Re: [mod-security-users] Use of Modsec variable in apache access log
From: homesh j. <ho...@gm...> - 2022-03-24 11:32:41
Dear Christian,

Thanks. I think this will work for me. However, can you please explain a bit more how this works? From your tutorial, if I set up the following rule

# === ModSec performance calculations and variable export (ids: 90100 - 90199)
SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1"

then for every access I see "1" in the access log. I think I will need to understand it more in order to use it. Kindly explain
1) the configuration required for setenv by modifying each rule
2) the configuration required for the more complicated scheme which you are referring to

Thanks,
Homesh

On Thu, Mar 24, 2022 at 11:52 AM Christian Folini <chr...@ne...> wrote:

> Hi there,
>
> On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> > Thanks for the clarification.
> > I have already gone through excellent netnea.com tutorials. I have already
> > used some of the configuration from tutorial. I do not use crs.
>
> Thank you very much.
>
> > My objective here is that I want to get a flag in access log line if modsec
> > has taken any action on the transaction say simply it can be a field like
> > modsec=1 or modsec=0. This will help me in separating transactions which are
> > allowed.(modsec=0) So then it is easy to show these transactions in the
> > reporting system.
>
> I'd do a setenv then in the rules.
>
> ... "setenv:modsec=1"
>
> Similar to the way I set the various env variables in phase 5. You can simply
> add this to every rule you have. Or you set up a more complicated scheme
> and do it in the end in phase 5.
>
> Best,
>
> Christian
>
> > Kindly suggest.
> >
> > Thanks,
> > Homesh
> >
> > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <chr...@ne...> wrote:
> >
> > > Hello Homesh,
> > >
> > > Unfortunately, this is not how this works.
> > >
> > > A ModSecurity variable is not automatically an environment variable.
> > > And on top, the ModSec variable "rule" is only available during the
> > > execution of the very rule (and there might be many, many rules).
> > >
> > > I suggest you read up on my free tutorials published at netnea.com.
> > > The one on logging and the ones on the Core Rule Set are proposing
> > > ways to achieve something along these lines.
> > >
> > > Best,
> > >
> > > Christian
> > >
> > > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
> > > > Hi All,
> > > >
> > > > Hope you all are well.
> > > >
> > > > I want to add the modsecurity variable e.g. "rule.id" in the apache access
> > > > log via the extended format.
> > > > I set the following line in /etc/apache2/apache.conf
> > > >
> > > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
> > > >
> > > > However I am not getting the rule.id value in the access log line.
> > > >
> > > > Kindly suggest.
> > > >
> > > > Thanks,
> > > > Homesh
> > > >
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > http://www.modsecurity.org/projects/commercial/support/
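
The phase 5 scheme discussed in this thread, written out as an added example (it is not from either poster or from the netnea tutorials). The rule ids 10002 and 90101, the flag name tx.modsec_hit and the match pattern are assumptions made for illustration; id 90100 is reused from the message above with a default of 0 instead of the unconditional 1.

```apache
# Constructed sample rule: any rule that acts on the transaction raises a
# transaction-scoped flag. TX variables live only for the current request.
# Per-rule variant from the thread: put setenv:modsec=1 on the rule itself
# instead of the setvar, and do not use the two phase 5 rules below.
SecRule ARGS "@contains constructed-test-value" \
    "id:10002,phase:2,deny,status:403,log,\
    msg:'Constructed sample rule',\
    setvar:tx.modsec_hit=1"

# === ModSec variable export (ids: 90100 - 90199)
# An unconditional SecAction runs for every request, which is why
# setenv:modsec=1 here puts "1" on every access log line. Use it only to
# set the default value.
SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=0"

# Overwrite the default only when some rule raised the flag. If no rule
# set tx.modsec_hit, the target does not exist and this rule never matches.
SecRule TX:modsec_hit "@eq 1" \
    "id:90101,phase:5,pass,nolog,setenv:modsec=1"

# %{modsec}e reads the Apache environment variable exported above.
# An environment variable that was never set is logged as "-".
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e modsec=%{modsec}e" extended
```

Rules with action nolog or pass can raise the same flag, so the field reflects every rule you decide counts as "modsec has taken action", not only blocking ones.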