Re: [mod-security-users] Problem with message in EventLog
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Problem with message in EventLog
|
From: Christian F. <chr...@ne...> - 2019-04-13 18:42:07
|
Hi Claude, You can not customize it. It's hard coded. Regards, Christian On Sat, Apr 13, 2019 at 09:06:37AM +0000, Claude Cocault wrote: > Hello, > > > > I'm using Mod Security 2.9.3 with IIS 10. > > It works well but I can’t distinguish the impacted site in the message generated in the EventLog. > > > > Here an example: > > [client x.x.x.x] ModSecurity: Warning. detected XSS using libinjection. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: <script>alert(\x22Hello! I am an alert box!\x22);</script> found within ARGS:faille: <script>alert(\x22Hello! I am an alert box!\x22);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18158513699705323522"] > > > > The url is http://test-xss.localdomain > > > > I would rather see [hostname "test-xss.localdomain "] instead of [hostname "TEST-WEB"], where TEST-WEB is the name of the server hosting multiple sites. > > I can't find how to customize the EventLog message. > > > > Thanks > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
