[Mod-security-rules] Variable intercepted rule.id
From: Yago PB <yag...@gm...> - 2020-10-30 22:11:47
Hello,

We have many custom rules in our servers, mostly nolog, since we use the apache error_log to block IPs. We also add some rules to a DDBB using auditlog, with nolog,auditlog.

So, if we want to check if a request was intercepted by a nolog rule, we can only do this with SecDebugLogLevel 9 using ctl: and REQUEST_URI domain.com. But we would like to have a customlog with modsec logs to avoid using the debug log. It seems there isn't any variable to capture the last rule.id; we have %{matched_var} and %{matched_var_name} but not something like %{matched_rule_id}.

I tried with:

    SecDefaultAction "deny,nolog,phase:1,setvar:tx.varname=%{RULE.id},status:406"
    LogFormat ".... LASTRULE:%{TX.VARNAME}M" modsec

But even if it works, setvar is executed in every chain and maybe it is not the best way to accomplish this. I know I can use setvar:tx.varname=%{RULE.id} in the last chain rule to avoid it, but we update rules every week from multiple sources...

So...

- Is there any variable like %{matched_rule_id}?
- Will using setvar:tx.varname=%{RULE.id} in SecDefaultAction negatively impact performance?
- Is there any other way to accomplish what I'm trying to do?

Kind Regards.
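Added example, not part of the post: a small reader for the custom "modsec" access log described above, which pulls the LASTRULE:<id> field written from TX.VARNAME and counts intercepted requests per rule id and per client IP. Only the LASTRULE token comes from the post; the rest of the line layout (client IP, quoted request line, status) and the sample lines are constructed here, and the deny status 406 is assumed from the SecDefaultAction shown.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed shape of the custom "modsec" LogFormat:
# <client ip> "<request line>" <status> LASTRULE:<rule id>
# Apache writes "-" for LASTRULE when TX.VARNAME was never set (no rule ran setvar).
SAMPLE_LOG = """\
203.0.113.5 "GET /index.php?id=1%27 HTTP/1.1" 406 LASTRULE:942100
203.0.113.5 "GET /admin HTTP/1.1" 406 LASTRULE:100001
198.51.100.7 "GET / HTTP/1.1" 200 LASTRULE:-
203.0.113.9 "POST /login HTTP/1.1" 406 LASTRULE:100001
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) LASTRULE:(?P<rule>\S+)$'
)


def parse_line(line):
    """Parse one log line into a dict; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "-" means TX.VARNAME was empty, so no rule id was recorded for this request.
    rec["rule"] = None if rec["rule"] == "-" else rec["rule"]
    return rec


def intercepted(records, block_status=406):
    """Keep only requests answered with the deny status AND carrying a rule id.

    A rule id alone is not proof of a block: setvar in SecDefaultAction also fires
    on non-disruptive rules, so the status code is the real interception signal."""
    return [r for r in records if r["status"] == block_status and r["rule"]]


def summarize(log_text, block_status=406):
    """Count intercepted requests by rule id and by client IP."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    hits = intercepted(records, block_status)
    return {
        "by_rule": Counter(r["rule"] for r in hits),
        "by_ip": Counter(r["ip"] for r in hits),
    }


if __name__ == "__main__":
    for section, counts in summarize(SAMPLE_LOG).items():
        print(section, dict(counts))
```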