You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is there any recommence in forward Modsecurity Audit log in json format from an agent to wazuh manager?
I saw that Wazuh support Json decoder by default but i can't figure out how to implement it to get the Modsecurity audit log into the wazuh manager and visualize it on the dashboard.
I attach the modsecurity audit log in json below: {"transaction":{"client_ip":"10.1.0.4","time_stamp":"Sat Jun 15 12:12:40 2024","server_id":"a08d0c6eb6ece1374de508f878dfe6894859c17f","client_port":57090,"host_ip":"10.1.0.5","host_port":80,"unique_id":"171845356027.087146","request":{"method":"GET","http_version":1.1,"uri":"/vulnerabilities/sqli/?id=%27+OR+1%3D1%3B&Submit=Submit","headers":{"Host":"dvwa.test","Connection":"keep-alive","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","Cookie":"PHPSESSID=cjnb1igrvgsvmjo3qblkdkboo3; security=low","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","Referer":"http://dvwa.test/vulnerabilities/sqli/","Accept-Encoding":"gzip, deflate","Accept-Language":"en-US,en;q=0.9"}},"response":{"body":"\u001F?\b","http_code":200,"headers":{"Server":"nginx/1.26.1","Date":"Sat, 15 Jun 2024 12:12:40 GMT","Content-Length":"141","Expires":"Thu, 19 Nov 1981 08:52:00 GMT","Content-Type":"text/html; charset=UTF-8","Connection":"keep-alive","Cache-Control":"no-store, no-cache, must-revalidate","Pragma":"no-cache","Vary":"Accept-Encoding","Content-Encoding":"gzip"}},"producer":{"modsecurity":"ModSecurity v3.0.12 (Linux)","connector":"ModSecurity-nginx v1.0.3","secrules_engine":"DetectionOnly","components":["OWASP_CRS/4.4.0-dev\""]},"messages":[{"message":"SQL Injection Attack Detected via libinjection","details":{"match":"detected SQLi using libinjection.","reference":"v30,9","ruleId":"942100","file":"/etc/nginx/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf","lineNumber":"46","data":"Matched Data: s&1; found within ARGS:id: ' OR 1=1;","severity":"2","ver":"OWASP_CRS/4.4.0-dev","rev":"","tags":["application-multi","language-multi","platform-multi","attack-sqli","paranoia-level/1","OWASP_CRS","capec/1000/152/248/66","PCI/6.5.2"],"maturity":"0","accuracy":"0"}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 5)","details":{"match":"Matched \"Operator Ge' with parameter 5' against variable TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: 5' )","reference":"","ruleId":"949110","file":"/etc/nginx/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf","lineNumber":"222","data":"","severity":"0","ver":"OWASP_CRS/4.4.0-dev","rev":"","tags":["anomaly-evaluation","OWASP_CRS"],"maturity":"0","accuracy":"0"}}]}}
The text was updated successfully, but these errors were encountered:
Is there any recommence in forward Modsecurity Audit log in json format from an agent to wazuh manager?
I saw that Wazuh support Json decoder by default but i can't figure out how to implement it to get the Modsecurity audit log into the wazuh manager and visualize it on the dashboard.
I attach the modsecurity audit log in json below:
{"transaction":{"client_ip":"10.1.0.4","time_stamp":"Sat Jun 15 12:12:40 2024","server_id":"a08d0c6eb6ece1374de508f878dfe6894859c17f","client_port":57090,"host_ip":"10.1.0.5","host_port":80,"unique_id":"171845356027.087146","request":{"method":"GET","http_version":1.1,"uri":"/vulnerabilities/sqli/?id=%27+OR+1%3D1%3B&Submit=Submit","headers":{"Host":"dvwa.test","Connection":"keep-alive","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","Cookie":"PHPSESSID=cjnb1igrvgsvmjo3qblkdkboo3; security=low","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","Referer":"http://dvwa.test/vulnerabilities/sqli/","Accept-Encoding":"gzip, deflate","Accept-Language":"en-US,en;q=0.9"}},"response":{"body":"\u001F?\b","http_code":200,"headers":{"Server":"nginx/1.26.1","Date":"Sat, 15 Jun 2024 12:12:40 GMT","Content-Length":"141","Expires":"Thu, 19 Nov 1981 08:52:00 GMT","Content-Type":"text/html; charset=UTF-8","Connection":"keep-alive","Cache-Control":"no-store, no-cache, must-revalidate","Pragma":"no-cache","Vary":"Accept-Encoding","Content-Encoding":"gzip"}},"producer":{"modsecurity":"ModSecurity v3.0.12 (Linux)","connector":"ModSecurity-nginx v1.0.3","secrules_engine":"DetectionOnly","components":["OWASP_CRS/4.4.0-dev\""]},"messages":[{"message":"SQL Injection Attack Detected via libinjection","details":{"match":"detected SQLi using libinjection.","reference":"v30,9","ruleId":"942100","file":"/etc/nginx/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf","lineNumber":"46","data":"Matched Data: s&1; found within ARGS:id: ' OR 1=1;","severity":"2","ver":"OWASP_CRS/4.4.0-dev","rev":"","tags":["application-multi","language-multi","platform-multi","attack-sqli","paranoia-level/1","OWASP_CRS","capec/1000/152/248/66","PCI/6.5.2"],"maturity":"0","accuracy":"0"}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 5)","details":{"match":"Matched \"OperatorGe' with parameter5' against variableTX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value:5' )","reference":"","ruleId":"949110","file":"/etc/nginx/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf","lineNumber":"222","data":"","severity":"0","ver":"OWASP_CRS/4.4.0-dev","rev":"","tags":["anomaly-evaluation","OWASP_CRS"],"maturity":"0","accuracy":"0"}}]}}The text was updated successfully, but these errors were encountered: