
@mhf-ir
Last active January 13, 2023 09:41
VRL helpers
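# Parse an nginx error-log line held in .message and derive helper fields:
#   - nginx_error.method / nginx_error.path from the logged request line
#   - nginx_error.refererMode, a coarse comparison of the Referer host with the Host value
#   - .NAXSI_EXLOG / .NAXSI_FMT, arrays of {key, value} objects parsed from NAXSI lines
nginx_error, err = parse_nginx_log(.message, "error")
if err == null {
    # Split the request line into method and path when nginx logged one.
    if is_string(nginx_error.request) {
        method_path, err = parse_regex(nginx_error.request, r'^(?P<method>[A-Z]+) (?P<path>[^\s]+)')
        if err == null {
            nginx_error.method = method_path.method
            nginx_error.path = method_path.path
        }
    }

    # refererMode values:
    #   0 = no referer logged      1 = referer is not a parseable URL
    #   2 = parseable, no host to compare against
    #   3 = hosts identical        4 = one host is a substring of the other
    #   5 = hosts differ
    nginx_error.refererMode = 0
    if is_string(nginx_error.referer) && nginx_error.referer != "" {
        # Guarded by is_string() above, so this coercion cannot fail at runtime.
        nginx_error.referer = string!(nginx_error.referer)
        referer, err = parse_url(nginx_error.referer)
        if err == null {
            nginx_error.refererMode = 2 # valid referer
            nginx_error.refererHost = string!(referer.host)

            # The host field is client-controlled and may be absent from the log line.
            # Coerce it only inside the is_string() guard: an unguarded string!() here
            # raises a runtime error for a line that has a referer but no host, and the
            # NAXSI parsing below would then never run for that event.
            if is_string(nginx_error.host) {
                host = string!(nginx_error.host)
                if host == nginx_error.refererHost {
                    nginx_error.refererMode = 3 # exact same
                } else if host != "" && nginx_error.refererHost != "" && (contains(host, nginx_error.refererHost) || contains(nginx_error.refererHost, host)) {
                    # An empty string is contained in every string, so empty hosts are
                    # excluded above and fall through to "different".
                    # This is a substring match, not a same-site test: a referer host like
                    # example.com.other.example contains example.com and lands here.
                    # Downstream rules should not treat mode 4 as trusted.
                    nginx_error.refererMode = 4 # contain
                } else {
                    nginx_error.refererMode = 5 # different
                }
            }
        } else {
            nginx_error.refererMode = 1 # invalid referer
        }
    }

    # NAXSI_EXLOG: the query-string-encoded payload after the prefix is expanded into
    # an array of {key, value} objects on the event. The pairs come from the logged
    # line, so consumers should handle keys and values as untrusted text.
    NAXSI_EXLOG, err = parse_regex(nginx_error.message, r'^NAXSI_EXLOG: (?P<queries>[^\s]+)')
    if err == null {
        NAXSI_EXLOG, err = parse_query_string(NAXSI_EXLOG.queries)
        # Set even when parsing fails, so a matched line always yields an array.
        .NAXSI_EXLOG = []
        if err == null {
            for_each(NAXSI_EXLOG) -> |_index, value| {
                d = {}
                d.key = _index
                d.value = value
                .NAXSI_EXLOG = push(.NAXSI_EXLOG, d)
            }
        }
    }

    # NAXSI_FMT: same expansion as above for the NAXSI_FMT line.
    NAXSI_FMT, err = parse_regex(nginx_error.message, r'^NAXSI_FMT: (?P<queries>[^\s]+)')
    if err == null {
        NAXSI_FMT, err = parse_query_string(NAXSI_FMT.queries)
        .NAXSI_FMT = []
        if err == null {
            for_each(NAXSI_FMT) -> |_index, value| {
                d = {}
                d.key = _index
                d.value = value
                .NAXSI_FMT = push(.NAXSI_FMT, d)
            }
        }
    }

    # NOTE(review): nginx_error is a local variable; this snippet writes only
    # .NAXSI_EXLOG and .NAXSI_FMT to the event. Presumably the surrounding program
    # copies nginx_error (method, path, refererMode, ...) onto the event — confirm.
}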