Re: [Mod-security-developers] Finding triggered RuleIds
From: Felipe C. <FC...@tr...> - 2019-03-22 12:49:31
Hi Jai,

For the currently publicly supported connectors, the rule id together with the logging text is enough. There is no data structure except for a char pointer that points to the logging string [for the logging attached to the disruptive events]. It is my understanding that it may be useful for your application to have a specific field that holds the rule id (and maybe other information regarding the rule as well). Having that in mind, we can change the API to make it more useful to your application. Sorry for the inconvenience. Let's discuss the specific characteristics of your use case out-of-band, so we can make the API suit you better.

Br.,

Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Jai Harpalani via mod-security-developers <mod...@li...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Thursday, March 21, 2019 at 5:38 PM
To: "mod-security-d." <mod...@li...>
Cc: Jai Harpalani <jai...@mu...>
Subject: Re: [Mod-security-developers] Finding triggered RuleIds

Ervin,

The log callback function approach is what we used with ModSec 3.0.2 and it worked well. Unfortunately, that approach no longer works for ModSec 3.0.3 because not all rule triggers invoke the log callback. The reason for this was provided by Felipe:

    Sometimes logging is a consequence of a disruptive action; sometimes the logging is just a warning. On 3.0.2 the logging for disruptive (aka error on 2.x) was being generated as a warning as well. To avoid creating the same message twice, we have changed 3.0.3 to produce only warnings, and give access to the error message along with the disruptive structure.

So, I'm trying to determine the recommended approach for acquiring the triggered ruleId(s) in ModSec 3.0.3.

Thanks,
Jai

On Thu, Mar 21, 2019 at 10:29 AM Ervin Hegedüs <ai...@gm...> wrote:

Hi Jai,

I once discussed this with @zimmerle, and he helped me with these links:

https://github.com/SpiderLabs/ModSecurity/blob/1ecd9713061c3534626bf6a5f59d1c928c0c52bb/examples/reading_logs_via_rule_message/reading_logs_via_rule_message.h#L141-L142
https://github.com/SpiderLabs/ModSecurity/blob/f77db2cc2eff4808ad59118f1a11baea8f849b04/headers/modsecurity/modsecurity.h#L242-L267
https://github.com/SpiderLabs/ModSecurity/blob/ad28de4f14e47d3c6b479a1d043f2bd0b7a17706/headers/modsecurity/rule_message.h

You can set up a log callback function, which will get a structure, so you don't need to parse the logfile. Try this and let me know what you get.

a.

On Thu, Mar 21, 2019 at 3:29 PM Jai Harpalani via mod-security-developers <mod...@li...> wrote:

We are integrating ModSecurity into our product as a library, and using it to evaluate OWASP CRS rules.

For anyone else doing this, can you explain how your calling code is determining which ruleId(s) were triggered as a result of calling processRequestHeaders(), processRequestBody(), processResponseHeaders(), processResponseBody()? Curious how this is being done in ModSec 3.0.2 and if it is done differently with version 3.0.3.

_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs: https://www.trustwave.com/spiderLabs.php
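The two channels the thread describes, put together in one collector, as an added example that is not code from this thread or from the ModSecurity project: the log callback still fires for warnings in 3.0.3 and hands over a RuleMessage with the id as an integer, while a disruptive match only surfaces as the `log` char pointer in ModSecurityIntervention, so its id has to be pulled out of the `[id "..."]` tag in that text. The parser and collector below are self-contained; the wiring under `HAVE_LIBMODSECURITY` is my assumption of how the 3.0.3 headers (modsecurity.h, rules.h, rule_message.h, transaction.h, intervention.h) are used and is not compiled here. The sample intervention log line is constructed to look like a CRS XSS hit; its file path, line number and unique_id are made up.

```cpp
// Added example, not code from this thread or from the ModSecurity project.
#include <cctype>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Pull every [id "NNN"] tag out of a ModSecurity-style log line, in order of
// appearance. Non-numeric ids are skipped rather than guessed; an unterminated
// tag ends the scan.
std::vector<long> extractRuleIds(const std::string &log) {
    std::vector<long> ids;
    const std::string tag = "[id \"";
    std::string::size_type pos = 0;
    while ((pos = log.find(tag, pos)) != std::string::npos) {
        pos += tag.size();
        const std::string::size_type end = log.find('"', pos);
        if (end == std::string::npos) break;
        const std::string digits = log.substr(pos, end - pos);
        bool numeric = !digits.empty();
        for (char c : digits)
            numeric = numeric && std::isdigit(static_cast<unsigned char>(c));
        if (numeric) ids.push_back(std::stol(digits));
        pos = end + 1;
    }
    return ids;
}

// Accumulates rule ids for one transaction. A disruptive rule may be reported
// by both channels, so sets are used to make the overlap harmless.
class RuleIdCollector {
 public:
    // Fed from the log callback (RuleMessage::m_ruleId, m_isDisruptive).
    void onRuleMessage(long ruleId, bool disruptive) {
        triggered_.insert(ruleId);
        if (disruptive) disruptive_.insert(ruleId);
    }
    // Fed from ModSecurityIntervention::log after intervention() returns true.
    // The pointer may be null (an intervention without log text), so guard it.
    void onIntervention(const char *log) {
        if (log == nullptr) return;
        for (long id : extractRuleIds(log)) {
            triggered_.insert(id);
            disruptive_.insert(id);
        }
    }
    const std::set<long> &triggered() const { return triggered_; }
    const std::set<long> &disruptive() const { return disruptive_; }

 private:
    std::set<long> triggered_;
    std::set<long> disruptive_;
};

// Constructed sample of an intervention log for a CRS XSS rule (941100).
// File path, line number and unique_id are made up for this example.
const char *sampleInterventionLog() {
    return "ModSecurity: Access denied with code 403 (phase 2). Matched \"Operator "
           "`DetectXSS' with parameter `' against variable `ARGS:q' (Value: "
           "`<script>' ) [file \"/etc/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf\"] "
           "[line \"37\"] [id \"941100\"] [rev \"\"] [msg \"XSS Attack Detected via "
           "libinjection\"] [severity \"2\"] [ver \"OWASP_CRS/3.1.0\"] "
           "[tag \"application-multi\"] [hostname \"127.0.0.1\"] [uri \"/search\"] "
           "[unique_id \"000000000000000-0000000\"]";
}

#ifdef HAVE_LIBMODSECURITY
// Assumed wiring against the libmodsecurity 3.0.3 C++ API (not verified here).
#include <modsecurity/modsecurity.h>
#include <modsecurity/rules.h>
#include <modsecurity/rule_message.h>
#include <modsecurity/transaction.h>
#include <modsecurity/intervention.h>

static void ruleMessageCb(void *data, const void *msg) {
    auto *collector = static_cast<RuleIdCollector *>(data);
    auto *rm = static_cast<const modsecurity::RuleMessage *>(msg);
    collector->onRuleMessage(rm->m_ruleId, rm->m_isDisruptive);
}

// Evaluates one placeholder request; rulesUri is whatever the caller loads.
void collectForRequest(RuleIdCollector &collector, const char *rulesUri) {
    modsecurity::ModSecurity modsec;
    modsec.setServerLogCb(ruleMessageCb, modsecurity::RuleMessageLogProperty);
    modsecurity::Rules rules;
    rules.loadFromUri(rulesUri);
    modsecurity::Transaction tx(&modsec, &rules, &collector);  // callback data
    tx.processConnection("127.0.0.1", 40000, "127.0.0.1", 80);
    tx.processURI("/search?q=%3Cscript%3E", "GET", "1.1");
    tx.addRequestHeader("Host", "127.0.0.1");
    tx.processRequestHeaders();
    tx.processRequestBody();
    modsecurity::ModSecurityIntervention it;
    modsecurity::intervention::reset(&it);
    if (tx.intervention(&it)) collector.onIntervention(it.log);
    modsecurity::intervention::free(&it);
}
#endif

int main() {
    RuleIdCollector c;
    c.onRuleMessage(920350, false);   // a warning seen via the callback
    c.onIntervention(sampleInterventionLog());
    for (long id : c.triggered()) std::cout << id << '\n';
    return 0;
}
```

Keep the two channels separate in your own code as well: on 3.0.2 the callback also carried the disruptive message, so feeding both paths through the sets above keeps the count of triggered rules stable across the two releases.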