On Mon, 25 Nov 2013, termvrl term wrote:

Hi All,

I'm new to SEC. I try to do some pattern matching using regex.

Here is my sample logs:

192.168.0.13|<131>Nov 22 06:15:36 ubuntu apache-errors: [Fri Nov 22
06:15:33 2013] [error] [client 192.168.0.111] ModSecurity: Warning.
Pattern match "\\\\balert\\\\b\\\\W*?\\\\(" at ARGS:name. [file
"/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"]
[line "148"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting
(XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag
"WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag
"OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]
[hostname "192.168.0.13"] [uri "/dvwa/vulnerabilities/xss_r/"]
[unique_id "Uo9nBX8AAQEAAASiAh8AAAAA"]

What I try to do is to match the words in the logs, Cross-site Scripting
AND CRITICAL.

I have checked this regex with an online checker, it can match, but
unfortunately it is not able to match in SEC.

pattern=(Cross-site Scripting \(XSS\)|CRITICAL)

This matches 'Cross-site Scripting (XSS)' OR 'CRITICAL', not AND.

pattern=Cross-site Scripting \(XSS\).*CRITICAL

should require a log with both in it.

David Lang
_______________________________________________

Simple-evcorr-users mailing list

Simple-evcorr-users@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
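
An added example, not part of the original messages: the two patterns from the thread run against constructed log lines, plus a lookahead form (an assumption, not from the thread) that requires both strings in either order. Python's `re` is used to exercise them; SEC itself applies Perl regular expressions, which treat these particular patterns the same way.

```python
import re

# Constructed sample lines, modelled on the ModSecurity entry quoted in the thread.
SAMPLES = {
    "both": '[msg "Cross-site Scripting (XSS) Attack"] [data "alert("] '
            '[severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]',
    "msg_only": '[msg "Cross-site Scripting (XSS) Attack"] [severity "WARNING"]',
    "severity_only": '[msg "SQL Injection Attack"] [severity "CRITICAL"]',
    # Constructed to show field order mattering; the quoted log has msg first.
    "reversed": '[severity "CRITICAL"] [msg "Cross-site Scripting (XSS) Attack"]',
}

PATTERNS = {
    # First pattern from the thread: alternation, so either string is enough.
    "or": re.compile(r'(Cross-site Scripting \(XSS\)|CRITICAL)'),
    # Second pattern from the thread: both strings, in this order, on one line.
    "and_ordered": re.compile(r'Cross-site Scripting \(XSS\).*CRITICAL'),
    # Assumption, not from the thread: two lookaheads anchored at the start
    # require both strings regardless of which comes first.
    "and_any_order": re.compile(
        r'^(?=.*Cross-site Scripting \(XSS\))(?=.*CRITICAL)'),
}


def classify(line):
    """Return which of the patterns match a single log line."""
    return {name: bool(rx.search(line)) for name, rx in PATTERNS.items()}


def report():
    """Evaluate every constructed sample against every pattern."""
    return {label: classify(line) for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in report().items():
        print(f"{label:14} {result}")
```

The alternation fires on the `msg_only` and `severity_only` lines as well, which is why it is too broad for an alert that should trigger only on critical XSS events.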
