Re: [mod-security-users] Use of Modsec variable in apache access log
From: Christian F. <chr...@ne...> - 2022-03-25 10:34:13
Thanks for the updates. I do not immediately see why it's not working
completely. But glad you have a working solution.
Best,
Christian
On Fri, Mar 25, 2022 at 01:59:38PM +0530, homesh joshi wrote:
> Dear Christian,
>
> I added setvar:tx.rule=1 in each rule and then added the following rule,
> post which I am able to get 1 written in access logs (via the %{waf}) for
> the transactions which got blocked by Modsec. For other transactions it is
> missing and hence getting - in the logs. I was not able to directly set the
> WAF=1 in the rules via setenv:waf=1
>
> SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,id:'9001'"
>
> Will test this and update in case I face any challenge.
>
> Thanks,
> Homesh
>
>
> On Thu, Mar 24, 2022 at 6:35 PM Christian Folini <chr...@ne...> wrote:
>
> > I suggest you add this to every rule that detects / blocks something.
> > Thus not a SecAction, but attach the setenv to your existing SecRules
> > where you want to see the flag.
> >
> > Alternatively, you can do a SecRule in phase 5 where you test the
> > HTTP status and if it's 403, then you set the env.
> >
> > Good luck!
> >
> > Christian
> >
> > On Thu, Mar 24, 2022 at 05:02:20PM +0530, homesh joshi wrote:
> > > Dear Christian,
> > >
> > > Thanks. I think this will work for me. However, can you please explain
> > > it a bit more on how this works.
> > > From your tutorial, if I set up the following rule
> > >
> > > # === ModSec performance calculations and variable export (ids: 90100 - 90199)
> > >
> > > SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1"
> > >
> > > then for every access I see "1" in the access log.
> > >
> > > I think I will need to understand it more in order to use it.
> > >
> > > Kindly explain
> > > 1) the configuration required for setenv by modifying each rule
> > >
> > > 2) the configuration required for more complicated scheme which you
> > > are referring to
> > >
> > > Thanks,
> > >
> > > Homesh
> > >
> > >
> > > On Thu, Mar 24, 2022 at 11:52 AM Christian Folini <chr...@ne...> wrote:
> > >
> > > > Hi there,
> > > >
> > > > On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> > > > > Thanks for the clarification.
> > > > > I have already gone through the excellent netnea.com tutorials. I have
> > > > > already used some of the configuration from the tutorial. I do not use CRS.
> > > >
> > > > Thank you very much.
> > > >
> > > > > My objective here is that I want to get a flag in the access log line if
> > > > > modsec has taken any action on the transaction, say simply it can be a
> > > > > field like modsec=1 or modsec=0. This will help me in separating
> > > > > transactions which are allowed (modsec=0). So then it is easy to show
> > > > > these transactions in the reporting system.
> > > >
> > > > I'd do a setenv then in the rules.
> > > >
> > > > ... "setenv:modsec=1"
> > > >
> > > > Similar to the way I set the various env variables in phase 5. You can
> > > > simply add this to every rule you have. Or you set up a more complicated
> > > > scheme and do it in the end in phase 5.
> > > >
> > > > Best,
> > > >
> > > > Christian
> > > >
> > > > >
> > > > > Kindly suggest.
> > > > >
> > > > > Thanks,
> > > > > Homesh
> > > > >
> > > > > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <
> > > > > chr...@ne...> wrote:
> > > > >
> > > > > > Hello Homesh,
> > > > > >
> > > > > > Unfortunately, this is not how this works.
> > > > > >
> > > > > > A ModSecurity variable is not automatically an environment variable.
> > > > > > And on top, the ModSec variable "rule" is only available during the
> > > > > > execution of the very rule (and there might be many, many rules).
> > > > > >
> > > > > > I suggest you read up on my free tutorials published at netnea.com.
> > > > > > The one on logging and the ones on the Core Rule Set are proposing
> > > > > > ways to achieve something along these lines.
> > > > > >
> > > > > > Best,
> > > > > >
> > > > > > Christian
> > > > > >
> > > > > >
> > > > > > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
> > > > > > > Hi All,
> > > > > > >
> > > > > > > Hope you all are well.
> > > > > > >
> > > > > > > I want to add the ModSecurity variable, e.g. "rule.id", in the
> > > > > > > Apache access log via the extended format.
> > > > > > > I set the following line in /etc/apache2/apache.conf
> > > > > > >
> > > > > > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
> > > > > > >
> > > > > > > However I am not getting the rule.id value in the access log line.
> > > > > > >
> > > > > > > Kindly suggest.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Homesh
> > > > > >
> > > > > >
> > > > > > > _______________________________________________
> > > > > > > mod-security-users mailing list
> > > > > > > mod...@li...
> > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > > > Commercial ModSecurity Rules and Support from Trustwave's
> > SpiderLabs:
> > > > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > > > http://www.modsecurity.org/projects/commercial/support/
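The thread ends with a working setup: every detecting rule does setvar:tx.rule=1, a phase 5 rule exports setenv:waf=1 when that transaction variable is set, and Apache writes the env var into the access log with %{waf}e, logging "-" when it was never set. What the reporting side then has to do is split those log lines on that field. The following parser is an added example, not code from the thread, from netnea or from the ModSecurity project; it assumes the LogFormat quoted in the thread with %{rule.id}e replaced by %{waf}e, and its sample lines, UNIQUE_IDs and function names are constructed for illustration. It also applies Christian's other suggestion (a 403 status as the blocking signal) as a cross-check, reporting lines where the status and the flag disagree, which is the kind of line behind the "not working completely" remark.

```python
r"""Split Apache access log lines on a ModSecurity flag exported via setenv.

Added example, not from the mailing-list thread. Assumed LogFormat (the one
from the thread, last field changed to %{waf}e):

  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{waf}e" extended

When the phase 5 rule (SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,...")
did not fire, Apache logs "-" for the unset env var.
"""
import re
from typing import Optional

# One regex group per LogFormat directive, in order. Quoted fields may contain
# backslash-escaped quotes (Apache escapes them when logging), hence (?:[^"\\]|\\.)*.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)" '
    r'(?P<ms>\d+) (?P<port>\d+) (?P<vhost>\S+) (?P<unique_id>\S+) (?P<waf>\S+)$'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ms"] = int(entry["ms"])
    return entry


def waf_flagged(entry: dict) -> bool:
    """True only for a literal "1"; "-" is Apache's value for an unset env var."""
    return entry["waf"] == "1"


def flag_status_mismatch(entry: dict) -> bool:
    """Cross-check: a 403 without the flag, or the flag without a 403.

    A 403 can also come from Apache's own authorization, so status alone is a
    weaker signal than the env var; a mismatch is worth a look, not an error.
    """
    return (entry["status"] == 403) != waf_flagged(entry)


def summarize(lines) -> dict:
    """Count flagged / not flagged / unparsable lines and status-flag mismatches."""
    counts = {"flagged": 0, "not_flagged": 0, "unparsed": 0, "mismatch": 0}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        counts["flagged" if waf_flagged(entry) else "not_flagged"] += 1
        if flag_status_mismatch(entry):
            counts["mismatch"] += 1
    return counts


# Constructed sample lines (not from the thread); UNIQUE_IDs are made up.
SAMPLE_LINES = [
    # allowed request, env var never set -> "-"
    '203.0.113.5 - - [25/Mar/2022:10:34:13 +0000] "GET /index.html HTTP/1.1" 200 1043 '
    '"-" "Mozilla/5.0" 12 443 www.example.com YjxUvW8AAAEAAFqL3h0AAAAA -',
    # blocked by ModSecurity, phase 5 rule exported waf=1
    '203.0.113.7 - - [25/Mar/2022:10:34:20 +0000] "POST /login HTTP/1.1" 403 199 '
    '"-" "curl/7.68.0" 3 443 www.example.com YjxUw38AAAEAAFqL3h4AAAAA 1',
    # allowed request whose request line contains escaped quotes
    '203.0.113.9 - - [25/Mar/2022:10:34:25 +0000] "GET /search?q=\\"x\\" HTTP/1.1" 200 512 '
    '"https://www.example.com/" "Mozilla/5.0" 20 443 www.example.com YjxUwU8AAAEAAFqL3h8AAAAA -',
    # 403 without the flag: e.g. an Apache authz denial, or a rule missing setvar:tx.rule=1
    '198.51.100.4 - - [25/Mar/2022:10:35:01 +0000] "GET /private/ HTTP/1.1" 403 199 '
    '"-" "Mozilla/5.0" 2 443 www.example.com YjxUxk8AAAEAAFqL3iAAAAAA -',
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Feeding a real log through summarize() gives the allowed/blocked split the reporting system needs; a non-zero mismatch count points at either rules that block without setting tx.rule, or 403s that did not come from ModSecurity at all.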