
Problem with message on EventLog

Anonymous
2019-04-13
2019-04-14
  • Anonymous

    Anonymous - 2019-04-13

    Hello,

    I'm using ModSecurity 2.9.3 with IIS 10.
    It works well, but I can't distinguish the impacted site in the message generated in the EventLog.

    Here is an example:
    [client x.x.x.x] ModSecurity: Warning. detected XSS using libinjection. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: <script>alert(\x22Hello! I am an alert box!\x22);</script> found within ARGS:faille: <script>alert(\x22Hello! I am an alert box!\x22);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18158513699705323522"]

    The URL is http://test-xss.localdomain

    I would rather see [hostname "test-xss.localdomain"] instead of [hostname "TEST-WEB"], where TEST-WEB is the name of the server hosting multiple sites.
    I can't find how to customize the EventLog message.

    Thanks

    • Chaim Sanders

      Chaim Sanders - 2019-04-13

      This can be done!
      You'd want to capture the value of REQUEST_HEADERS:Host and add it to one
      of the output areas
      https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#request_headers.

      I'd recommend something like "logdata:%{MY_HOST_HEADER}" (
      https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#logdata
      ).

      Now the real key here is that since you're using CRS, you'll want to change
      the action of all those rules to include this logdata. The recommended
      approach is to use SecRuleUpdateActionById (
      https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleUpdateActionById).
      However, I'm partial to using SecDefaultAction. Note: if you go with this latter
      approach you'll get a deprecation warning. In reality, this is only as
      deprecated as SecDefaultAction (see
      https://github.com/SpiderLabs/ModSecurity/issues/311).

      So your final work would look something like this:

      # Capture the Host header into a transaction variable; this runs in phase 2
      # (the default phase) and must come before the rules whose log entries use it.
      SecAction "nolog,id:1,setvar:tx.host=%{request_headers.host}"
      # Default action list inherited by every phase 2 rule that follows.
      SecDefaultAction "phase:2,logdata:%{tx.host},log,auditlog,pass"

      SecRule ARGS "@contains test" "id:100,msg:'hello world',deny,status:403"

      Also note: it should be possible to simplify this to just
      logdata:%{request_headers.host}, but this didn't work in my quick testing.

      Final note: the SecDefaultActions are set up in crs-setup.conf if you're
      using a modern version of CRS :). Happy hunting

      Problem with message on EventLog
      https://sourceforge.net/p/mod-security/discussion/1298050/thread/9b89ff18fe/?limit=25#60a0

      --

      Chaim Sanders
      http://www.ChaimSanders.com

  • Anonymous

    Anonymous - 2019-04-14

    Thanks Chaim.

    I had another answer saying that it was hard coded.
    I also asked my question in the ModSecurity issues.
    I'll try your solution, wait for the third answer too, and let you know where I am :D

    Have a nice day

    Regards

  • Anonymous

    Anonymous - 2019-04-14

    Great! It works fine.
    In crs-setup.conf I changed
    SecDefaultAction "phase:1,log,auditlog,pass"
    SecDefaultAction "phase:2,log,auditlog,pass"
    to
    SecDefaultAction "phase:1,logdata:%{request_headers.host},log,auditlog,pass"
    SecDefaultAction "phase:2,logdata:%{request_headers.host},log,auditlog,pass"
    and I obtain:
    [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data "test-xss.gi3f.fr"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "17798225729515683846"]

    where I get [data "test-xss.gi3f.fr"] in the log message.

    Another way:
    SecDefaultAction "phase:1,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
    SecDefaultAction "phase:2,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
    and I obtain now:
    [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "VirtualHost: test-xss.gi3f.fr"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18230571293743251474"]

    where I get [tag "VirtualHost: test-xss.gi3f.fr"] in the log message.

    Thanks Chaim

    • Chaim Sanders

      Chaim Sanders - 2019-04-14

      Glad you got it working :)


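The two working configurations in this thread behave differently once you start consuming the messages. logdata can appear only once per rule, so a CRS rule that sets its own (941100 in the first post, whose [data ...] holds "Matched Data: ...") keeps that text and the host only shows up on rules without one, such as 949110. Tags accumulate, which is why the VirtualHost tag sits next to the CRS tags in the last message. The Python below is an added example, not code from this thread or from the ModSecurity project: it parses the [key "value"] fields of a ModSecurity v2 error-log / Event Log message, recovers the virtual host from the VirtualHost tag first and from logdata second, and counts events per site. The three sample messages are constructed from the ones posted above, with placeholder client IPs and unique_id values; the "VirtualHost: " prefix is the one chosen in the final post.

```python
"""Added example: parse ModSecurity v2 error-log / Windows Event Log messages
and recover the virtual host added by the SecDefaultAction changes above."""
import re
from collections import Counter
from typing import Any, Dict, List, Optional

# Constructed sample messages modelled on the three posted in this thread.
# Client IPs and unique_id values are placeholders, not real captures.
SAMPLE_RULE_LOGDATA = (  # rule 941100: its own logdata wins, so no host in [data]
    '[client x.x.x.x] ModSecurity: Warning. detected XSS using libinjection. '
    '[file "C:\\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] '
    '[data "Matched Data: <script>alert(\\x22Hello!\\x22);</script> found within ARGS:faille: '
    '<script>alert(\\x22Hello!\\x22);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] '
    '[tag "application-multi"] [tag "attack-xss"] [hostname "TEST-WEB"] [uri "/verif.php"] '
    '[unique_id "18158513699705323522"]'
)
SAMPLE_DEFAULT_LOGDATA = (  # rule 949110 with logdata:%{request_headers.host} as default
    '[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). '
    'Operator GE matched 5 at TX:anomaly_score. '
    '[file "C:\\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] '
    '[data "test-xss.gi3f.fr"] [severity "CRITICAL"] [tag "application-multi"] '
    '[tag "attack-generic"] [hostname "TEST-WEB"] [uri "/verif.php"] '
    '[unique_id "17798225729515683846"]'
)
SAMPLE_DEFAULT_TAG = (  # rule 949110 with the tag:'VirtualHost: ...' default instead
    '[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). '
    'Operator GE matched 5 at TX:anomaly_score. '
    '[file "C:\\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] '
    '[severity "CRITICAL"] [tag "VirtualHost: test-xss.gi3f.fr"] [tag "application-multi"] '
    '[tag "attack-generic"] [hostname "TEST-WEB"] [uri "/verif.php"] '
    '[unique_id "18230571293743251474"]'
)

# One [key "value"] field; values keep ModSecurity's backslash escapes (\x22 etc.)
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'^\[client ([^\]]+)\]')
MESSAGE_RE = re.compile(r'ModSecurity: (.*?)\s*\[\w+ "')
# Something that looks like a Host header value (name, optional port) and nothing else
HOST_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$')
VHOST_TAG_PREFIX = "VirtualHost: "  # prefix chosen in the final post above (assumption)


def parse_modsec_message(line: str) -> Dict[str, Any]:
    """Split one message into its free-text part and its bracketed fields.

    Single-valued keys (id, msg, data, hostname, ...) become dict entries;
    the repeatable 'tag' key is collected into a list under 'tags'.
    """
    client = CLIENT_RE.match(line)
    message = MESSAGE_RE.search(line)
    tags: List[str] = []
    record: Dict[str, Any] = {
        "client": client.group(1) if client else None,
        "message": message.group(1) if message else None,
        "tags": tags,
    }
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)
        else:
            record[key] = value  # last occurrence wins for single-valued keys
    return record


def virtual_host(record: Dict[str, Any]) -> Optional[str]:
    """Site the event belongs to: the cumulative tag first, logdata second.

    Returns None when neither is present, e.g. for a rule whose own logdata
    replaced the default one, so the caller can fall back to [hostname].
    """
    for tag in record["tags"]:
        if tag.startswith(VHOST_TAG_PREFIX):
            return tag[len(VHOST_TAG_PREFIX):].strip().lower()
    data = record.get("data")
    if isinstance(data, str) and HOST_RE.match(data):
        return data.lower()
    return None


def events_per_host(lines: List[str]) -> Counter:
    """Count events per virtual host; unattributed ones are keyed by server name."""
    counts: Counter = Counter()
    for line in lines:
        record = parse_modsec_message(line)
        host = virtual_host(record) or f"unknown ({record.get('hostname')})"
        counts[host] += 1
    return counts


if __name__ == "__main__":
    samples = [SAMPLE_RULE_LOGDATA, SAMPLE_DEFAULT_LOGDATA, SAMPLE_DEFAULT_TAG]
    for host, count in events_per_host(samples).items():
        print(f"{host}: {count} event(s)")
```

The logdata fallback only exists for messages produced with the first configuration; if you control crs-setup.conf, the tag form is the one to keep, because it survives a rule setting its own logdata and the parser never has to guess whether [data ...] holds a host name or matched payload.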