[Simple-evcorr-users] Correlate multiple modsecurity alert.

termvrl term Sun, 01 Dec 2013 07:35:53 -0800

Hi all,

i have working on correlate the alert from modsecurity.
when i simulate XSS attacks, modsec will generate alert and it will match
with SQL rule and XSS rule. So, i want to use SEC to correlate if detect
both signature then, use write action to log a new message. Here is conf
file.


# Rule to match XSS attack.
# SQL + XSS

type=Pair
ptype=RegExp
pattern=sql_injection_attacks
desc=$0
action=write - SQL rule matched
ptype2=RegExp
pattern2=xss_attacks\s*CRITICAL
desc2=$0
action2=write - XSS matched
window=5

The problem is it detect only the first pattern, and the second pattern
never matched. Is it because the modsecurity generate it with same
timestamp?

Attach is the sample log that i want to correlate.

Thanks
Term

12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match 
"(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?([\\\\d\\\\w]+)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?\\\\2|([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\
 ..." at ARGS:name. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 [line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data 
"script>alert"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag 
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag 
"PCI/6.5.2"] [hostname "192.168.0.13"] [uri "/dvwa/vulnerabilities/xss_r/"] 
[unique_id "UpryQX8AAQEAAANgBZwAAAAE"]
12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match 
"\\\\W{4,}" at ARGS:name. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection 
Alert - Repetative Non-Word Characters"] [data "\\x22)</"] [hostname 
"192.168.0.13"] [uri "/dvwa/vulnerabilities/xss_r/"] [unique_id 
"UpryQX8AAQEAAANgBZwAAAAE"]
12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match 
"([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){4,}"
 at ARGS:name. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character 
Anomaly Detection Alert - Total # of special characters exceeded"] [data ">"] 
[hostname "192.168.0.13"] [uri "/dvwa/vulnerabilities/xss_r/"] [unique_id 
"UpryQX8AAQEAAANgBZwAAAAE"]
12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match 
"(?i:(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?\\\\*.+(?:x?or|div|like|between|and|id)\\\\W*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\d)|(?:\\\\^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:^[\\\\w\\\\s\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98-]+(?<=and\\\\s)(?<=or|xor
 ..." at ARGS:name. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
 [line "257"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] 
[data ">alert(\\x22H"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [hostname 
"192.168.0.13"] [uri "/dvwa/vulnerabilities/xss_r/"] [unique_id 
"UpryQX8AAQEAAANgBZwAAAAE"]
12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match 
"\\\\balert\\\\b\\\\W*?\\\\(" at ARGS:name. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line 
"148"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] 
[data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag 
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag 
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "192.168.0.13"] [uri 
"/dvwa/vulnerabilities/xss_r/"] [unique_id "UpryQX8AAQEAAANgBZwAAAAE"]
12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match "\\\\< 
?script\\\\b" at ARGS:name. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line 
"196"] [id "958051"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] 
[data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag 
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag 
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "192.168.0.13"] [uri 
"/dvwa/vulnerabilities/xss_r/"] [unique_id "UpryQX8AAQEAAANgBZwAAAAE"]
12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match 
"\\\\balert\\\\b\\\\W*?\\\\(" at REQUEST_URI. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line 
"393"] [id "958120"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] 
[data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag 
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag 
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "192.168.0.13"] [uri 
"/dvwa/vulnerabilities/xss_r/"] [unique_id "UpryQX8AAQEAAANgBZwAAAAE"]
12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match "\\\\< 
?script\\\\b" at REQUEST_URI. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line 
"457"] [id "958119"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] 
[data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag 
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag 
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "192.168.0.13"] [uri 
"/dvwa/vulnerabilities/xss_r/"] [unique_id "UpryQX8AAQEAAANgBZwAAAAE"]
12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match 
"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h
 ..." at ARGS:name. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line 
"556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML 
Tag Handler"] [data "<script>"] [hostname "192.168.0.13"] [uri 
"/dvwa/vulnerabilities/xss_r/"] [unique_id "UpryQX8AAQEAAANgBZwAAAAE"]
12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match 
"(fromcharcode|alert|eval)\\\\s*\\\\(" at ARGS:name. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line 
"646"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "alert("] 
[hostname "192.168.0.13"] [uri "/dvwa/vulnerabilities/xss_r/"] [unique_id 
"UpryQX8AAQEAAANgBZwAAAAE"]
12/1/2013 4:24:42 PM     UDP Traffic Received from 192.168.0.13: 
192.168.0.13|<131>Dec  1 00:24:42 ubuntu apache-errors: [Sun Dec 01 00:24:33 
2013] [error] [client 192.168.0.111] ModSecurity: Warning. Pattern match 
"(?i:<script.*?>)" at ARGS:name. [file 
"/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line 
"757"] [id "973331"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] 
[data "<script>"] [hostname "192.168.0.13"] [uri 
"/dvwa/vulnerabilities/xss_r/"] [unique_id "UpryQX8AAQEAAANgBZwAAAAE"]

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

[Simple-evcorr-users] Correlate multiple modsecurity alert.

Reply via email to