Re: [mod-security-users] Use of Modsec variable in apache access log
From: homesh j. <ho...@gm...> - 2023-06-21 12:16:03
Hi Christian,

Thanks for the quick reply. OK so in detectonly mode also modsecurity rule
evaluation works the same. Debug is a good idea. I have UAT so I can test.
Will let you know.

Thanks,
Homesh

On Wed, Jun 21, 2023 at 3:03 PM Christian Folini <chr...@ne...> wrote:

> Hey Homesh,
>
> Evaluation does indeed stop after a drop and there is a chance
> your rules only set the variables in question in a later phase.
> Really depends on your configuration.
>
> You can follow rule execution with the ModSecurity debug log, but beware
> it is very verbose.
>
> Generally, it is best to set variables for display in the access log only
> in phase 5, which is also executed for requests that have been denied
> in an earlier phase.
>
> Best regards,
>
> Christian
>
> On Wed, Jun 21, 2023 at 01:14:04PM +0530, homesh joshi wrote:
> > Hi All,
> >
> > With regards to my approach for logging the modsec variables in apache log
> > has worked for me for almost a year now.
> > However, today when I enabled "SecRuleEngine DetectionOnly" for one of my
> > websites. What I notice is that the apache logs are missing the right
> > variable data.
> > e.g. I tested SQL injection and I was not able to see the relevant
> > information in apache log which I typically get when "SecRuleEngine On".
> >
> > sample log for "SecRuleEngine DetectionOnly":
> >
> > 49.36.106.185 - - [21/Jun/2023:06:39:53 +0000] 200 23125 GET "-"
> > "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101
> > Firefox/114.0" 3154 443 example.com ZJKbOUfg7dWT82qCkvNySAAAAEU TLSv1.3
> > TLS_AES_128_GCM_SHA256 0 4 L; "/" 15.24.15.205 39735 "" "" "" "/" 333762
> > "/?k=1%20or%201=1"
> >
> > here rule id log is 333762 which is not the signature for SQL injection
> >
> > So my conclusion is, in "SecRuleEngine On" rule evaluation stops when the
> > first rule matches with the final action drop/block. Hence I am able to get
> > the right rule ID and other variable data. But when "SecRuleEngine
> > DetectionOnly" rule evaluation continues till the last rule and due to
> > which my variable data gets changed as per the rules getting evaluated. Can
> > I change this behaviour of modsecurity in Detectonly mode? That it should
> > stop the evaluation when it matches the first rule with final action of
> > drop/block (and not block/drop the transaction)?
> >
> > Please suggest.
> >
> > Thanks,
> > Homesh
> >
> > On Fri, Mar 25, 2022 at 4:08 PM Christian Folini <chr...@ne...> wrote:
> >
> > > Thanks for the updates. I do not immediately see why it's not working
> > > completely. But glad you have a working solution.
> > >
> > > Best,
> > >
> > > Christian
> > >
> > > On Fri, Mar 25, 2022 at 01:59:38PM +0530, homesh joshi wrote:
> > > > Dear Christian,
> > > >
> > > > I added setvar:tx.rule=1 in each rule and then added the following rule,
> > > > post which I am able to get 1 written in access logs (via the %{waf})
> > > > for the transactions which got blocked by Modsec. For other transactions
> > > > it is missing and hence getting - in the logs. I was not able to directly
> > > > set the WAF=1 in the rules via setenv:waf=1
> > > >
> > > > SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,id:'9001'"
> > > >
> > > > Will test this, any update in case I face any challenge.
> > > >
> > > > Thanks,
> > > > Homesh
> > > >
> > > > On Thu, Mar 24, 2022 at 6:35 PM Christian Folini <chr...@ne...> wrote:
> > > >
> > > > > I suggest you add this to every rule that detects / blocks something.
> > > > > Thus not a SecAction, but attach the setenv to your existing SecRules
> > > > > where you want to see the flag.
> > > > >
> > > > > Alternatively, you can do a SecRule in phase 5 where you test the
> > > > > HTTP status and if it's 403, then you set the env.
> > > > >
> > > > > Good luck!
> > > > >
> > > > > Christian
> > > > >
> > > > > On Thu, Mar 24, 2022 at 05:02:20PM +0530, homesh joshi wrote:
> > > > > > Dear Christian,
> > > > > >
> > > > > > Thanks. I think this will work for me. However, can you please explain
> > > > > > it a bit more on how this works.
> > > > > > From your tutorial, if I set up the following rule
> > > > > >
> > > > > > # === ModSec performance calculations and variable export (ids: 90100 - 90199)
> > > > > >
> > > > > > SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1"
> > > > > >
> > > > > > then for every access I see "1" in the access log.
> > > > > >
> > > > > > I think I will need to understand it more in order to use it.
> > > > > >
> > > > > > Kindly explain
> > > > > > 1) the configuration required for setenv by modifying each rule
> > > > > >
> > > > > > 2) the configuration required for the more complicated scheme which you
> > > > > > are referring to
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Homesh
> > > > > >
> > > > > > On Thu, Mar 24, 2022 at 11:52 AM Christian Folini <chr...@ne...> wrote:
> > > > > >
> > > > > > > Hi there,
> > > > > > >
> > > > > > > On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> > > > > > > > Thanks for the clarification.
> > > > > > > > I have already gone through the excellent netnea.com tutorials. I have
> > > > > > > > already used some of the configuration from the tutorial. I do not use CRS.
> > > > > > >
> > > > > > > Thank you very much.
> > > > > > >
> > > > > > > > My objective here is that I want to get a flag in the access log line if
> > > > > > > > modsec has taken any action on the transaction, say simply it can be a
> > > > > > > > field like modsec=1 or modsec=0. This will help me in separating
> > > > > > > > transactions which are allowed (modsec=0). So then it is easy to show
> > > > > > > > these transactions in the reporting system.
> > > > > > >
> > > > > > > I'd do a setenv then in the rules.
> > > > > > >
> > > > > > > ... "setenv:modsec=1"
> > > > > > >
> > > > > > > Similar to the way I set the various env variables in phase 5. You can
> > > > > > > simply add this to every rule you have. Or you set up a more complicated
> > > > > > > scheme and do it in the end in phase 5.
> > > > > > >
> > > > > > > Best,
> > > > > > >
> > > > > > > Christian
> > > > > > >
> > > > > > > > Kindly suggest.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Homesh
> > > > > > > >
> > > > > > > > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <chr...@ne...> wrote:
> > > > > > > >
> > > > > > > > > Hello Homesh,
> > > > > > > > >
> > > > > > > > > Unfortunately, this is not how this works.
> > > > > > > > >
> > > > > > > > > A ModSecurity variable is not automatically an environment variable.
> > > > > > > > > And on top, the ModSec variable "rule" is only available during the
> > > > > > > > > execution of the very rule (and there might be many, many rules).
> > > > > > > > >
> > > > > > > > > I suggest you read up on my free tutorials published at netnea.com.
> > > > > > > > > The one on logging and the ones on the Core Rule Set are proposing
> > > > > > > > > ways to achieve something along these lines.
> > > > > > > > >
> > > > > > > > > Best,
> > > > > > > > >
> > > > > > > > > Christian
> > > > > > > > >
> > > > > > > > > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
> > > > > > > > > > Hi All,
> > > > > > > > > >
> > > > > > > > > > Hope you all are well.
> > > > > > > > > >
> > > > > > > > > > I want to add the modsecurity variable e.g. "rule.id" in the apache
> > > > > > > > > > access log via the extended format.
> > > > > > > > > > I set the following line in /etc/apache2/apache.conf
> > > > > > > > > >
> > > > > > > > > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"
> > > > > > > > > > %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
> > > > > > > > > >
> > > > > > > > > > However I am not getting the rule.id value in the access log line.
> > > > > > > > > >
> > > > > > > > > > Kindly suggest.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Homesh
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > mod-security-users mailing list
> > > > > > > > > > mod...@li...
> > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > > > > > > http://www.modsecurity.org/projects/commercial/support/
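A worked configuration for the approach discussed in the thread (mark the transaction in TX variables from the detecting rule, export them to Apache environment variables in phase 5, and print them from the LogFormat), added here as an example and not taken from the thread or from the netnea tutorials. The rule ids 9100-9102, the variable names tx.waf and tx.waf_rule_id, the env names waf and waf_rule_id, and the Debian-style ${APACHE_LOG_DIR} path are assumptions.

```apache
# Added example, not from the thread: flag WAF-handled transactions in the
# Apache access log. Ids 9100-9102 and the names tx.waf / tx.waf_rule_id /
# waf / waf_rule_id are assumed; adjust them to your own id range.

# A detection rule (phase 2). Besides denying, it records in TX variables,
# which live for the whole transaction, that it matched and which id did.
# %{rule.id} is the ModSecurity macro for the id of the rule being executed.
SecRule ARGS "@detectSQLi" \
    "id:9100,phase:2,deny,status:403,log,msg:'SQLi in request args',\
    setvar:tx.waf=1,setvar:tx.waf_rule_id=%{rule.id}"

# Phase 5 (logging) runs even for transactions denied in an earlier phase,
# so this is where TX values are copied into Apache environment variables.
# Phase 5 rules may only use pass; disruptive actions are not allowed here.
SecRule TX:waf "@eq 1" \
    "id:9101,phase:5,pass,nolog,\
    setenv:waf=1,setenv:waf_rule_id=%{tx.waf_rule_id}"

# Alternative from the thread: derive the flag from the HTTP status instead.
# This never fires under SecRuleEngine DetectionOnly, because nothing is
# denied there. The TX-based rule above still works in that mode, but
# tx.waf_rule_id then holds the LAST matching rule, since evaluation
# continues past the first match (the behaviour observed in the thread).
SecRule RESPONSE_STATUS "@eq 403" \
    "id:9102,phase:5,pass,nolog,setenv:waf=1"

# Apache side: an unset env variable is logged as "-", so an allowed request
# shows "- -" in the last two fields and a blocked one shows "1 9100".
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" \
%{ms}T %p %{Host}i %{UNIQUE_ID}e %{waf}e %{waf_rule_id}e" extended
CustomLog ${APACHE_LOG_DIR}/access.log extended
```

Because the env variables are set only in phase 5, the same configuration works unchanged whether the engine is On or DetectionOnly; only the meaning of the logged rule id differs, as the comments note.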