This repository has been archived by the owner on Aug 8, 2024. It is now read-only.

parsing error #25

Open
markuman opened this issue Nov 21, 2018 · 0 comments


@markuman

First, sorry. I cannot think of any better subject.

We're using this Apache log format

grep -rni LogFormat /etc/apache2/* | grep common
apache2.conf:208:LogFormat "%h %l %u %t \"%r\" %>s %O" common

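and parsing it with this Python code

import apache_log_parser

# One parser per log format: "combined" adds Referer and User-Agent to "common".
combine_parser = apache_log_parser.make_parser("%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"")
common_parser = apache_log_parser.make_parser("%h %l %u %t \"%r\" %>s %O")

# rawData holds one raw log line; fall back to the common format
# when the line does not parse as combined.
try:
    dataset = combine_parser(rawData)
except Exception:
    dataset = common_parser(rawData)

During some penetration tests on our systems, we got this Apache log line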

1.2.3.4 - - [20/Nov/2018:16:17:59 +0100] "GET //${%23w%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23w.print('Nessus%20Response:%20'),%23w.println('struts_2_3_14_3_command_execution-2092796018'),%23w.flush(),%23w.close()}.action HTTP/1.1" 404 698

which returns the error message

ValueError: invalid literal for int() with base 10: "%20'),%23w.println('struts_2_3_14_3_command_execution-2092796018'),%23w.flush(),%23w.close()}.action"

It looks like we need to escape some characters in this string? But which one?

It looks like it gets misinterpreted at the : character.

Escaping with escaped = rawData.translate(str.maketrans({":": r"\:"})) doesn't work. Any ideas?
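
An added example, not part of the original issue or the project's code: the request target in the log line above starts with `//`, so Python's `urllib.parse.urlsplit` treats everything after it as an authority (host:port), and reading `.port` raises `ValueError` on the text after the first colon. That apache_log_parser hits this same path internally is an assumption; `naive_port` and `split_request_target` are hypothetical helper names.

```python
from urllib.parse import urlsplit

# Request target copied from the log line quoted in this issue.
TARGET = ("//${%23w%3d%23context.get('com.opensymphony.xwork2.dispatcher."
          "HttpServletResponse').getWriter(),%23w.print('Nessus%20Response:%20'),"
          "%23w.println('struts_2_3_14_3_command_execution-2092796018'),"
          "%23w.flush(),%23w.close()}.action")


def naive_port(target):
    """Parse the target as a generic URL and read .port (the failing path)."""
    return urlsplit(target).port


def split_request_target(target):
    """Split an HTTP request target without letting '//' create a fake authority.

    Origin-form targets (starting with '/') are path[?query] only, so they are
    split by hand. Absolute-form targets go through urlsplit, and a port that
    cannot be parsed is reported as None instead of raising.
    """
    if target.startswith("/"):
        path, _, query = target.partition("?")
        return {"scheme": "", "host": None, "port": None,
                "path": path, "query": query}
    parts = urlsplit(target)
    try:
        port = parts.port
    except ValueError:
        port = None
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "path": parts.path, "query": parts.query}


if __name__ == "__main__":
    try:
        naive_port(TARGET)
    except ValueError as exc:
        print("naive parse failed:", exc)
    print(split_request_target(TARGET)["path"][:40], "...")
```

Because the colon sits inside the logged request itself, the parse fails regardless of how the raw line is escaped beforehand; the defensive split keeps the whole scanner probe as the path so the line can still be stored and alerted on.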
