Thread: [mod-security-users] filtering with no log
From: David De M. <bio...@ya...> - 2006-02-16 10:36:35

Hi all,

I have installed mod_security on one of our corporate servers (mod_security: 1.9.2, apache: 2.0.55, OS: FreeBSD 6, PHP: 5.1.2) and it works fine.

I first installed mod_security for its ability to log POST requests. This works fine for me.

I was wondering if I could use it for filtering and rejecting all the requests which are not identified/addressed by/to a specific web application; logging only the successful requests into access.log.

Say a client sends a POST request containing a variable "origin" to a PHP script called "test.php" served by the server on which mod_security is installed and configured.

What I would like to do is to only log in the Apache access.log the requests containing "origin" in the POST request AND calling "test.php" by properly configuring mod_security.

I looked at the SecFilter, SecFilterSelective and SecFilterDefaultAction and did a few tests... e.g. I tried:

SecFilterSelective QUERY_STRING !"test\.php?origin=" "nolog"

But this didn't do the job. Not to say that everything got logged into access.log...

Any help would be appreciated! ;-)

Best regards,
David

From: Carles B. <cbo...@is...> - 2006-02-16 11:28:14

David De Maeyer wrote:
> What I would like to do is to only log in the Apache
> access.log the requests containing "origin" in the
> POST request AND calling "test.php" by properly
> configuring mod_security.
>
> I looked at the SecFilter, SecFilterSelective and
> SecFilterDefaultAction and did a few tests... e.g. I
> tried:
>
> SecFilterSelective QUERY_STRING !"test\.php?origin=" "nolog"
>
> But this didn't do the job. Not to say that everything
> got logged into access.log...
>
> Any help would be appreciated! ;-)
>
> Best regards,
> David

AFAIK mod_security has nothing to do with the Apache access file; whenever you configure mod_security to log requests, its messages go to the file set with the ErrorLog directive.

From the modsec documentation:
http://www.modsecurity.org/documentation/modsecurity-apache/stable/05-actions.html

Action log -> Log filter match to the Apache error log.

BTW, based upon my little knowledge of regular expressions, I guess that your filter

SecFilterSelective QUERY_STRING !"test\.php?origin=" "nolog"

should be enough to remove other requests than the ones you're interested in from appearing in the ErrorLog file.

Bye.

--
Carles Bonamusa Pérez
Software Engineer
Solutions Development Dept.
cbo...@is...
Internet Security Auditors, S.L.
www.isecauditors.com

From: Ivan R. <iv...@we...> - 2006-02-16 13:07:44
David De Maeyer wrote:
> Hi all,
>
> I have installed mod_security on one of our corporate
> servers (mod_security: 1.9.2, apache: 2.0.55, OS:
> FreeBSD 6, PHP: 5.1.2) and it works fine.
>
> I first installed mod_security for its ability to log
> POST requests. This works fine for me.
>
> I was wondering if I could use it for filtering and
> rejecting all the requests which are not
> identified/addressed by/to a specific web application;
> logging only the successful requests into access.log.
>
> Say a client sends a POST request containing a
> variable "origin" to a PHP script called "test.php"
> served by the server on which mod_security is
> installed and configured.

How about this:

# deny everything quietly
SecFilterSelective REMOTE_ADDR !^$ deny,status:404,nolog

# apply special rules to /test.php only
<Location /test.php>
    # start with no rules
    SecFilterInheritance Off

    # you did say "POST" only, right?
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    # variable "origin" not empty
    SecFilterSelective ARG_origin !^$ allow,nolog,setenv:valid_request

    # deny everything else quietly
    SecFilterSelective REMOTE_ADDR !^$ deny,status:404,nolog
</Location>

# Custom Apache log that logs only accepted requests
CustomLog logs/custom_access_log \
    "%h %l %u %t \"%r\" %>s %b" \
    env=valid_request

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
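
The same deny-by-default policy in ModSecurity 2.x SecRule syntax, as an added example that is not part of Ivan's message or of the project's own material (the SecFilter* directives above exist only in ModSecurity 1.x). The rule ids are placeholders chosen for illustration, and the example assumes the request body is small enough to be parsed so that ARGS includes POST parameters.

```apache
# Added example: ModSecurity 2.x equivalent of the 1.9 rules in this thread.
# Rule ids 100001-100003 are placeholders; pick ids from your own range.

SecRuleEngine On
# ARGS only contains POST parameters when the request body is parsed
SecRequestBodyAccess On

# Deny everything quietly (server-wide default)
SecAction "id:100001,phase:2,deny,status:404,nolog"

# Apply special rules to /test.php only
<Location /test.php>
    # Start with no inherited rules, so the server-wide deny is not applied here
    SecRuleInheritance Off

    # POST with a non-empty "origin": allow, and tag the request for CustomLog.
    # The disruptive action (allow) has to be on the chain starter. setenv is
    # placed on the last rule of the chain so it runs only when both the method
    # check and the parameter check have matched.
    SecRule REQUEST_METHOD "^POST$" "id:100002,phase:2,allow,nolog,chain"
        SecRule ARGS:origin "!^$" "setenv:valid_request=1"

    # Deny everything else for this location quietly
    SecAction "id:100003,phase:2,deny,status:404,nolog"
</Location>

# Custom Apache log that records only the requests tagged above
CustomLog logs/custom_access_log "%h %l %u %t \"%r\" %>s %b" env=valid_request
```

If "origin" must come from the POST body rather than the query string, ARGS_POST:origin is the narrower target.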
From: David De M. <bio...@ya...> - 2006-02-16 16:23:01

Hi Ivan,

Well, as far as I can see it is pretty much what I need. I will do some tests. And well, I'll be reading the doc carefully again ;-)

Thanks a lot!

Best regards,
David