Re: [mod-security-users] Use of Modsec variable in apache access log
From: homesh j. <ho...@gm...> - 2022-03-24 05:11:40
Hi Azurit,

Thank you for your reply. In that case I will have to ensure all the rules which are currently using either 403 or 501 need to be changed to something say 408. Instead I just need to set the flag in the access log which I can use in the reporting to sort the allowed transactions. Ideally if there is any variable for modsec final action say blocked or allowed then nothing like it.

Thanks,
Homesh

On Thu, Mar 24, 2022 at 9:53 AM <az...@po...> wrote:

> Hi Homesh,
>
> if all you need is to distinguish between blocked/passed requests then
> what about using different HTTP code used by modsecurity for blocking?
> There are lots of HTTP codes which can fit. You can set it using
> SecDefaultAction.
>
> azurit
>
> Quoting homesh joshi <ho...@gm...>:
>
> > Dear Christian,
> >
> > Thanks for the clarification.
> > I have already gone through excellent netnea.com tutorials. I have already
> > used some of the configuration from tutorial. I do not use crs.
> > My objective here is that I want to get a flag in access log line if modsec
> > has taken any action on the transaction say simply it can be a field like
> > modsec=1 or modsec=0. This will help me in separating transactions which are
> > allowed. (modsec=0) So then it is easy to show these transactions in the
> > reporting system.
> >
> > Kindly suggest.
> >
> > Thanks,
> > Homesh
> >
> > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <chr...@ne...> wrote:
> >
> >> Hello Homesh,
> >>
> >> Unfortunately, this is not how this works.
> >>
> >> A ModSecurity variable is not automatically an environment variable.
> >> And on top, the ModSec variable "rule" is only available during the
> >> execution of the very rule (and there might be many, many rules).
> >>
> >> I suggest you read up on my free tutorials published at netnea.com.
> >> The one on logging and the ones on the Core Rule Set are proposing
> >> ways to achieve something along these lines.
> >>
> >> Best,
> >>
> >> Christian
> >>
> >> On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
> >> > Hi All,
> >> >
> >> > Hope you all are well.
> >> >
> >> > I want to add the modsecurity variable e.g. "rule.id" in the apache access
> >> > log via the extended format.
> >> > I set the following line in /etc/apache2/apache.conf
> >> >
> >> > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
> >> >
> >> > However I am not getting the rule.id value in the access log line.
> >> >
> >> > Kindly suggest.
> >> >
> >> > Thanks,
> >> > Homesh
> >> >
> >> > _______________________________________________
> >> > mod-security-users mailing list
> >> > mod...@li...
> >> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> >> > http://www.modsecurity.org/projects/commercial/rules/
> >> > http://www.modsecurity.org/projects/commercial/support/
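
Added example, not part of the thread or of any poster's configuration: one way to get the flag discussed above is the ModSecurity `setenv` action, which copies a value into an Apache environment variable that `%{...}e` in LogFormat can read. The rule id 10001, the matched pattern and the variable names `modsec` and `modsec_rule` are assumptions made for illustration.

```apache
# Constructed example; rule id, pattern and variable names are assumptions.
# %{rule.id} is expanded while this rule runs, so its value can be copied
# into an Apache environment variable with setenv at match time.
SecRule REQUEST_URI "@contains /etc/passwd" \
    "id:10001,phase:2,deny,status:403,log,msg:'Example blocking rule',\
    setenv:modsec=1,setenv:modsec_rule=%{rule.id}"

# Not logged: %{rule.id}e looks up an Apache environment variable named
# "rule.id", which nothing sets.
# LogFormat "... %{UNIQUE_ID}e %{rule.id}e" extended

# Logged: the two variables exported by setenv above.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e modsec=%{modsec}e rule=%{modsec_rule}e" extended
```

Requests that match no rule carrying `setenv` log `modsec=-`, since mod_log_config prints `-` for an unset variable; every rule that should raise the flag needs its own `setenv`.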