Re: [mod-security-users] Use of Modsec variable in apache access log
From: Christian F. <chr...@ne...> - 2022-03-24 13:01:09
I suggest you add this to every rule that detects / blocks something. Thus
not a SecAction, but attach the setenv to your existing SecRules where you
want to see the flag.

Alternatively, you can do a SecRule in phase 5 where you test the HTTP status
and if it's 403, then you set the env.

Good luck!

Christian

On Thu, Mar 24, 2022 at 05:02:20PM +0530, homesh joshi wrote:
> Dear Christian,
>
> Thanks. I think this will work for me. However, can you please explain it a
> bit more on how this works.
> From your tutorial, if I set up the following rule
>
> # === ModSec performance calculations and variable export (ids: 90100 - 90199)
>
> SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1"
>
> then for every access I see "1" in the access log.
>
> I think I will need to understand it more in order to use it.
>
> Kindly explain
> 1) the configuration required for setenv by modifying each rule
>
> 2) the configuration required for the more complicated scheme which you
> are referring to
>
> Thanks,
>
> Homesh
>
> On Thu, Mar 24, 2022 at 11:52 AM Christian Folini <chr...@ne...> wrote:
>
> > Hi there,
> >
> > On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> > > Thanks for the clarification.
> > > I have already gone through the excellent netnea.com tutorials. I have
> > > already used some of the configuration from the tutorial. I do not use crs.
> >
> > Thank you very much.
> >
> > > My objective here is that I want to get a flag in the access log line if
> > > modsec has taken any action on the transaction, say simply it can be a
> > > field like modsec=1 or modsec=0. This will help me in separating
> > > transactions which are allowed (modsec=0). So then it is easy to show
> > > these transactions in the reporting system.
> >
> > I'd do a setenv then in the rules.
> >
> > ... "setenv:modsec=1"
> >
> > Similar to the way I set the various env variables in phase 5. You can
> > simply add this to every rule you have. Or you set up a more complicated
> > scheme and do it in the end in phase 5.
> >
> > Best,
> >
> > Christian
> >
> > > Kindly suggest.
> > >
> > > Thanks,
> > > Homesh
> > >
> > > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <chr...@ne...> wrote:
> > >
> > > > Hello Homesh,
> > > >
> > > > Unfortunately, this is not how this works.
> > > >
> > > > A ModSecurity variable is not automatically an environment variable.
> > > > And on top, the ModSec variable "rule" is only available during the
> > > > execution of the very rule (and there might be many, many rules).
> > > >
> > > > I suggest you read up on my free tutorials published at netnea.com.
> > > > The one on logging and the ones on the Core Rule Set are proposing
> > > > ways to achieve something along these lines.
> > > >
> > > > Best,
> > > >
> > > > Christian
> > > >
> > > > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
> > > > > Hi All,
> > > > >
> > > > > Hope you all are well.
> > > > >
> > > > > I want to add the modsecurity variable e.g. "rule.id" in the apache
> > > > > access log via the extended format.
> > > > > I set the following line in /etc/apache2/apache.conf
> > > > >
> > > > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
> > > > >
> > > > > However I am not getting the rule.id value in the access log line.
> > > > >
> > > > > Kindly suggest.
> > > > >
> > > > > Thanks,
> > > > > Homesh
> > > > >
> > > > > _______________________________________________
> > > > > mod-security-users mailing list
> > > > > mod...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > http://www.modsecurity.org/projects/commercial/support/
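
The two options from the reply at the top of this thread, written out as an added example; it is not part of the original messages and not taken from the netnea tutorials. The rule ids 100001-100003, the sample detection pattern, the format nickname `extended_modsec` and the log path are constructed for illustration.

```apache
# Added example. Rule ids, the sample pattern, the format nickname and
# the log path are constructed; adapt them to your own rule set.

# Default for every transaction, so the log field reads 0 instead of "-"
# when no rule fired (%{VAR}e prints "-" for an unset variable).
SecAction "id:100001,phase:1,pass,nolog,setenv:modsec=0"

# Option 1: attach setenv to each existing rule that detects or blocks.
# This rule is a constructed stand-in; in practice you append
# setenv:modsec=1 to the action list of your own SecRules.
SecRule ARGS "@contains <script" \
    "id:100002,phase:2,deny,status:403,log,\
    msg:'Constructed sample rule',\
    setenv:modsec=1"

# Option 2: a single rule in phase 5, keyed on the final HTTP status.
# Caveat: this also flags 403 responses that did not come from
# ModSecurity, for example an Apache "Require" denial.
SecRule RESPONSE_STATUS "@streq 403" \
    "id:100003,phase:5,pass,nolog,setenv:modsec=1"

# Export the environment variable in the access log. This is the
# LogFormat from the first message with %{rule.id}e replaced by the
# variable that setenv actually creates.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e modsec=%{modsec}e" extended_modsec
CustomLog logs/access.log extended_modsec
```

Use either option 1 or option 2; option 1 is the more precise of the two because the flag is set only by rules you chose, whereas option 2 infers ModSecurity involvement from the status code alone.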