
How to configure ModSecurity logs?

I think it's too much detail. I installed it on Windows 7 and am using the Apache server.

https://i.stack.imgur.com/F55Yp.jpg

https://i.stack.imgur.com/V09JL.jpg

https://i.stack.imgur.com/Lg7pd.jpg

https://i.stack.imgur.com/YHjKH.jpg

https://i.stack.imgur.com/rF9dw.jpg

CRS developer here. It's true that the logs by default contain a lot of information. Maybe you can be helped by using JSON as a log format. You can do this by adding:

SecAuditLogFormat JSON

to your mod_security.conf file. (Note: I have no Windows experience so I don't know the exact name and location of the config file).

Then, the log will contain one JSON object per line for every logged event. You can use the jq utility to pretty-print the JSON or to select only the interesting parts.

For instance, if you want to see only the matched rule messages, you can use jq like this:

curl 'https://sandbox.coreruleset.org/?test=posix_uname(123)' | jq .audit_data.messages

[
  "Warning. Matched phrase \"posix_uname\" at ARGS:test. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf\"] [line \"294\"] [id \"933150\"] [msg \"PHP Injection Attack: High-Risk PHP Function Name Found\"] [data \"Matched Data: posix_uname found within ARGS:test: posix_uname(123)\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.2\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-php\"] [tag \"platform-multi\"] [tag \"attack-injection-php\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/242\"]",
  "Warning. Operator GE matched 5 at TX:anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"93\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.2\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"]",
  "Unconditional match in SecAction. [file \"/etc/modsecurity.d/crs-demo-setvar.conf\"] [line \"11\"] [id \"100000\"] [tag \"modsecurity\"]",
  "Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"91\"] [id \"980130\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0\"] [ver \"OWASP_CRS/3.3.2\"] [tag \"modsecurity\"] [tag \"event-correlation\"]"
]
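The jq one-liner above picks one field out of each event. If you want the same reduction done for a whole audit log file (one JSON object per line) without jq, the script below does it in Python. It is an added example, not part of the answer above and not code from the CRS or ModSecurity projects. It assumes the JSON audit-log layout the answer's output shows (a top-level "transaction" object and "audit_data.messages" as a list of strings) and parses the bracketed `[key "value"]` pairs that ModSecurity appends to every message; the two log lines embedded in it are constructed sample data, not output from a real server.

```python
import json
import re
from collections import Counter

# Constructed sample: two ModSecurity JSON audit-log events (SecAuditLogFormat JSON),
# one object per line, trimmed to the fields this example uses. The message strings
# follow the "[file ...] [line ...] [id ...] [msg ...]" format shown in the answer.
SAMPLE_AUDIT_LOG = (
    '{"transaction": {"time": "01/Jan/2024:12:00:00 +0000", "transaction_id": "demo-tx-1", '
    '"remote_address": "192.0.2.10", "request_line": "GET /?test=posix_uname(123) HTTP/1.1"}, '
    '"audit_data": {"messages": ['
    '"Warning. Matched phrase \\"posix_uname\\" at ARGS:test. [file \\"/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf\\"] [line \\"294\\"] [id \\"933150\\"] [msg \\"PHP Injection Attack: High-Risk PHP Function Name Found\\"] [severity \\"CRITICAL\\"] [tag \\"paranoia-level/1\\"]", '
    '"Warning. Operator GE matched 5 at TX:anomaly_score. [file \\"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\\"] [line \\"93\\"] [id \\"949110\\"] [msg \\"Inbound Anomaly Score Exceeded (Total Score: 5)\\"] [severity \\"CRITICAL\\"]", '
    '"Unconditional match in SecAction. [file \\"/etc/modsecurity.d/crs-demo-setvar.conf\\"] [line \\"11\\"] [id \\"100000\\"] [tag \\"modsecurity\\"]"'
    ']}}\n'
    '{"transaction": {"time": "01/Jan/2024:12:00:05 +0000", "transaction_id": "demo-tx-2", '
    '"remote_address": "192.0.2.11", "request_line": "GET /?test=posix_uname(456) HTTP/1.1"}, '
    '"audit_data": {"messages": ['
    '"Warning. Matched phrase \\"posix_uname\\" at ARGS:test. [file \\"/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf\\"] [line \\"294\\"] [id \\"933150\\"] [msg \\"PHP Injection Attack: High-Risk PHP Function Name Found\\"] [severity \\"CRITICAL\\"]"'
    ']}}\n'
)

# One '[key "value"]' pair as ModSecurity appends them to a message. A value may
# contain an escaped quote, so the inner group accepts backslash-escaped characters.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_message(message):
    """Split one audit message into its free text and a dict of bracketed fields.

    'tag' may repeat, so it is collected into a list; every other key is single-valued.
    """
    fields = {}
    for key, value in FIELD_RE.findall(message):
        if key == "tag":
            fields.setdefault("tag", []).append(value)
        else:
            fields[key] = value
    text = message[:message.find(" [")] if " [" in message else message
    return text, fields


def summarize_line(line):
    """Reduce one JSON audit event to who, what request, and which rules matched."""
    event = json.loads(line)
    tx = event.get("transaction", {})
    matches = []
    for message in event.get("audit_data", {}).get("messages", []):
        _, fields = parse_message(message)
        if "id" not in fields:  # free-text notices without a rule id are skipped
            continue
        matches.append({
            "id": fields["id"],
            "msg": fields.get("msg", ""),
            "severity": fields.get("severity", ""),
            "file": fields.get("file", ""),
        })
    return {
        "transaction_id": tx.get("transaction_id"),
        "remote_address": tx.get("remote_address"),
        "request_line": tx.get("request_line"),
        "matches": matches,
    }


def summarize_log(text):
    """Parse every non-empty line of a JSON audit log (one object per line)."""
    return [summarize_line(line) for line in text.splitlines() if line.strip()]


def rule_hit_counts(summaries):
    """Count how often each rule id fired across all events; useful for spotting
    a rule that matches legitimate traffic and needs a tuning exclusion."""
    return Counter(m["id"] for s in summaries for m in s["matches"])


if __name__ == "__main__":
    # Replace SAMPLE_AUDIT_LOG with open("modsec_audit.log").read() on a real install.
    summaries = summarize_log(SAMPLE_AUDIT_LOG)
    print(json.dumps(summaries, indent=2))
    print(dict(rule_hit_counts(summaries)))
```

Point the `__main__` block at your actual audit log path and you get, per request, the client address, the request line and the list of rule ids with their messages, which is usually the part you want to read; the hit counter across many events shows which rules fire most and so which ones to look at first when tuning.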
