Re: [mod-security-users] Problem with message in EventLog
From: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - 2019-04-14 19:00:30
Hi Christian
Yes we can
In crs-setup.conf I changed
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
to
SecDefaultAction "phase:1,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
SecDefaultAction "phase:2,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
And I obtain:
[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "VirtualHost: test-xss.gi3f.fr"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18230571293743251474"]
where I get [tag "VirtualHost: test-xss.gi3f.fr"] in the log message
Thanks
Best regards
________________________________
From: Ervin Hegedüs <ai...@gm...>
Sent: Sunday, 14 April 2019 12:26
To: mod...@li...
Subject: Re: [mod-security-users] Problem with message in EventLog
Hi Claude,
On Sun, Apr 14, 2019 at 09:01:27AM +0000, XXXXXXXXXXXXXX wrote:
> Hi Christian,
>
> Thank you for your answer.
> Maybe a future evolution ?
In V3 (aka libmodsecurity3) it is possible to log the custom
fields, but it depends on the application developer - so, to
simplify, it also needs coding :).
a.
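Added example, not part of the original thread: a Python script that reads alert lines in the format shown in the first message, extracts the "VirtualHost: " tag set through SecDefaultAction, and counts alerts per virtual host. The sample lines and the bucket names <invalid-host> and <untagged> are constructed for illustration; because the Host header is client-supplied, the value is checked against a hostname pattern before it is used as a grouping key.

```python
import re
from collections import Counter

# ModSecurity v2 alert metadata is a run of [key "value"] fields.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The Host header is client-supplied: accept only hostname[:port] shapes.
# (Assumption: bracketed IPv6 literals are not expected and are rejected.)
HOST_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9.-]{0,252}(?::\d{1,5})?')
VHOST_PREFIX = "VirtualHost: "  # prefix used in the SecDefaultAction tag

def parse_alert(line):
    """Extract rule id, msg, uri, remaining tags and the virtual host."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(value)
    vhost, tags = None, []
    for tag in fields.get("tag", []):
        if vhost is None and tag.startswith(VHOST_PREFIX):
            host = tag[len(VHOST_PREFIX):]
            # Empty or malformed Host values share one fixed bucket name.
            vhost = host.lower() if HOST_RE.fullmatch(host) else "<invalid-host>"
        else:
            tags.append(tag)
    first = lambda key: fields.get(key, [None])[0]
    return {"id": first("id"), "msg": first("msg"), "uri": first("uri"),
            "tags": tags, "vhost": vhost}

def count_by_vhost(lines):
    """Count alerts per virtual host; lines without the tag are '<untagged>'."""
    return dict(Counter(parse_alert(l)["vhost"] or "<untagged>" for l in lines))

# Constructed sample lines, shortened from the format shown in the post.
SAMPLE = [
    r'[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [tag "VirtualHost: test-xss.gi3f.fr"] [tag "attack-generic"] [uri "/verif.php"]',
    r'[client x.x.x.x] ModSecurity: Warning. [id "949110"] [tag "VirtualHost: TEST-XSS.gi3f.fr"] [uri "/index.php"]',
    r'[client x.x.x.x] ModSecurity: Warning. [id "920280"] [tag "VirtualHost: shop.example.test"] [uri "/"]',
    r'[client x.x.x.x] ModSecurity: Warning. [id "920280"] [tag "VirtualHost: "] [uri "/"]',
    r'[client x.x.x.x] ModSecurity: Warning. [id "920350"] [tag "attack-protocol"] [uri "/"]',
]

if __name__ == "__main__":
    for host, n in sorted(count_by_vhost(SAMPLE).items()):
        print(f"{n:3d}  {host}")
```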