Re: [mod-security-users] tying log entries to rules
From: Ivan R. <iv...@we...> - 2005-04-21 08:59:28
caleb racey wrote:
> Hello
>
> Kudos on an excellent module and kudos to ivan on the excellent o'reilly
> apache security book.

Thanks!

> When monitoring the server logs I have two questions:
>
> 1) are there any tools for monitoring the audit logs, since the output
> per hit is multi-line the normal approach of "grep"ing is not effective.
> For example my logs are overwhelmingly phpBB exploit attempts (a bot is
> doing the rounds) the noise from this in the logs is making it very
> difficult to track down other "hits".

Not at the moment. In May work will begin on a web-based console to track
the audit entries. Since for that I need to build a (Perl) parser I am
likely to make it usable from the command line too.

BTW, you don't have to grep access_logs either. Have a look at the logscan
utility: http://www.apachesecurity.net/tools

> 2) is there any way to tie down a "hit" to the rule that caught it? Once
> I have identified false positives it is difficult to track down the rule
> causing it. It would be useful if the log would give some form of rule
> identifier for which rule caused the match.

There is, since yesterday, if you are not afraid to deploy 1.9dev2. I've
just added three more actions: id, msg, severity. They are just plain text
fields that will appear in the error message created by a rule.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
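The two problems raised in this thread, multi-line audit entries that defeat plain grep and tying a hit back to the rule that caught it, can both be handled by a small parser. The example below is added here and is not Ivan's Perl parser or anything shipped with mod_security: the sample log is constructed, and the entry layout plus the `[id "..."] [msg "..."] [severity "..."]` tags in the error message are assumed from the 1.x serial audit log format, so the regexes may need adjusting to match a real build's output.

```python
import re
from collections import Counter

# Constructed sample of a ModSecurity 1.x serial audit log (two entries). The
# layout and the [id/msg/severity] tags are assumed, not copied from a server.
SAMPLE_LOG = """\
========================================
Request: 192.0.2.10 - - [21/Apr/2005:08:59:28 +0100] "GET /phpBB2/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 403 283
----------------------------------------
GET /phpBB2/viewtopic.php?t=1&highlight=%2527 HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match "highlight=%27" at THE_REQUEST [id "300001"] [msg "phpBB highlight exploit"] [severity "2"]
mod_security-action: 403
--------------------------------------------------------------------------------
========================================
Request: 198.51.100.7 - - [21/Apr/2005:09:01:02 +0100] "POST /comments.php HTTP/1.1" 403 283
----------------------------------------
POST /comments.php HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match "<script" at POST_PAYLOAD [id "300002"] [msg "XSS attempt"] [severity "2"]
mod_security-action: 403
--------------------------------------------------------------------------------
"""

ENTRY_START = "=" * 40   # assumed: every 1.x audit entry opens with this line
REQ_RE = re.compile(r'^Request:\s*(?P<ip>\S+) .*?"(?P<line>[^"]*)"', re.M)
MSG_RE = re.compile(r"^mod_security-message:\s*(?P<msg>.*)$", re.M)
TAG_RE = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')

def parse_entries(log_text):
    """Split the multi-line audit log into entries; per hit, extract client, request line and rule id/msg/severity."""
    hits = []
    for chunk in log_text.split(ENTRY_START):
        req, msg = REQ_RE.search(chunk), MSG_RE.search(chunk)
        if not (req and msg):
            continue                       # preamble or a truncated entry
        tags = dict(TAG_RE.findall(msg.group("msg")))   # {} for rules without the new actions
        hits.append({"ip": req.group("ip"), "request": req.group("line"),
                     "message": msg.group("msg"), "id": tags.get("id", "-"),
                     "msg": tags.get("msg", "-"),
                     "severity": tags.get("severity", "-")})
    return hits

def count_by_rule(hits, ignore_ids=()):
    """Hits per rule id, with known-noise rules (e.g. the phpBB bot) dropped so rarer hits stand out."""
    return Counter(h["id"] for h in hits if h["id"] not in ignore_ids)

def grep_hits(hits, pattern):
    """Entry-aware grep: hits whose error message or request line matches the pattern."""
    rx = re.compile(pattern, re.I)
    return [h for h in hits if rx.search(h["message"]) or rx.search(h["request"])]
```

Rules that predate the id/msg/severity actions still parse; they simply show up under the placeholder id "-", which is itself a useful signal for which rules to annotate next.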