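#####################
#
### TESTSOFT.NET ###
#
############################
### ArcSight Parser For Nginx and Bitrix Stock Logformat v1.0 ###
#
# Top-level regex. Every line handed to this parser is expected to start with
# the literal program name "nginx" followed by the message body. token[0] is
# therefore the constant "nginx" and is the submessage selector below, so only
# submessage[0] (messageid=nginx) can ever be chosen: every log format handled
# here must be a pattern of submessage[0].
regex=(nginx):\\s(.*)
token.count=2
token[0].name=type
token[0].type=String
token[1].name=body
token[1].type=String

# Constant device identity for every event produced by this parser
# (the Bitrix pattern below overrides deviceProduct).
event.deviceVendor=__stringConstant("nginx")
event.deviceProduct=__stringConstant("webserver")
event.sourceUserPrivileges=__stringConstant("nginx")
event.deviceProcessName=__stringConstant("nginx")
# Defaults; most patterns override event.message with a shorter summary.
event.flexString2=body
event.name=type
event.message=body

submessage.messageid.token=type
submessage.token=body
submessage.count=1
submessage[0].messageid=nginx
# Patterns are tried in order and the first match is used, so the catch-all
# pattern[5] must remain last.
submessage[0].pattern.count=6

######## NGINX STOCK ACCESS LOG ##########
# pattern[0]: well-formed request line "METHOD path HTTP/x.y".
# sample:
#1.1.1.1 - - [29/Aug/2020:15:38:17 -0400] "GET /test/test/ HTTP/1.1" 401 597 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 OPR/70.0.3728.106" "-" "-"
# Dots in the client address are escaped so "1.1.1.1" cannot match across
# arbitrary characters (the earlier unescaped "." matched any character).
submessage[0].pattern[0].regex=(\\d+\\.\\d+\\.\\d+\\.\\d+)\\s+-\\s+(.*)\\s+\\[(.*)\\]\\s+\\"(\\w+)\\s+(.*)\\s+HTTP\\/\\d\\.\\d\\"\\s+(\\d+)\\s+(\\d+)\\s+\\"([^"]+)\\"\\s+\\"([^"]+)\\"\\s+\\"([^"]+)\\".*
submessage[0].pattern[0].mappings=$1|$2|$3|$4|$5|$6|$7|$8|$9|$10
submessage[0].pattern[0].fields=event.attackerAddress,event.targetUserName,event.deviceCustomString1,event.requestMethod,event.requestUrl,event.deviceCustomString2,event.bytesOut,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5
# deviceEventClassId is "METHOD:status"; message is "status METHOD path".
# No deviceCustomString6 is populated by this pattern, so no CS6 label is set.
submessage[0].pattern[0].extramappings=event.deviceEventClassId\=__concatenate($4,":",$6)|event.message\=__concatenate($6," ",$4," ",$5)|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString2Label=__stringConstant("status")|event.deviceCustomString3Label=__stringConstant("http_referer")|event.deviceCustomString4Label=__stringConstant("http_user_agent")|event.deviceCustomString5Label=__stringConstant("http_x_forwarded_for")
#$1 - event.attackerAddress - $remote_addr
#$2 - event.targetUserName - $remote_user
#$3 - event.deviceCustomString1 - $time_local
#$4 - event.requestMethod - (method part of $request)
#$5 - event.requestUrl - (path part of $request)
#$6 - event.deviceCustomString2 - $status
#$7 - event.bytesOut - $body_bytes_sent
#$8 - event.deviceCustomString3 - $http_referer
#$9 - event.deviceCustomString4 - $http_user_agent
#$10 - event.deviceCustomString5 - $http_x_forwarded_for

# pattern[1]: request line that is NOT "METHOD path HTTP/x.y" (malformed or
# non-HTTP probes; the sample is a binary payload nginx answered with 400).
# The whole quoted request, \x escapes included, lands in requestUrl;
# requestMethod stays empty and deviceEventClassId becomes "-:status".
# sample:
#1.1.1.1 - - [29/Aug/2020:21:42:14 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 173 "-" "-" "-" "-"
submessage[0].pattern[1].regex=(\\d+\\.\\d+\\.\\d+\\.\\d+)\\s+-\\s+(.*)\\s+\\[(.*)\\]\\s+\\"(.*)\\"\\s+(\\d+)\\s+(\\d+)\\s+\\"([^"]+)\\"\\s+\\"([^"]+)\\"\\s+\\"([^"]+)\\".*
submessage[0].pattern[1].mappings=$1|$2|$3|$4|$5|$6|$7|$8|$9
submessage[0].pattern[1].fields=event.attackerAddress,event.targetUserName,event.deviceCustomString1,event.requestUrl,event.deviceCustomString2,event.bytesOut,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5
submessage[0].pattern[1].extramappings=event.deviceEventClassId\=__concatenate("-",":",$5)|event.message\=__concatenate($5," ","-"," ",$4)|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString2Label=__stringConstant("status")|event.deviceCustomString3Label=__stringConstant("http_referer")|event.deviceCustomString4Label=__stringConstant("http_user_agent")|event.deviceCustomString5Label=__stringConstant("http_x_forwarded_for")
#$1 - event.attackerAddress - $remote_addr
#$2 - event.targetUserName - $remote_user
#$3 - event.deviceCustomString1 - $time_local
#$4 - event.requestUrl - (whole $request)
#$5 - event.deviceCustomString2 - $status
#$6 - event.bytesOut - $body_bytes_sent
#$7 - event.deviceCustomString3 - $http_referer
#$8 - event.deviceCustomString4 - $http_user_agent
#$9 - event.deviceCustomString5 - $http_x_forwarded_for
######## END OF NGINX STOCK ACCESS LOG ##########

######## NGINX STOCK ERROR ##########
# pattern[2]: error-log line that names a user (basic-auth failure).
# Must stay before pattern[3], which would otherwise match it without
# extracting the user. deviceSeverity takes the nginx level token ("error").
# sample:
#2020/08/29 04:44:28 [error] 5881#0: *93 user "admin": password mismatch, client: 1.1.1.1, server: usa-digital-2, request: "GET / HTTP/1.1", host: "1.1.1.1:80"
submessage[0].pattern[2].regex=(.*)\\s+\\[(\\w+)].*(user\\s\\"([^"]+)".*client:\\s(\\d+\\.\\d+\\.\\d+\\.\\d+)).*"(\\w+)\\s([^\\s]+).*".*
submessage[0].pattern[2].mappings=$1|$2|$3|$4|$5|$6|$7
submessage[0].pattern[2].fields=event.deviceCustomString1,event.deviceSeverity,event.message,event.targetUserName,event.attackerAddress,event.requestMethod,event.requestUrl
# Labels are set so consumers can tell CS2 here ("level") apart from CS2 in
# the access-log patterns ("status").
submessage[0].pattern[2].extramappings=event.name\=__concatenate("nginx"," ",$2)|event.deviceCustomString2=$2|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString2Label=__stringConstant("level")
#$1 - event.deviceCustomString1 - timestamp
#$2 - event.deviceSeverity / event.deviceCustomString2 - level
#$3 - event.message - from "user ..." through the client address
#$4 - event.targetUserName
#$5 - event.attackerAddress - client
#$6 - event.requestMethod
#$7 - event.requestUrl

# pattern[3]: generic error-log line with client and request.
# sample:
#2020/09/24 16:12:21 [error] 27266#0: *3 open() "/usr/share/nginx/html/1111" failed (2: No such file or directory), client: 1.1.1.1, server: rus-just-2, request: "GET /1111 HTTP/1.1", host: "2.2.2.2"
submessage[0].pattern[3].regex=(.*)\\s+\\[(\\w+)]\\s+(.*)\\,\\s+client:\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+).*request:\\s+\\"(\\w+)\\s+(.*)\\s+HTTP.*
submessage[0].pattern[3].mappings=$1|$2|$3|$4|$5|$6
submessage[0].pattern[3].fields=event.deviceCustomString1,event.deviceSeverity,event.message,event.attackerAddress,event.requestMethod,event.requestUrl
submessage[0].pattern[3].extramappings=event.name\=__concatenate("nginx"," ",$2)|event.deviceCustomString2=$2|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString2Label=__stringConstant("level")
#$1 - event.deviceCustomString1 - timestamp
#$2 - event.deviceSeverity / event.deviceCustomString2 - level
#$3 - event.message - text up to ", client:"
#$4 - event.attackerAddress - client
#$5 - event.requestMethod
#$6 - event.requestUrl
######## END OF NGINX STOCK ERROR ##########

############ BITRIX NGINX STOCK ################
# pattern[4]: Bitrix access-log layout (status before the request line,
# upstream response time inside the brackets). The method group is optional
# so a request line without a method still matches.
# sample:
#1.1.1.1 - - [12/Sep/2020:13:24:09 +0300 - -] 200 "GET /bitrix/js/intranet/sidepanel/bindings/images/task_edit_bg.min.svg HTTP/1.1" 605 "http://1.1.1.1/bitrix/js/intranet/sidepanel/bindings/mask.min.css?159985698714512" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 OPR/70.0.3728.178" "-"
submessage[0].pattern[4].regex=(\\d+\\.\\d+\\.\\d+\\.\\d+)\\s+-\\s+(.*)\\s+\\[(.*)\\s+-\\s+(.*)\\]\\s+(\\d+)\\s+\\"(?:(\\w+)\\s+)?(.*)\\s+HTTP.*\\"\\s+(\\d+)\\s+\\"([^"]+)\\"\\s+\\"([^"]+)\\"\\s+\\"([^"]+)\\".*
submessage[0].pattern[4].mappings=$1|$2|$3|$4|$5|$6|$7|$8|$9|$10|$11
submessage[0].pattern[4].fields=event.attackerAddress,event.targetUserName,event.deviceCustomString1,event.deviceCustomString6,event.deviceCustomString2,event.requestMethod,event.requestUrl,event.bytesOut,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5
submessage[0].pattern[4].extramappings=event.deviceEventClassId\=__concatenate($6,":",$5)|event.message\=__concatenate($5," ",$6," ",$7)|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString2Label=__stringConstant("status")|event.deviceCustomString3Label=__stringConstant("http_referer")|event.deviceCustomString4Label=__stringConstant("http_user_agent")|event.deviceCustomString5Label=__stringConstant("http_x_forwarded_for")|event.deviceCustomString6Label=__stringConstant("upstream_response_time")|event.deviceProduct=__stringConstant("bitrix")
#$1 - event.attackerAddress - $remote_addr
#$2 - event.targetUserName - $remote_user
#$3 - event.deviceCustomString1 - $time_local
#$4 - event.deviceCustomString6 - $upstream_response_time
#$5 - event.deviceCustomString2 - $status
#$6 - event.requestMethod - (method part of $request, optional)
#$7 - event.requestUrl - (path part of $request)
#$8 - event.bytesOut - $body_bytes_sent
#$9 - event.deviceCustomString3 - $http_referer
#$10 - event.deviceCustomString4 - $http_user_agent
#$11 - event.deviceCustomString5 - $http_x_forwarded_for
############ END OF BITRIX NGINX STOCK ################

############ CATCH-ALL ################
# pattern[5]: matches any body none of the patterns above accepted (new log
# formats, IPv6 clients, lines that break the regexes) and tags it with
# reason=unparsed so such lines can be found and the patterns tuned.
# NOTE(review): this was previously a commented-out submessage[1]; a second
# submessage could never be selected because token "type" is always the
# literal "nginx", so the fallback belongs here as the last pattern.
submessage[0].pattern[5].regex=(.*)
submessage[0].pattern[5].mappings=$1
submessage[0].pattern[5].fields=event.message
submessage[0].pattern[5].extramappings=event.reason=__stringConstant("unparsed")
############ END OF CATCH-ALL ################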
Arcsight flexConnector for Nginx with Bitrix
