Last year I took a look at generating Mod_Security audit logs as JSON data, rather than the module’s native format (which is… err… difficult to parse). My initial approach was incomplete, needlessly introduced additional dependencies, and leaked like a sieve; I ended up abandoning this to work on FreeWAF. Some new use uses came up that would benefit from more structured Mod_Security audit logs, so I’ve revamped a patch to emit JSON data using a more sane approach.
My new approach uses the included YAJL library, which contains a fast, streaming JSON generator. The API is relatively simple, and with a few macros added for simplicity, it’s easy to stream in new key-value pairs and manipulate arrays and maps.
The generated JSON contains five primary top-level keys: transaction (corresponding to SecLogAuditPart ‘A’), request (containing maps for request headers and body content, as well as the sanitized request line), response (response status, headers, and body), audit_data (SecLogAuditPart ‘H’ data), and matched_rules (represented as a JSON array). Below is an beautified example of an audit log entry generated from a simple rule designed to mitigate an ongoing spoofed Googlebot WordPress login bruteforce botnet:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 |
{ "transaction" : { "transaction_id" : "VbJ9aH8AAQEAAHN3OTcAAABA", "time" : "24/Jul/2015:11:01:12 --0700", "remote_port" : 34094, "local_address" : "127.0.0.1", "local_port" : 80, "remote_address" : "127.0.0.1" }, "request" : { "headers" : { "User-Agent" : "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "Accept" : "*/*", "Host" : "localhost" }, "request_line" : "POST /wp-login.php HTTP/1.1" }, "response" : { "protocol" : "HTTP/1.1", "status" : 403, "headers" : { "Content-Type" : "text/html; charset=iso-8859-1", "Content-Length" : "288" } }, "audit_data" : { "engine_mode" : "ENABLED", "server" : "Apache/2.4.7 (Ubuntu)", "stopwatch" : { "sr" : 0, "sw" : 0, "p5" : 20, "p1" : 300, "p3" : 0, "p4" : 0, "p2" : 0, "gc" : 0, "l" : 0 }, "producer" : "ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/)", "action" : { "message" : "String match \"POST\" at REQUEST_METHOD.", "phase" : 1, "intercepted" : true } }, "matched_rules" : [ { "rules" : [ { "actionset" : { "id" : "12345", "is_chained" : true, "chain_starter" : true, "tags" : [ "BRUTEFORCE/WORDPRESS" ], "phase" : 1 }, "config" : { "line_num" : 221, "filename" : "/etc/modsecurity/modsecurity.conf" }, "is_matched" : true, "unparsed" : "SecRule \"REQUEST_URI\" \"@streq /wp-login.php\" \"phase:1,auditlog,chain,nolog,id:12345,deny,tag:BRUTEFORCE/WORDPRESS+1\"", "operator" : { "operator" : "streq", "operator_param" : "/wp-login.php", "target" : "REQUEST_URI", "negated" : false } }, { "actionset" : { "is_chained" : true, "phase" : 1, "tags" : [ "BOTNET" ] }, "is_matched" : true, "unparsed" : "SecRule \"REQUEST_HEADERS:User-Agent\" \"@streq Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\" \"chain\"", "config" : { "filename" : "/etc/modsecurity/modsecurity.conf", "line_num" : 222 }, "operator" : { "negated" : false, "target" : "REQUEST_HEADERS:User-Agent", "operator" : "streq", "operator_param" : "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" } }, { "operator" : { "negated" : false, "target" : "REQUEST_METHOD", "operator_param" : "POST", "operator" : "streq" }, "actionset" : { "phase" : 1, "is_chained" : false }, "config" : { "line_num" : 223, "filename" : "/etc/modsecurity/modsecurity.conf" }, "is_matched" : true, "unparsed" : "SecRule \"REQUEST_METHOD\" \"@streq POST\"" } ], "chain" : true, "full_chain_match" : true } ] } |
And the corresponding Mod_Security rules:
|
1 2 3 4 |
#fake googlebot wp-login brute (https://www.cryptobells.com/fake-googlebot-wordpress-login-bruteforce/) SecRule REQUEST_URI "@streq /wp-login.php" "chain,phase:1,nolog,id:12345,deny,tag:BRUTEFORCE/WORDPRESS" SecRule REQUEST_HEADERS:User-Agent "@streq Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "chain,tag:BOTNET" SecRule REQUEST_METHOD "@streq POST" |
Of note, new functions were added for generating stopwatch and producer data in JSON format. Request/response sanitation is also properly handled, using the same memory overwrites that native logging employs.
YAJL’s generator allocator provides the ability for users to specify a struct containing function pointers to memory allocation routines to replace the default (malloc, realloc, and free). This patch does not leverage that or the available APR pools, largely to simplify the changeset, and because performance testing indicated no significant difference between the two. Indeed, benchmark tests for both patched JSON and natively audit log generation shows no significant difference; JSON logging maybe be slightly more performant because it contains only a single atomic write (native audit logs may make several dozen or hundred write syscalls). The choice to buffer the entire audit log entry and call a single write is based on the desire to avoid having broken JSON structures written to disk.
Building with this patch is straightforward; just configure with –enable-json-logging=yes and build Configuring this option is straightforward, with a new configuration option ‘SecAuditLogFormat’, which takes the string ‘Native’ or ‘JSON’:
|
1 2 3 4 5 |
# configure native audit logs (default) SecAuditLogFormat Native #configure audit logs to write JSON: SecAuditLogFormat JSON |
Audit log data is not written in a beautified fashion (what a pointless endeavor would that have been!), and is newline-separated. I’ve submitted a pull request for this patch, though I’m not holding my breath, as the json_logging branch on upstream looks like the developers want to enable a runtime option for enabling JSON logging, an approach this patch now follows. I’m hoping people find this useful, and will happily entertain comments/requests regarding the structure and data points present within the generated entries.
Update: Since posting this, I’ve made a few updates to the json_logging_audit branch, including removing the compile-time flag, and updating the matched_rules portion of the structure (see this commit for more details). The example audit log entry shown above is the correct version of the data emitted.
Did the maintainers of modsec agreed to merging the pull to include this on their main branch of modsec? Thank you very much for the amazing work!
Thanks! I hope people have been able to take advantage of this!
This patch hasn’t yet been merged into the master branch at https://github.com/SpiderLabs/ModSecurity; the tags on the pull request indicate that it’s planned for merge into ModSecurity 2.9.1. Additionally, I’ve been in talks with members of the development community; their focus is making sure that the previously-designed JSON logging structure that’s planned for libmodsecurity (e.g. ModSecurity 3.0) and the structure I’ve presented are identical. I believe they are planning on a new minor release of ModSecurity in Q1 2016, so hopefully we will see this added into ModSecurity proper within the next few months!
In Some Cases Mod-Security produce invalid json audit log, its happens when we enable request and response header.
Can we encode request and response header with base64 encoding
Thanks
I think a saner approach will be to escape the data with
log_escape_ex(or similar). It’s on my radar, but I haven’t gotten there yet. Patches welcome 🙂What’s the transport mechanism to get these logs off the box or is there one?
That question is relevant more to the underlying log writer mechanism, and not the data format in which logs are written. ModSecurity does provide mlogc to ship logs to a remote server, but I haven’t looked at compatibility with JSON formatting. I’ve seen a number of methods to transport audit logs, including lumberjack, filebeat, and hand-rolled transporters (think rsync wrappers 😉 ).