mod_sec audit logs are atrocious. There have been a few attempts to make parsing audit data more palatable- BitsOfInfo recently wrote up a proof of concept of working through audit logs with logstash, and the AuditConsole project from JWall provides a more comprehensive approach to collecting log data, but neither solutions addresses the inherent problem of how messy native audit log data is.
As part of my Master’s thesis I need a way to efficiently audit, sort and store audit logs; building my own parser, while doable, would be a waste of time, so I’ve forked the ModSecurity project on Github and built a patch that implements JSON logging directly in the application, replacing the old data log structures entirely. There’s still a long way to go, but the initial patch seems stable and produces valid JSON. Below is an example log entry using the core CRS in DetectionOnly mode:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 |
{ "Transaction":{ "Time":"06\/May\/2014:02:36:45 --0700", "Transaction ID":"vcAcAcAcA0AcAcAbAcAuAcA5", "Remote Address":"38.122.20.226", "Remote Port":8397, "Local Address":"127.0.0.1", "Local Port":80 }, "Request":"GET \/?%3Cscript HTTP\/1.1", "Request Headers":{ "Host":"www.cryptobells.com", "Connection":"keep-alive", "Accept":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8", "User-Agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/34.0.1847.132 Safari\/537.36", "Accept-Encoding":"gzip,deflate,sdch", "Accept-Language":"en-US,en;q=0.8,de;q=0.6" }, "Response":{ "Protocol":"HTTP\/1.1", "Status":"200 OK" }, "Response Headers":{ "X-Pingback":"https:\/\/www.cryptobells.com\/xmlrpc.php", "Content-Type":"text\/html; charset=UTF-8", "Connection":"keep-alive", "Server":"ModSecurity Standalone" }, "Response Body":"to be added...", "Messages":[ { "Actionset Message":"Warning", "Rule Message":"Pattern match \"\\\\< ?script\\\\b\" at ARGS_NAMES:<script.", "Actionset Data":{ "File":"\/etc\/modsecurity\/modsecurity.conf", "Line":2164, "ID":"958051", "Rev":"2", "Msg":"Cross-site Scripting (XSS) Attack", "Data":"Matched Data: <script found within ARGS_NAMES:<script: <script", "Severity":2, "Ver":"OWASP_CRS\/2.2.9", "Maturity":8, "Accuracy":8, "Tags":[ "OWASP_CRS\/WEB_ATTACK\/XSS", "WASCTC\/WASC-8", "WASCTC\/WASC-22", "OWASP_TOP_10\/A2", "OWASP_AppSensor\/IE1", "PCI\/6.5.1" ] } }, { "Actionset Message":"Warning", "Rule Message":"Operator GE matched 5 at TX:inbound_anomaly_score.", "Actionset Data":{ "File":"\/etc\/modsecurity\/modsecurity.conf", "Line":2814, "ID":"981204", "Msg":"Inbound Anomaly Score Exceeded (Total Inbound Score: 5, SQLi=0, XSS=5): Cross-site Scripting (XSS) Attack" } } ], "Stopwatch":"combined=105794, p1=729, p2=1753, p3=3, p4=103135, p5=173, sr=82, sw=1, l=0, gc=0", "Response-Body-Transformed: Dechunked":1, "Producer Header":{ "Producer":"ModSecurity for nginx (STABLE)\/2.8.0-RC1 (http:\/\/www.modsecurity.org\/)", "Additional Producers":[ "OWASP_CRS\/2.2.9" ] }, "Engine Mode":"DETECTION_ONLY", "Matched Rules":[ ...[snip]... { "Rule":"SecRule \"REQUEST_COOKIES|!REQUEST_COOKIES:\/__utm\/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:\/*\" \"@pmFromFile modsecurity_40_generic_attacks.data\" \"phase:2,id:981133,rev:2,ver:OWASP_CRS\/2.2.9,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1\"", "IsChained":false }, { "Rule":"SecRule \"REQUEST_COOKIES|!REQUEST_COOKIES:\/__utm\/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:\/*\" \"@rx \\\\< ?script\\\\b\" \"phase:2,log,rev:2,ver:OWASP_CRS\/2.2.9,maturity:8,accuracy:8,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:958051,tag:OWASP_CRS\/WEB_ATTACK\/XSS,tag:WASCTC\/WASC-8,tag:WASCTC\/WASC-22,tag:OWASP_TOP_10\/A2,tag:OWASP_AppSensor\/IE1,tag:PCI\/6.5.1,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:2,setvar:tx.msg=%{rule.msg},setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS\/WEB_ATTACK\/XSS-%{matched_var_name}=%{tx.0}\"", "IsChained":false } ] } |
Right now every matched rule is being logged, so I snipped the majority of matches for brevity’s sake (again, keeping in mind this is the stock CRS). Getting this patch made was a two-part process; editing the log writer to build JSON instead of writing out to the audit file was easy. The hard part was spelunking through the disruption functions to find out where ruleset data is pushed onto an APR array (hint- the same functionality is called three different times, and the one that applies to audit logs isn’t the one called “perform_disruptive_action”… go figure). This meant changing a few helper functions to build and return JSON objects instead of strings; a future pull request might include some function duplication and allow for a compile-time option of traditional or JSON logging, but that’s a bit out of scope of what I wanted to get done initially.
Building this requires the JSON-C library; I’ve updated the autoconf files to include this library in the make process, and it’s building on my test system, but my make-fu is amateur, and this could use another pair of eyes. I’ve also only tested this on my proxy setup so far (using Nginx as a reverse proxy), so a lot more testing needs to be done before building it into a production Apache deployment, but the core idea of JSON logging is there. The branch is available here if anyone’s interested in taking a look.
Update: I’ve revisited and refactored this approach.
Nice approach and thank you for going into a new direction with these logs.