Re: [Mod-security-developers] Finding triggered RuleIds
From: Jai H. <jai...@mu...> - 2019-03-21 20:38:44
Ervin,

The log callback function approach is what we used with ModSec 3.0.2 and it worked well. Unfortunately, that approach no longer works for ModSec 3.0.3 because not all rule triggers invoke the log callback. The reason for this was provided by Felipe:

> Sometimes logging is a consequence of a disruptive action; sometimes the
> logging is just a warning. On 3.0.2 the logging for disruptive (aka error
> on 2.x) was being generated as a warning as well. To avoid creating the
> same message twice, we have changed 3.0.3 to produce only warnings, and
> give access to error message along with the disruptive structure.

So, I'm trying to determine the recommended approach for acquiring the triggered ruleId(s) in ModSec 3.0.3.

Thanks,
Jai

On Thu, Mar 21, 2019 at 10:29 AM Ervin Hegedüs <ai...@gm...> wrote:

> Hi Jai,
>
> once upon a time I discussed this with @zimmerle, and he helped me with
> these links:
>
> https://github.com/SpiderLabs/ModSecurity/blob/1ecd9713061c3534626bf6a5f59d1c928c0c52bb/examples/reading_logs_via_rule_message/reading_logs_via_rule_message.h#L141-L142
>
> https://github.com/SpiderLabs/ModSecurity/blob/f77db2cc2eff4808ad59118f1a11baea8f849b04/headers/modsecurity/modsecurity.h#L242-L267
>
> https://github.com/SpiderLabs/ModSecurity/blob/ad28de4f14e47d3c6b479a1d043f2bd0b7a17706/headers/modsecurity/rule_message.h
>
> You can set up a log callback function, which will get a structure, and you
> don't need to parse the logfile.
>
> Try this and let me know what you got.
>
> a.
>
> On Thu, Mar 21, 2019 at 3:29 PM Jai Harpalani via mod-security-developers <
> mod...@li...> wrote:
>
>> We are integrating ModSecurity into our product as a library, and using
>> it to evaluate OWASP CRS rules.
>>
>> For anyone else doing this, can you explain how your calling code is
>> determining which ruleId(s) were triggered as a result of
>> calling processRequestHeaders(), processRequestBody(),
>> processResponseHeaders(), processResponseBody()?
>>
>> Curious how this is being done in ModSec 3.0.2 and if it is done
>> differently with version 3.0.3.
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
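
The split Felipe describes, as an added example that is not part of the original thread or of libmodsecurity: a per-transaction collector that takes rule ids for warnings from the log callback and the id of a disruptive rule from the log text of the intervention structure. The class and method names are hypothetical, the sample values are constructed, and it assumes the intervention text carries ModSecurity's usual `[id "..."]` tag.

```cpp
#include <cstddef>
#include <iostream>
#include <regex>
#include <set>
#include <string>

// Added example (hypothetical names, not libmodsecurity code): gathers the
// rule ids of one transaction from the two sources the thread describes.
class TriggeredRules {
 public:
    // Warnings: call from the log callback with the id of the rule message.
    void addWarning(long ruleId) { ids_.insert(ruleId); }

    // Disruptive action: call with the log text of the intervention structure.
    // Assumption: the text carries ModSecurity's usual [id "NNN"] tag.
    // Returns the number of id tags found; a null or tag-less text gives 0.
    std::size_t addDisruptiveLog(const char *log) {
        if (log == nullptr) return 0;
        static const std::regex tag(R"RX(\[id "(\d{1,9})"\])RX");
        const std::string text(log);
        std::size_t found = 0;
        for (std::sregex_iterator it(text.begin(), text.end(), tag), end;
             it != end; ++it, ++found) {
            ids_.insert(std::stol((*it)[1].str()));
        }
        return found;
    }

    const std::set<long> &ids() const { return ids_; }

 private:
    std::set<long> ids_;
};

int main() {
    // Constructed sample values, not output captured from a real run.
    TriggeredRules rules;
    rules.addWarning(920350);
    rules.addDisruptiveLog("ModSecurity: Access denied with code 403 "
                           "(phase 2). [file \"crs.conf\"] [line \"80\"] "
                           "[id \"949110\"] [msg \"constructed sample\"]");
    for (long id : rules.ids()) std::cout << id << "\n";
    return 0;
}
```

A return value of 0 from `addDisruptiveLog` on a transaction that was blocked means the assumed tag was absent, which is worth logging rather than treating as "no rule triggered".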