-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Parsing] Error when parsing url on long value #15
Comments
This log gets parsed OK, and also has whitespaces inside some values
|
Another error on kv [2022-08-02T16:56:19,723][WARN ][logstash.filters.kv ][syslog-fortinet-kv][6616a98f994dfc3cfa890fdb9a33fcd8f9ffe250bb0883f27647cc5bdd285438] Timeout reached in KV filter with value (entry too large to show; showing first 255 characters) `"date=2022-08-02 time=16:55:41 devname="FGT-PLANTA01" devid="FG6H1E5819900604" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="perimetral" eventtime=1659477341611493234 tz="-0500" policyid=214 sessionid=1874365156"`[...]` |
I think I found the original log (taken from faz)
|
Just detected some parsing issue with this log
<185>date=2020-03-28 time=21:37:11 devname="MASTER_CALLEUNO" devid="FG5H1E5818909999" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1585449431 severity="high" srcip=51.81.126.39 srccountry="United States" dstip=192.168.253.169 srcintf="port1" srcintfrole="wan" dstintf="port2" dstintfrole="lan" sessionid=2060097095 action="dropped" proto=6 service="HTTP" policyid=13 attack="HTTP.URI.SQL.Injection" srcport=58637 dstport=80 hostname="somehostname.com" url="/Miercoles/Portal/MME/descargar.aspx?archivo=A1A44AFA-694A-4264-8F8B-14BA4595D993.PDF AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')" direction="outgoing" attackid=15621 profile="all_default" ref="http://www.fortinet.com/ids/VID15621" incidentserialno=1846760869 msg="web_misc: HTTP.URI.SQL.Injection," crscore=30 crlevel="high"
The issue is on
url="/Miercoles/Portal/MME/descargar.aspx?archivo=A1A44AFA-694A-4264-8F8B-14BA4595D993.PDF AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')"
it gets parsed like
fortios.url= "/Miercoles/Portal/MME/descargar.aspx?archivo=A1A44AFA-694A-4264-8F8B-14BA4595D993.PDF
I am missing half of the value. I will do some troubleshooting
The text was updated successfully, but these errors were encountered: