Sadly my skill level isn’t high enough to get this to work.
This is an example of the message
{"transaction":{"client_ip":"172.104.62.117","time_stamp":"Tue Jul 9 18:04:12 2019","server_id":"1c99b919232e4014434ab71b8e9a2d0c917e2a08","client_port":44966,"host_ip":"87.233.198.123","host_port":80,"unique_id":"15626882520.290244","request":{"method":"GET","http_version":1.0,"uri":"/","headers":{}},"response":{"http_code":200,"headers":{"HTTP/1.0":"200 OK","Date":"Tue, 09 Jul 2019 16:04:12 GMT","Upgrade":"h2,h2c","Server":"Apache/2.4.29 (Ubuntu)","Strict-Transport-Security":"max-age=63072000; includeSubDomains","Connection":"Upgrade","Link":"<https://www.edworks.info/index.php?rest_route=/>; rel=\"https://api.w.org/\"","Vary":"Accept-Encoding","Content-Type":"text/html; charset=UTF-8"}},"producer":{"modsecurity":"ModSecurity v3.0.3 (Linux)","connector":"HAProxy Dynamic Update version 1.6 2017/01/25 compiled with HAProxy version 1.8.0-2.0.0-195.864 '2019/06/19'\n","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Request Missing a Host Header","details":{"match":"Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Host' (Value: `0' )","reference":"","ruleId":"920280","file":"/etc/hapee-1.8/modsec.rules.d/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"579","data":"","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}}
I thought that this should work
rule "duckhunt-modsecurity-concat-alert_v2"
when
has_field("trueserver_document_type") and to_string($message.trueserver_document_type) == "duckhunt-modsecurity"
then
let json_result = parse_json(to_string($message.message));
let json_fields = select_jsonpath(json_result,
{
client_ip: "$.client_ip"
}
);
set_field("client_ip2", json_fields.client_ip);
end
But it doesn’t and it is only one of the fields i want, ruleid which is in a list which makes getting to the first ruleid probably even harder.