Escape string values from json input in pipeline


1. Describe your incident:

I log nginx via JSON to Graylog and it is working fine. But now I detected that on some messages I have a small problem.
The messages result from an attack vector, where the request is displayed as

"request": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",

e.g., a Unicode-encoded zero. The problem: when I set it to a message field "request", the message field is empty because of the 0 string.

I didn't find any way to print the escaped string as above into a field. The example above is taken from the original message I parsed with json.

When I try to use urldecode it's the same, because it requires a string as input, which is empty after to_string(), too… Using a default value does not help - default is only used when input is null - but input isn't null…

Any ideas?

Thanks

That doesn’t look like valid data. Can you share more info about how this data is sent to graylog? Also what does the json you are parsing look like?

It is part of a json:

{ "nginx_timestamp": "2023-09-07T17:44:41+00:00", "remote_addr": "181.41.206.226", "connection": "1863", "connection_requests": 1, "body_bytes_sent": 157, "request_length": 0, "request_time": 0.074, "response_status": 400, "request": "\u0000\u0000\u0002\u0000", "request_method": "", "host": "", "upstream_cache_status": "", "upstream_addr": "", "http_x_forwarded_for": "", "http_referrer": "", "http_user_agent": "", "http_version": "", "remote_user": "", "http_server_name": "", "http_server_port": "8443", "http_x_forwarded_proto": "", "upstream_response_time": "", "nginx_access": true }

In the example I posted here the content of the JSON field "request" is a bit different, but this is how these messages look. And as said: the problem is that I can't avoid that the "request" field is interpreted.

Even though Graylog displays it escaped … All fields from the message above are set into the message in the pipeline, only the "request" field stays NULL.

That's interesting. Is it intended that the request field has data that looks like that? And does it ALWAYS look like that or only sometimes?

What is your intention with parsing it?

Unfortunately graylog does not have a way to parse that directly.

No, this is of course not all. This is just the result when an attacker tries to send weird data - nginx just records this data as the request :slight_smile: Of course regular data is parsed perfectly and I get nice-looking log entries.

Example: when you do a "telnet your-webserver 443" and then just type a few characters and hit enter, you will see this in the logs. The attacker just sends multiple non-printable UTF-8 characters to check if there is vulnerable software listening on this port.

OK, I think there should be an option for "to_string" so that non-printable characters are converted into something like what Graylog shows me in the original message …

Rajko

Processing pipelines do let you "cast" field types. You can use to_string.

This blog post is a good starting point for parsing and pipeline stuff: Graylog Parsing Rules and AI Oh My!

No. to_string does not help because it converts all these "\u0000" to a string containing the ASCII value 0, e.g., an empty string.
Parsing the JSON isn't a problem. I can't parse this as described in this article because it parses the result of to_string - an empty string. After all, I can't avoid the conversion to (char)0. Value 0, not the letter 0.

E.g., I'm missing a parameter "escape_nonprintable=(yes|no)" for to_string, and I wonder why Graylog displays the original message as shown above but I can't do it.
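The "escape_nonprintable" behaviour the thread asks for, written as an added Python example that is not Graylog pipeline code: it decodes a constructed nginx-style JSON log line, keeps the control characters from the "request" field visible as \uXXXX text, and records a flag and length so NUL-only probes can be searched for rather than vanishing as an empty field.

```python
import json
import re

# Constructed sample log line in nginx "escape=json" style (not from a live system);
# the request body is four control characters, as in the thread.
SAMPLE_LINE = (
    '{"nginx_timestamp": "2023-09-07T17:44:41+00:00", "remote_addr": "192.0.2.10", '
    '"response_status": 400, "request": "\\u0000\\u0000\\u0002\\u0000", "request_method": ""}'
)

# C0 control characters plus DEL: the characters that make a field look empty.
_NONPRINTABLE = re.compile(r"[\x00-\x1f\x7f]")


def escape_nonprintable(value: str) -> str:
    """Return value with every control character replaced by its \\uXXXX escape text."""
    return _NONPRINTABLE.sub(lambda m: "\\u%04x" % ord(m.group(0)), value)


def c_string_view(value: str) -> str:
    """What a NUL-terminated consumer sees: everything up to the first NUL byte."""
    return value.split("\x00", 1)[0]


def parse_nginx_line(line: str) -> dict:
    """Decode one JSON log line and add escaped/diagnostic fields for the request."""
    msg = json.loads(line)          # json.loads turns "\u0000" into a real NUL character
    raw = msg.get("request", "")
    msg["request_raw_len"] = len(raw)           # 4 here, even though it "looks" empty
    msg["request_has_nul"] = "\x00" in raw      # cheap detection flag for dashboards
    msg["request"] = escape_nonprintable(raw)   # printable, searchable representation
    return msg


if __name__ == "__main__":
    parsed = parse_nginx_line(SAMPLE_LINE)
    print(parsed["request"], parsed["request_raw_len"], parsed["request_has_nul"])
```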
