Re: [mod-security-users] Use of Modsec variable in apache access log
From: Christian F. <chr...@ne...> - 2023-06-21 09:29:41
Hey Homesh,

Evaluation does indeed stop after a drop and there is a chance your rules only set the variables in question in a later phase. Really depends on your configuration. You can follow rule execution with the ModSecurity debug log, but beware it is very verbose.

Generally, it is best to set variables for display in the access log only in phase 5, which is also executed for requests that have been denied in an earlier phase.

Best regards,

Christian

On Wed, Jun 21, 2023 at 01:14:04PM +0530, homesh joshi wrote:
> Hi All,
>
> With regards to my approach for logging the modsec variables in apache log
> has worked for me for almost a year now.
> However, today when I enabled "SecRuleEngine DetectionOnly" for one of my
> websites. What I notice is that the apache logs are missing the right
> variable data.
> e.g. I tested SQL injection and I was not able to see the relevant
> information in apache log which I typically get when "SecRuleEngine On"
>
> sample log for "SecRuleEngine DetectionOnly"
> 49.36.106.185 - - [21/Jun/2023:06:39:53 +0000] 200 23125 GET "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0" 3154 443 example.com ZJKbOUfg7dWT82qCkvNySAAAAEU TLSv1.3 TLS_AES_128_GCM_SHA256 0 4 L; "/" 15.24.15.205 39735 "" "" "" "/" 333762 "/?k=1%20or%201=1"
>
> here rule id log is 333762 which is not the signature for SQL injection
>
> So my conclusion is, in "SecRuleEngine On" rule evaluation stops when the
> first rule matches with the final action drop/block. Hence I am able to get
> the right rule ID and other variable data. But when "SecRuleEngine
> DetectionOnly" rule evaluation continues till the last rule and due to
> which my variable data gets changed as per the rules getting evaluated. Can
> I change this behaviour of modsecurity in DetectionOnly mode? that it should
> stop the evaluation when it matches the first rule with final action of
> drop/block ( and not block/drop the transaction) ?
>
> Please suggest.
>
> Thanks,
> Homesh
>
>
> On Fri, Mar 25, 2022 at 4:08 PM Christian Folini <chr...@ne...> wrote:
>
> > Thanks for the updates. I do not immediately see why it's not working
> > completely. But glad you have a working solution.
> >
> > Best,
> >
> > Christian
> >
> > On Fri, Mar 25, 2022 at 01:59:38PM +0530, homesh joshi wrote:
> > > Dear Christian,
> > >
> > > I added setvar:tx.rule=1 in each rule and then added the following rule,
> > > post which I am able to get 1 written in access logs ( via the %{waf} )
> > > for the transactions which got blocked by Modsec. for other transactions
> > > it is missing and hence getting - in the logs. I was not able to directly
> > > set the WAF=1 in the rules via setenv:waf=1
> > >
> > > SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,id:'9001'"
> > >
> > > Will test this any update in case I face any challenge.
> > >
> > > Thanks,
> > > Homesh
> > >
> > >
> > > On Thu, Mar 24, 2022 at 6:35 PM Christian Folini <chr...@ne...> wrote:
> > >
> > > > I suggest you add this to every rule that detects / blocks something.
> > > > Thus not a SecAction, but attach the setenv to your existing SecRules
> > > > where you want to see the flag.
> > > >
> > > > Alternatively, you can do a SecRule in phase 5 where you test the
> > > > HTTP status and if it's 403, then you set the env.
> > > >
> > > > Good luck!
> > > >
> > > > Christian
> > > >
> > > > On Thu, Mar 24, 2022 at 05:02:20PM +0530, homesh joshi wrote:
> > > > > Dear Christian,
> > > > >
> > > > > Thanks. I think this will work for me. However, can you please explain
> > > > > it a bit more on how this works.
> > > > > from your tutorial if I set up following rule
> > > > >
> > > > > # === ModSec performance calculations and variable export (ids: 90100 - 90199)
> > > > >
> > > > > SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1"
> > > > >
> > > > > then for every access I see "1" in the access log.
> > > > >
> > > > > I think I will need to understand it more in order to use it.
> > > > >
> > > > > Kindly explain
> > > > > 1) the configuration required for setenv by modifying each rule
> > > > >
> > > > > 2) the configuration required for more complicated scheme which you
> > > > > are referring to
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Homesh
> > > > >
> > > > >
> > > > > On Thu, Mar 24, 2022 at 11:52 AM Christian Folini <chr...@ne...> wrote:
> > > > >
> > > > > > Hi there,
> > > > > >
> > > > > > On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> > > > > > > Thanks for the clarification.
> > > > > > > I have already gone through excellent netnea.com tutorials. I have
> > > > > > > already used some of the configuration from tutorial. I do not use crs.
> > > > > >
> > > > > > Thank you very much.
> > > > > >
> > > > > > > My objective here is that I want to get a flag in access log line if
> > > > > > > modsec has taken any action on the transaction say simply it can be a
> > > > > > > field like modsec=1 or modsec=0. This will help me in separating
> > > > > > > transactions which are allowed.(modsec=0) So then it is easy to show
> > > > > > > these transactions in the reporting system.
> > > > > >
> > > > > > I'd do a setenv then in the rules.
> > > > > >
> > > > > > ... "setenv:modsec=1"
> > > > > >
> > > > > > Similar to the way I set the various env variables in phase 5. You can
> > > > > > simply add this to every rule you have. Or you set up a more complicated
> > > > > > scheme and do it in the end in phase 5.
> > > > > >
> > > > > > Best,
> > > > > >
> > > > > > Christian
> > > > > >
> > > > > > > Kindly suggest.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Homesh
> > > > > > >
> > > > > > > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <chr...@ne...> wrote:
> > > > > > >
> > > > > > > > Hello Homesh,
> > > > > > > >
> > > > > > > > Unfortunately, this is not how this works.
> > > > > > > >
> > > > > > > > A ModSecurity variable is not automatically an environment variable.
> > > > > > > > And on top, the ModSec variable "rule" is only available during the
> > > > > > > > execution of the very rule (and there might be many, many rules).
> > > > > > > >
> > > > > > > > I suggest you read up on my free tutorials published at netnea.com.
> > > > > > > > The one on logging and the ones on the Core Rule Set are proposing
> > > > > > > > ways to achieve something along these lines.
> > > > > > > >
> > > > > > > > Best,
> > > > > > > >
> > > > > > > > Christian
> > > > > > > >
> > > > > > > > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
> > > > > > > > > Hi All,
> > > > > > > > >
> > > > > > > > > Hope you all are well.
> > > > > > > > >
> > > > > > > > > I want to add the modsecurity variable e.g. "rule.id" in the apache
> > > > > > > > > access log via the extended format.
> > > > > > > > > I set the following line in /etc/apache2/apache.conf
> > > > > > > > >
> > > > > > > > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
> > > > > > > > >
> > > > > > > > > However I am not getting the rule.id value in the access log line.
> > > > > > > > >
> > > > > > > > > Kindly suggest.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Homesh
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > mod-security-users mailing list
> > > > > > > > > mod...@li...
> > > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > > > > > http://www.modsecurity.org/projects/commercial/support/
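The following is an added example, not from the thread or from the netnea tutorials, that puts the advice above together in one place: the detection rule marks the transaction in the TX collection, a phase 5 rule (which also runs for requests denied earlier) exports the marker with setenv, and the LogFormat reads it back with %{name}e. The rule ids, the tx.waf / tx.waf_ids names, the log path and the assumption that an unset tx.waf_ids expands to an empty string in the setvar macro are choices made here, not anything the thread states.

```apache
# Added example: WAF flag and matched rule id(s) in the Apache access log.
# Works under both engine modes; in DetectionOnly evaluation continues after
# a match, so tx.waf_ids accumulates ids instead of being overwritten.
SecRuleEngine DetectionOnly

# Detection rule (id 900101 is an arbitrary choice): besides its disruptive
# action it records the match in TX for the phase 5 export rule below.
# Assumes an unset tx.waf_ids expands to "" so the first id is kept.
SecRule ARGS "@detectSQLi" \
    "id:900101,phase:2,deny,status:403,log,msg:'SQL injection',\
    setvar:tx.waf=1,\
    setvar:'tx.waf_ids=%{tx.waf_ids} %{rule.id}'"

# Phase 5 runs for every transaction, including those denied in phase 1-4,
# so the environment export lives here rather than in each detection rule.
# &TX:waf counts the variable, so the rule also matches when it is unset.
SecRule &TX:waf "@eq 1" \
    "id:900190,phase:5,pass,nolog,setenv:waf=1,setenv:'waf_ids=%{tx.waf_ids}'"

SecRule &TX:waf "@eq 0" \
    "id:900191,phase:5,pass,nolog,setenv:waf=0"

# Alternative mentioned in the thread: flag on the HTTP status instead of a
# marker (only meaningful with SecRuleEngine On, where 403 is actually sent).
# SecRule RESPONSE_STATUS "@streq 403" "id:900192,phase:5,pass,nolog,setenv:waf=1"

# Apache side: %{name}e reads the exported environment variables; an unset
# one is printed as "-". Log path is a placeholder.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{waf}e \"%{waf_ids}e\"" extended
CustomLog /var/log/apache2/access.log extended
```

With SecRuleEngine On the deny in phase 2 stops evaluation, so waf_ids holds the single blocking id; with DetectionOnly it holds every id that matched, which is what makes the "wrong rule id" in the sample log above visible rather than silently replaced.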