:inbound_anomaly_score." }
@mtudisco49
Contributor Author

Hi,

First of all, thank you very much for providing this repo! This helped me a lot.

I'm currently having an issue with some log data in sectionPartH not generating the field modsecSeverity.

In the logstash log I get:
[ERROR][logstash.filters.ruby ] Ruby exception occurred: Invalid FieldReference: auditLogTrailer[messages]

However, when I look at the data, severity is there:

auditLogTrailer.messages { "tag": "OWASP_CRS/WEB_ATTACK/XSS", "id": "973338", "msg": "XSS Filter - Category 3: Javascript URI Vector", "file": "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf", "line": "28", "data": "Matched Data: astyle_ found within ARGS:themeId: deandastyle_WAR_deandastyletheme", "severity": "CRITICAL", "info": "Warning. Pattern match "(?i)((?:=|U\\sR\\sL\\s*\\()\\s*[^>]\\sS\\sC\\sR\\sI\\sP\\sT\\s:|:|[\\s\\S]allowscriptaccess[\\s\\S]|[\\s\\S]src[\\s\\S]|[\\s\\S]data:text\\/html[\\s\\S]|[\\s\\S]xlink:href[\\s\\S]|[\\s\\S]base64[\\s\\S]|[\\s\\S]xmlns[\\s\\S]|[\\s\\S]xht ..." at ARGS:themeId." }, { "id": "981204", "msg": "Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=0, XSS=5): XSS Filter - Category 3: Javascript URI Vector", "file": "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf", "line": "37", "info": "Warning. Operator GE matched 5 at TX:inbound_anomaly_score." }

Any idea out there?

Best regards

@mtudisco49
Contributor Author

mtudisco49 commented Aug 13, 2019

Hi, I managed to find a workaround.
I changed the file "2089_filter_section_h_example_severities.conf"
from:

filter {

  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # Proceed to extract all distinct "severities"
  # and store them in a top-level "modsecSeverities" array
  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  if [rawSectionH] =~ /.+/ {

    # extract distinct severities from the messages built in 2080_filter_section_h_parse_messages_to_auditLogTrailerMessages.conf
    ruby {
      code => "
          modsecSeverities = Set.new
          trailerMsgs = event.get('auditLogTrailer[messages]')
          trailerMsgs.each {|m|
            if m.key?('severity')
              modsecSeverities.add(m['severity'])
            end
          }
          event.set('modsecSeverities', modsecSeverities.to_a)
        "
    }
  }

}

to:

filter {
  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # Proceed to extract all distinct "severities"
  # and store them in a top-level "modsecSeverities" array
  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  if [rawSectionH] =~ /.+/ {
    # extract distinct severities from the messages built in 2080_filter_section_h_parse_messages_to_auditLogTrailerMessages.conf
    ruby {
      code => "
          modsecSeverities = Set.new
          # original line, raised 'Invalid FieldReference' on this setup:
          # trailerMsgs = event.get('auditLogTrailer[messages]')
          # fetch the parent hash and index into it instead
          pepe = event.get('auditLogTrailer')
          trailerMsgs = pepe['messages']
          trailerMsgs.each {|m|
            if m.key?('severity')
              modsecSeverities.add(m['severity'])
            end
          }
          event.set('modsecSeverities', modsecSeverities.to_a)
        "
    }
  }
}
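As an added example (not code from the repo or from the issue author), a stand-alone Ruby version of the severity extraction that tolerates a missing trailer or messages array, and a small field-reference resolver that accepts a bare top-level name or a `[parent][child]` path while rejecting the mixed `auditLogTrailer[messages]` form with the same error text the issue shows; the event hash is constructed for the demo.

```ruby
require 'set'

# Constructed stand-in for a Logstash event: a plain Hash keyed like the
# fields the 2080_* filter produces (auditLogTrailer -> messages array).
SAMPLE_EVENT = {
  'rawSectionH' => 'Message: Warning. Pattern match ...',
  'auditLogTrailer' => {
    'messages' => [
      { 'id' => '973338', 'msg' => 'XSS Filter - Category 3', 'severity' => 'CRITICAL' },
      { 'id' => '981204', 'msg' => 'Inbound Anomaly Score Exceeded' }, # no severity key
      { 'id' => '999999', 'severity' => 'CRITICAL' }                   # repeated severity
    ]
  }
}

# Resolve a field reference against a nested Hash, mimicking the two forms
# Logstash accepts: a bare top-level name ("auditLogTrailer") or a bracket
# path ("[auditLogTrailer][messages]"). Anything else, such as the mixed
# "auditLogTrailer[messages]" from the issue, is rejected the way Logstash
# rejects it. Returns nil if a path segment is missing.
def get_field(event, reference)
  if reference.match?(/\A(\[[^\[\]]+\])+\z/)
    path = reference.scan(/\[([^\[\]]+)\]/).flatten
  elsif reference.match?(/\A[^\[\]]+\z/)
    path = [reference]
  else
    raise ArgumentError, "Invalid FieldReference: `#{reference}`"
  end
  path.reduce(event) do |node, key|
    return nil unless node.is_a?(Hash) && node.key?(key)
    node[key]
  end
end

# Collect the distinct severities in auditLogTrailer.messages. Returns []
# when the trailer or its messages array is absent instead of raising.
def extract_severities(event)
  messages = get_field(event, '[auditLogTrailer][messages]')
  return [] unless messages.is_a?(Array)
  severities = Set.new
  messages.each do |m|
    severities.add(m['severity']) if m.is_a?(Hash) && m.key?('severity')
  end
  severities.to_a
end

p extract_severities(SAMPLE_EVENT) if __FILE__ == $PROGRAM_NAME
```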

@bitsofinfo
Owner

Please submit a PR if this fix goes beyond your particular use case and would benefit others. Also, please describe your setup (Logstash version, modsec version, etc.).

@cukal

cukal commented Jan 20, 2020

I ran into the same issue using:

CentOS7 3.10.0-1062.4.3.el7.x86_64
mod_security 2.9.2
Logstash 7.5.1
