Re: [mod-security-users] Question / Feature Request Log Comment
From: Ivan R. <iv...@we...> - 2003-12-08 09:55:59
Ulf Stegemann wrote:

> Apache 1.3.29, mod_security 1.7.3
>
> When using chain-ed filter rules it seems that mod_security prints only the
> pattern from the last filter rule of the chain in mod_security-message (with
> "SecAuditEngine RelevantOnly" that is).

Yes. When a set of rules is chained, only the last rule is treated as an "action" rule. Perhaps I can relax that a bit to allow rule supplied actions to be executed but not the default action. So you would still be able to do something, but the rule execution would continue.

> Since I do a statistical analysis of
> the audit log where among other things I count the different match patterns of
> blocked requests, this is rather bad ... especially if you have a lot of
> chain-ed rules, some with identical last rules.
>
> So my question is: what's the best way to circumvent such a behaviour? I
> thought of adding a dummy last rule that always matches and contains
> something like a comment in the pattern but that's rather ugly. Is there any
> way to add a kind of "log comment" to mod_security-message?
>
> Of course, adding a comment to filter rules that will be printed to the log
> file might come in handy, anyway. Think of references and the like.

I will introduce new features in that area in 1.9. I haven't decided yet, but I was thinking of adding several new actions to define a unique attack id (so you can have several rules/matches for the same thing), a message action (to log custom messages), a severity action, etc.

I believe this would solve your problem, would it?

(BTW, 1.9 will be out by the end of the year)

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]