Arcsight flexConnector for Apache with modsecurity

flexconnector apache with modsecurity
flexconnector apache with modsecurity

The parser still needs some refinement, but in general it processes about 90% of incoming events.

##################### # ### TESTSOFT.NET ### # ############################
###	ArcSight Parser For Apache and ModSecurity Stock Logformat v1.0	###

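# Top-level regex: splits the incoming line into the program name ("httpd",
# optionally followed by a bracketed pid) and the remainder of the line (body).
regex=(httpd)(?:\\[.*\\])?:\\s(.*)

token.count=2
token[0].name=type
token[0].type=String
token[1].name=body
token[1].type=String

# Device identification applied to every event from this parser. The
# ModSecurity pattern (pattern[2]) overrides deviceProduct and deviceProcessName.
event.deviceVendor=__stringConstant("apache")
event.deviceProduct=__stringConstant("webserver")
event.sourceUserPrivileges=__stringConstant("apache")
event.deviceProcessName=__stringConstant("apache")

# The unparsed body is always kept in flexString2 ("raw"), so a line that none
# of the patterns below can field-parse is still searchable on its raw text.
event.flexString2=body
event.flexString2Label=__stringConstant("raw")
event.name=type
event.message=body

# Submessage dispatch: the "type" token selects the submessage, the body is
# matched against that submessage's patterns. The patterns are expected to be
# tried in order with the first match winning (confirm against the connector
# documentation): full request line, request-less line, then ModSecurity.
submessage.messageid.token=type
submessage.token=body
submessage.count=1

submessage[0].messageid=httpd
submessage[0].pattern.count=3

### Example ### 1.1.1.1 - - [03/Sep/2020:14:43:38 +0000] "GET /000000000000 HTTP/1.1" 404 40460 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
# Pattern 0: combined log format with a full request line.
# The dots of the client address and of the HTTP version are escaped (\\.) so
# that only a dotted quad and a "major.minor" version match, not any character.
# NOTE(review): requestUrl, referer and user agent are client-supplied. Apache
# writes an embedded quote in these fields as \" and [^"]+ stops at the first
# quote, so such a line matches neither this pattern nor pattern 1; it reaches
# the SIEM only with the raw body in flexString2, and searches on the parsed
# fields alone will not see it.
# NOTE(review): attackerAddress is the first field (%h, the peer address). If
# Apache sits behind a reverse proxy or load balancer this is the proxy's
# address, not the client's - confirm the deployment (mod_remoteip or a
# forwarded-address field in the log format) before building rules on it.
submessage[0].pattern[0].regex=(\\d+\\.\\d+\\.\\d+\\.\\d+)\\s+-\\s+(.*)\\s+\\[(.*)\\]\\s+\\"(\\w+)\\s+(.*)\\s+HTTP\\/\\d\\.\\d\\"\\s+(\\d+)\\s+(\\d+)\\s+\\"([^"]+)\\"\\s+\\"([^"]+)\\".*
submessage[0].pattern[0].mappings=$1|$2|$3|$4|$5|$6|$7|$8|$9
submessage[0].pattern[0].fields=event.attackerAddress,event.targetUserName,event.deviceCustomString1,event.requestMethod,event.requestUrl,event.deviceCustomString2,event.bytesOut,event.deviceCustomString3,event.deviceCustomString4
# deviceEventClassId is "<method>:<status>", message is "<status> <method> <url>",
# and the numeric HTTP status code is used directly as deviceSeverity.
submessage[0].pattern[0].extramappings=event.deviceEventClassId\=__concatenate($4,":",$6)|event.message\=__concatenate($6," ",$4," ",$5)|event.deviceSeverity=$6|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString2Label=__stringConstant("status")|event.deviceCustomString3Label=__stringConstant("http_referer")|event.deviceCustomString4Label=__stringConstant("http_user_agent")

#$1		-	event.attackerAddress		-	$remote_addr
#$2		-	event.targetUserName		-	$remote_user
#$3		-	event.deviceCustomString1	-	$time_local
#$4		-	event.requestMethod			-	method, first word of the quoted request line
#$5		-	event.requestUrl			-	path, second word of the quoted request line
#$6		-	event.deviceCustomString2	-	$status
#$7		-	event.bytesOut			-	$body_bytes_sent
#$8		-	event.deviceCustomString3	-	$http_referer
#$9		-	event.deviceCustomString4	-	$http_user_agent

### Example ### 1.1.1.1 - - [03/Sep/2020:14:56:25 +0000] "-" 408 559 "-" "-"
# Pattern 1: same layout, but the request line is not a "<method> <url> HTTP/x.y"
# triple (e.g. the "-" of a 408 timeout in the example). The whole quoted request
# field goes to requestUrl and there is no requestMethod. The closing quote is
# written as \\" like every other quote in this file (a properties loader drops
# the backslash of \", so \\" and " load to the same regex).
# The client address dots are escaped (\\.) for the same reason as in pattern 0.
submessage[0].pattern[1].regex=(\\d+\\.\\d+\\.\\d+\\.\\d+)\\s+-\\s+(.*)\\s+\\[(.*)\\]\\s+\\"(.*)\\"\\s+(\\d+)\\s+(\\d+)\\s+\\"([^"]+)\\"\\s+\\"([^"]+)\\".*
submessage[0].pattern[1].mappings=$1|$2|$3|$4|$5|$6|$7|$8
submessage[0].pattern[1].fields=event.attackerAddress,event.targetUserName,event.deviceCustomString1,event.requestUrl,event.deviceCustomString2,event.bytesOut,event.deviceCustomString3,event.deviceCustomString4
# No method is available here, so "-" stands in for it in deviceEventClassId and message.
submessage[0].pattern[1].extramappings=event.deviceEventClassId\=__concatenate("-",":",$5)|event.message\=__concatenate($5," ","-"," ",$4)|event.deviceSeverity=$5|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString2Label=__stringConstant("status")|event.deviceCustomString3Label=__stringConstant("http_referer")|event.deviceCustomString4Label=__stringConstant("http_user_agent")


######### ModSecurity Apache Mod #########
# Pattern 2: ModSecurity alerts written to the Apache error log ([:error] with a
# [client ip:port] prefix). Only [file ...] and [msg ...] are required; line, id,
# data, severity, the OWASP_CRS tag, uri, unique_id and referer are optional.
# The client address dots are escaped (\\.) as in patterns 0 and 1.
# NOTE(review): "data" ($10, flexString1) is the request content the rule matched
# and is appended verbatim to event.message - it is attacker-controlled text and
# should be treated as untrusted wherever it is displayed or re-used.
# NOTE(review): the chain of .* with optional groups can backtrack heavily on
# long lines; if parser CPU becomes an issue, tightening the optional sections
# is the place to start (not changed here).
submessage[0].pattern[2].regex=.*\\[(.*)]\\s+\\[:error\\].*\\[client\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+)\\:(\\d+)\\].*ModSecurity:\\s+((Access\\s+denied|Warning)?.*)\\[file\\s+\\"([^"]+)\\"\\](?:.*line\\s+\\"([^"]+)\\"\\])?(?:.*id\\s+\\"([^"]+)\\"\\])?.*msg\\s+\\"([^"]+)\\"\\](?:.*data\\s+\\"([^"]+)\\"\\])?(?:.*severity\\s+\\"([^"]+)\\"\\])?(?:.*tag\\s+\\"OWASP_CRS\\/([^"]+)\\"\\])?(?:.*uri\\s+\\"([^"]+)\\"\\])?(?:.*unique_id\\s+\\"([^"]+)\\"\\])?(?:.*referer:\\s+([^\\s]+))?.*
submessage[0].pattern[2].mappings=$1|$2|$3|$4|$5|$6|$7|$8|$9|$10|$11|$12|$13|$14|$15
submessage[0].pattern[2].fields=event.deviceCustomString1,event.attackerAddress,event.attackerPort,event.message,event.deviceAction,event.filePath,event.flexNumber1,event.flexNumber2,event.name,event.flexString1,event.deviceSeverity,event.deviceCustomString5,event.requestUrl,event.externalId,event.deviceCustomString3
# Overrides for WAF events: deviceProduct/deviceProcessName become waf/modsecurity,
# message becomes "<modsecurity text><data>", and deviceSeverity (mapped from $11
# above) is replaced by its lower-cased form.
submessage[0].pattern[2].extramappings=event.deviceProduct=__stringConstant("waf")|event.message\=__concatenate($4,$10)|event.deviceSeverity=__toLowerCase($11)|event.deviceProcessName=__stringConstant("modsecurity")|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString3Label=__stringConstant("referer")|event.deviceCustomString5Label=__stringConstant("owasp_crs")|event.flexNumber1Label=__stringConstant("rule_line")|event.flexNumber2Label=__stringConstant("rule_id")|event.flexString1Label=__stringConstant("data")

#$1	-	event.deviceCustomString1	-	time_local
#$2	-	event.attackerAddress
#$3	-	event.attackerPort
#$4	-	event.message
#$5	-	event.deviceAction
#$6	-	event.filePath
#$7	-	event.flexNumber1		-	line
#$8	-	event.flexNumber2		-	id
#$9	-	event.name
#$10	-	event.flexString1		-	data
#$11	-	event.deviceSeverity
#$12	-	event.deviceCustomString5	-	owasp_crs
#$13	-	event.requestUrl
#$14	-	event.externalId		-	unique_id
#$15	-	event.deviceCustomString3	-	referer

##### TMP FOR DEBUG #####
# Catch-all kept disabled. Note that submessage.count=1 above, so a submessage[1]
# entry would presumably not be read even if these lines were uncommented; a
# catch-all for otherwise unparsed lines would have to be a further pattern of
# submessage[0] (with pattern.count raised) to tag events that fell through the
# three patterns above.
#submessage[1].pattern.count=1
#submessage[1].pattern[0].regex=(.*)
#submessage[1].pattern[0].fields=event.message
#submessage[1].pattern[0].extramappings=event.reason=__stringConstant("unparsed apache")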