
modsecurity 2 — disable logging for specific rule ids?

In mod-security2, I want to disable logging for some specific rule-ids (the most frequent false positives from default rules).

I want to keep the rules active for anomaly-scoring, but just turn off logging for some.

How do I do that?

You can use SecRuleUpdateActionById to achieve this.

For example if you have this:

SecRule ARGS attack "phase:2,id:12345,log,pass"
# nolog switches off the error-log entry (and, unless auditlog is given after it, the audit-log entry) for this rule
SecRuleUpdateActionById 12345 "nolog,pass"

Then you will remove logging. Note this will completely replace the action part of the rule (except the phase and the id), so you will need to copy all the actions of the original rule to SecRuleUpdateActionById. Not sure how sustainable this is in the long term, as if you ever update the rules to a new version you will need to check none of the actions have changed.

To be honest, noisy logs are one of the main reasons I don't like the anomaly scoring method - I prefer rules to only fire if they mean something, so I use standard blocking mode and just disable these noisy rules completely if they frequently give false positives.

To solve this problem, I ended up knocking up a little util-script to turn off logging for specific rule-ids that cluttered up the log-files too much.

It works well for my needs, but use this at your own peril -- this one is open source for a reason! :)

#!/bin/bash

# Filename: suppress_logging.sh

# From your mod-security base_rules/ directory, do: mkdir -p ../tools/
# Put this script in that tools/ directory, and run it to turn off logging for specific rules (frequent false alerts)
#
# For example, rule-id 123456 will be "overridden" with a new rule-id 9123456 that does exactly the same thing, but without logging anything (nolog).
#
# For rules defined in a single line, use the function: suppressLoggingForSinglelineRule below.
#
# For rules spanning over multiple lines (including chained-rules), use the function: suppressLoggingForMultilineRule below.
#
# The generated files are named z_logging_suppress*.conf so that a wildcard Include loads them AFTER the
# modsecurity_*.conf files they override: SecRuleRemoveById only removes rules that were defined before it.

# This script was developed and used for mod-security version: 2.1.9.

# Abort instead of writing the .conf files into the wrong directory if base_rules/ is not where we expect it.
cd ../base_rules/ || { echo "cannot cd to ../base_rules/" >&2; exit 1; }

: > z_logging_suppress.TMP
: > z_logging_suppress_multiline.TMP

function suppressLoggingForSinglelineRule(){
  local ruleId=$1
  echo "Processing suppressLoggingForSinglelineRule $ruleId"
  echo "SecRuleRemoveById $ruleId" >> z_logging_suppress.TMP
  # -h: no file-name prefix, so the matched line is a verbatim copy of the rule
  grep -h -- "$ruleId" modsecurity_*.conf >> z_logging_suppress.TMP
}

function suppressLoggingForMultilineRule(){
  local ruleId=$1
  local before=$2
  local after=$3
  echo "Processing suppressLoggingForMultilineRule $ruleId"
  echo "SecRuleRemoveById $ruleId" >> z_logging_suppress_multiline.TMP
  # If the id matches more than once, grep separates the context groups with a "--" line,
  # which Apache will reject at startup -- check the generated file if that warning appears.
  grep -h -B"$before" -A"$after" -- "$ruleId" modsecurity_*.conf >> z_logging_suppress_multiline.TMP
}

suppressLoggingForSinglelineRule 960032
suppressLoggingForSinglelineRule 960034
# ... here add your own annoying rule-ids from the log-files ...
# ...

suppressLoggingForMultilineRule 960010 0  2  # This means the rule spans 0 lines BEFORE the rule-id, and 2 lines AFTER, in the modsecurity_*.conf file, etc.
suppressLoggingForMultilineRule 960011 3 16  #
# ... here add your own annoying rule-ids from the log-files ...
# ...

# If the rule contains: ,block,
#   change it to: ,block,nolog,    (this is true for most rules)
# If the rule contains: ,log,
#   change it to ,nolog,           (a few rules)
# BUT BEWARE -- there are a few rules in the modsecurity_* scripts that contain neither -- this won't work for those.

function addNolog(){
  sed -e 's/,block,/,block,nolog,/' -e 's/ block,/ block,nolog,/' -e 's/,log,/,nolog,/' "$1" > "$2"
}
addNolog z_logging_suppress.TMP           z_logging_suppress.TMP2
addNolog z_logging_suppress_multiline.TMP z_logging_suppress_multiline.TMP2

# Give the copy a new id by prefixing the original id with 9, whichever way the id is written: ,id:'...'  "id:'...'  or  id:'...'
function renumberIds(){
  sed -e "s/,id:'/,id:'9/" -e "s/\"id:'/\"id:'9/" -e "s/ id:'/ id:'9/" "$1" > "$2"
}
renumberIds z_logging_suppress.TMP2           z_logging_suppress.conf
renumberIds z_logging_suppress_multiline.TMP2 z_logging_suppress_multiline.conf

# Every copied SecRule line should now carry a nolog; a rule that contained neither ,block, nor ,log, will not.
function sanityCheck(){
  local rules nologs
  rules=$(grep -c '^SecRule ' "$1")
  nologs=$(grep -c ',nolog,' "$1")
  echo "SANITY CHECK $1 -- The following counts should give identical numbers: $rules SecRule lines, $nologs with nolog"
  if [ "$rules" != "$nologs" ]; then
    echo '   *** WARNING -- Sanity check FAILED ***'
  fi
}
sanityCheck z_logging_suppress.conf
sanityCheck z_logging_suppress_multiline.conf

# You may comment-out the following line while debugging/maintaining this script,
# so you can diff what the final sed-commands do.
# Activate it when you are done, to remove the *.TMP* files:
# rm *.TMP *.TMP2
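As an added example (not part of either answer above, and not ModSecurity or CRS project code), the same override technique the script uses, SecRuleRemoveById followed by a nolog copy of the rule under a 9-prefixed id, written with a small parser for backslash-continued and chained rules, so the BEFORE/AFTER line counts no longer have to be counted by hand and rules that contain neither ",block," nor ",log," are handled as well (any explicit log token is dropped and nolog is appended to every rule of the group, including chain children). The rule text below is a constructed sample in the style of the CRS 2.x modsecurity_crs_*.conf files, not the real rule set; the ids, messages and the "9" prefix are assumptions, and the generated file must still be loaded after the original rule files, exactly as with the z_ naming above.

```python
"""Generate nolog clones of noisy ModSecurity 2 / CRS 2.x rules (added example, not project code)."""
import re
from typing import List, Set, Tuple

# Constructed sample in the CRS 2.x style; NOT the real CRS text, ids and messages are placeholders.
SAMPLE_CONF = r'''# constructed sample rule set
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST|OPTIONS)$" \
    "phase:1,t:none,block,msg:'Method is not allowed by policy, rejected',id:'960032',severity:'2',setvar:'tx.anomaly_score=+%{tx.notice_anomaly_score}'"

SecRule REQUEST_HEADERS:Content-Type "^text/xml" \
    "chain,phase:1,t:none,block,msg:'constructed chain starter',id:'960010',setvar:'tx.anomaly_score=+%{tx.notice_anomaly_score}'"
	SecRule REQBODY_PROCESSOR "!^XML$" "t:none,setvar:'tx.msg=%{rule.msg}'"

SecRule ARGS "@pm foo" "phase:2,id:'960034',log,pass"
SecAction "phase:1,id:'900999',nolog,pass,setvar:tx.constructed=1"
'''

# A SecRule/SecAction is everything up to its final quoted argument (the action list) plus that list.
DIRECTIVE_RE = re.compile(r'^(?P<head>Sec(?:Rule|Action)\s.*?)"(?P<actions>(?:[^"\\]|\\.)*)"\s*$')
ID_RE = re.compile(r"^id:(?P<q>'?)(?P<num>\d+)(?P=q)$")


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued physical lines into one logical directive each."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.rstrip())
    return out


def split_actions(actions: str) -> List[str]:
    """Split an action list on commas, ignoring commas inside single-quoted values such as msg:'a, b'."""
    tokens, cur, in_quote, prev = [], "", False, ""
    for ch in actions:
        if ch == "'" and prev != "\\":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            tokens.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur.strip():
        tokens.append(cur.strip())
    return tokens


def rule_id(tokens: List[str]) -> str:
    """Return the numeric id carried in an action list, or '' for chain children without one."""
    for t in tokens:
        m = ID_RE.match(t)
        if m:
            return m.group("num")
    return ""


def parse_rules(text: str) -> List[List[Tuple[str, List[str]]]]:
    """Group rules into chains: each group is [(head, tokens), ...], chain children after the starter."""
    groups, current = [], []
    for line in logical_lines(text):
        if not re.match(r"Sec(?:Rule|Action)\s", line):
            continue  # comments, blank lines and other directives
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError("cannot find the action list in: " + line)
        tokens = split_actions(m.group("actions"))
        current.append((m.group("head"), tokens))
        if "chain" not in tokens:  # a rule without 'chain' ends the chain (or is a lone rule)
            groups.append(current)
            current = []
    if current:
        raise ValueError("rule file ends inside a chain")
    return groups


def suppress_logging(conf_text: str, noisy_ids, prefix: str = "9") -> Tuple[str, Set[str]]:
    """Emit SecRuleRemoveById plus a nolog clone (new id = prefix + old id) for every noisy rule.

    Returns the generated conf text and the set of requested ids that were not found.
    """
    wanted = {str(i) for i in noisy_ids}
    found: Set[str] = set()
    out = ["# generated: logging disabled for noisy rules; must load after the original rule files"]
    for group in parse_rules(conf_text):
        rid = rule_id(group[0][1])
        if rid not in wanted:
            continue
        found.add(rid)
        out.append(f"SecRuleRemoveById {rid}")  # removing the starter removes its chained rules too
        for depth, (head, tokens) in enumerate(group):
            new_tokens = []
            for t in tokens:
                if t in ("log", "nolog"):
                    continue  # drop explicit log/nolog so the appended nolog is the only one
                m = ID_RE.match(t)
                if m:  # assumption: prefix + old id is not already used by another rule
                    t = f"id:{m.group('q')}{prefix}{m.group('num')}{m.group('q')}"
                new_tokens.append(t)
            new_tokens.append("nolog")  # in ModSecurity 2, nolog also implies noauditlog
            out.append(("\t" if depth else "") + head + '"' + ",".join(new_tokens) + '"')
    return "\n".join(out) + "\n", wanted - found


def sanity_counts(conf_text: str) -> Tuple[int, int]:
    """Same check as the shell script: number of rule lines vs. number ending in nolog."""
    rules = [l.strip() for l in conf_text.splitlines() if re.match(r"\s*Sec(?:Rule|Action)\s", l)]
    return len(rules), sum(1 for l in rules if l.endswith(',nolog"'))


if __name__ == "__main__":
    generated, missing = suppress_logging(SAMPLE_CONF, ["960032", "960010", "960034", "123456"])
    print(generated)
    print("not found:", sorted(missing), "counts:", sanity_counts(generated))
```

Run it against a copy of your base_rules/*.conf by replacing SAMPLE_CONF with the file contents; ids that do not exist in the files come back in the second return value instead of silently producing nothing, and the two numbers from sanity_counts are equal even for chained rules because nolog is appended to every member of the chain.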
