Re: [mod-security-users] Reporting on block
From: Ryan B. <rcb...@gm...> - 2006-10-10 13:22:08
I agree with Ivan in that centralizing these logs and then having the ModSecurity Console take action is the way to go, especially if you have a number of sensors (hosts that are running ModSecurity).

What I have done with the CGI scripts, to address the exact issues that Ivan points out, was: 1) I implemented mod_perl so that there would be less of an impact from executing these scripts, as mod_perl initiates one perl instance that will service all of the CGI scripts, and 2) the CGI script implements some thresholding on the email function. The threshold is 10 emails from one IP address. Once a client exceeds 10 alerts, it will not email any longer. The 10 alert emails are just an indication that someone is doing something and I should look into this closer. Without the thresholding, if someone runs a Nikto scan against my site, I would get email bombed...

Once again, while this implementation does work, it is distributed in nature and rather difficult to maintain. Now, with the ModSecurity Console, I will have a tool to centralize, analyze and alert on all of these alerts :)

Hope this helps.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 10/10/06, Ivan Ristic <iva...@gm...> wrote:
>
> On 10/9/06, Ariel Jolodovsky <ar...@po...> wrote:
> > Hi everyone.
> >
> > Is there any way of making mod_security send me a mail whenever the filter
> > blocks something? In the aproverscript I can do it calling the mail
> > command, but it would be useful to have this on the filter.
>
> Ryan already mentioned one way this can be achieved. The other is to
> use the "exec" action.
>
> However, I'd like to point out that sending emails on every block is
> not a particularly good idea. The next time someone points a web
> vulnerability scanner at your web site you will get several thousand
> emails in the mailbox.
>
> Another issue is the additional performance penalty because you will be
> invoking a CGI script on every block.
>
> My idea of a solution is to have the alerts sent to ModSecurity
> Console, where they will be processed. The console can then be
> configured to periodically send email reports.
>
> --
> Ivan Ristic
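The per-client thresholding Ryan describes (mail the first 10 alerts from an IP, then stay silent for that IP so a scanner run cannot mail-bomb the operator) can be shown as a small alert processor. This is an added example, not code from the thread, from Ryan's CGI script or from ModSecurity. The alert line format, the client addresses, and the names `AlertThrottle`, `parse_alert` and `process_alerts` are constructed for the example; real ModSecurity audit-log entries look different and would need their own parser.

```python
"""Per-client alert throttling for block notifications (added example).

Implements the thresholding described in the thread: e-mail the first N
alerts from a client IP, then suppress further mail for that IP. The alert
line format below is constructed for this example and is not real
ModSecurity audit-log output.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional

# Threshold from the thread: stop e-mailing once a client exceeds 10 alerts.
ALERT_THRESHOLD = 10

# Constructed, simplified alert records: one per blocked request.
# 192.0.2.10 behaves like a scanner (12 blocks); 198.51.100.7 triggers two.
SAMPLE_ALERTS = (
    [f'client=192.0.2.10 uri=/cgi-bin/probe{i}.cgi msg="Scanner probe"' for i in range(12)]
    + ['client=198.51.100.7 uri=/login msg="SQL injection attempt"',
       'client=198.51.100.7 uri=/search msg="XSS attempt"']
)

ALERT_RE = re.compile(r'client=(?P<client>\S+) uri=(?P<uri>\S+) msg="(?P<msg>[^"]*)"')


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


class AlertThrottle:
    """Count alerts per client and decide whether each one should be mailed."""

    def __init__(self, threshold: int = ALERT_THRESHOLD) -> None:
        self.threshold = threshold
        self.counts: Dict[str, int] = defaultdict(int)

    def should_notify(self, client: str) -> bool:
        """True for the first `threshold` alerts from a client, False afterwards."""
        self.counts[client] += 1
        return self.counts[client] <= self.threshold


def process_alerts(lines: Iterable[str],
                   threshold: int = ALERT_THRESHOLD,
                   send_mail: Optional[Callable[[str], None]] = None) -> Dict[str, Dict[str, int]]:
    """Run alert lines through the throttle.

    send_mail is a hook for the real mail command (hypothetical; nothing is
    sent by default). Returns per-client counts of mailed and suppressed alerts.
    """
    throttle = AlertThrottle(threshold)
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"sent": 0, "suppressed": 0})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line; ignore it
        client = alert["client"]
        if throttle.should_notify(client):
            stats[client]["sent"] += 1
            if send_mail is not None:
                send_mail(f'ModSecurity block from {client}: {alert["msg"]} ({alert["uri"]})')
        else:
            stats[client]["suppressed"] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, s in process_alerts(SAMPLE_ALERTS, send_mail=print).items():
        print(f"{client}: {s['sent']} mailed, {s['suppressed']} suppressed")
```

Run as one long-lived process over the alert stream (which is also what Ivan's performance point argues for), the 12 scanner blocks produce 10 mails and 2 suppressed entries, while the two alerts from the second client are both mailed. The counts never reset here; a production version would age them out so a client is not silenced forever.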