Re: [mod-security-users] Problem with message in EventLog
From: Christian F. <chr...@ne...> - 2019-04-16 05:02:11
Hello Claude,
Good one. If you are satisfied with the info as a tag, then this is a nice
solution. I thought you _needed_ it in the "hostname" field.
Cheers,
Christian
On Sun, Apr 14, 2019 at 06:44:43PM +0000, Claude Cocault wrote:
> Hi Christian
>
> Yes we can
>
> In crs-setup.conf I change
> SecDefaultAction "phase:1,log,auditlog,pass"
> SecDefaultAction "phase:2,log,auditlog,pass"
> to
> SecDefaultAction "phase:1,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
> SecDefaultAction "phase:2,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
> And I obtain:
> [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "VirtualHost: test-xss.gi3f.fr"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18230571293743251474"]
>
> where I get [tag "VirtualHost: test-xss.gi3f.fr"] in the log message
>
> Thanks
>
> Best regards
>
> ________________________________
> From: Ervin Hegedüs <ai...@gm...>
> Sent: Sunday, April 14, 2019 12:26
> To: mod...@li...
> Subject: Re: [mod-security-users] Problem with message in EventLog
>
> Hi Claude,
>
> On Sun, Apr 14, 2019 at 09:01:27AM +0000, Claude Cocault wrote:
> > Hi Christian,
> >
> > Thank you for your answer.
> > Maybe a future evolution ?
>
> In V3 (aka libmodsecurity3) it is possible to log the custom
> fields, but it depends on the application developer - so in
> simplifying at all, also needs to code :).
>
>
>
> a.
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
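
For anyone consuming these EventLog messages downstream, here is an added example (not code from the thread or from the ModSecurity project) that pulls the `VirtualHost:` tag out of a log line like the one Claude posted. The tag is filled from the Host request header, which the client chooses, so the sketch trusts it only when it is well-formed and names a configured site; `KNOWN_HOSTS`, the function names and the second log line are assumptions made for illustration.

```python
import re

# One [key "value"] field of a ModSecurity log message; backslash-escaped
# characters inside the value (for example \") do not end the field.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Conservative shape of a Host header value: host name plus optional port.
HOST_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9.-]{0,252}(?::\d{1,5})?')
TAG_PREFIX = "VirtualHost: "

# Log line from the thread (trimmed), then a constructed line whose Host
# header named a site that is not configured on the server.
SAMPLE = (r'[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). '
          r'[file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/'
          r'REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] '
          r'[tag "VirtualHost: test-xss.gi3f.fr"] [tag "application-multi"] '
          r'[hostname "TEST-WEB"] [uri "/verif.php"]')
UNKNOWN = r'[id "949110"] [tag "VirtualHost: unknown.example"] [hostname "TEST-WEB"]'
KNOWN_HOSTS = {"test-xss.gi3f.fr"}  # assumption: the sites configured on the server


def parse_fields(line):
    """Return {key: [values]} for every [key "value"] field in the line."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(value)  # "tag" repeats, keep all
    return fields


def virtual_host(line, known_hosts):
    """Return (host, trusted); host is None when no VirtualHost tag exists."""
    for tag in parse_fields(line).get("tag", []):
        if tag.startswith(TAG_PREFIX):
            host = tag[len(TAG_PREFIX):]
            name = host.rsplit(":", 1)[0].lower()  # drop an optional :port
            trusted = bool(HOST_RE.fullmatch(host)) and name in known_hosts
            return host, trusted
    return None, False


if __name__ == "__main__":
    for entry in (SAMPLE, UNKNOWN):
        print(parse_fields(entry)["id"], virtual_host(entry, KNOWN_HOSTS))
```

Unlike the `[hostname "TEST-WEB"]` field, which the server fills in, an untrusted `VirtualHost:` value is best kept as raw evidence and not used to route or group alerts.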