Thread: [mod-security-users] Problem with message in EventLog
From: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - 2019-04-13 09:06:47
Hello,

I'm using Mod Security 2.9.3 with IIS 10. It works well, but I can't distinguish the impacted site in the message generated in the EventLog.

Here is an example:

[client x.x.x.x] ModSecurity: Warning. detected XSS using libinjection. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: <script>alert(\x22Hello! I am an alert box!\x22);</script> found within ARGS:faille: <script>alert(\x22Hello! I am an alert box!\x22);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18158513699705323522"]

The URL is http://test-xss.localdomain

I would rather see [hostname "test-xss.localdomain"] instead of [hostname "TEST-WEB"], where TEST-WEB is the name of the server hosting multiple sites. I can't find how to customize the EventLog message.

Thanks
From: Christian F. <chr...@ne...> - 2019-04-13 18:42:07
Hi Claude,

You can not customize it. It's hard coded.

Regards,

Christian

On Sat, Apr 13, 2019 at 09:06:37AM +0000, Claude Cocault wrote:
> Hello,
>
> I'm using Mod Security 2.9.3 with IIS 10.
> It works well but I can't distinguish the impacted site in the message generated in the EventLog.
>
> Here is an example:
> [client x.x.x.x] ModSecurity: Warning. detected XSS using libinjection. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: <script>alert(\x22Hello! I am an alert box!\x22);</script> found within ARGS:faille: <script>alert(\x22Hello! I am an alert box!\x22);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18158513699705323522"]
>
> The URL is http://test-xss.localdomain
>
> I would rather see [hostname "test-xss.localdomain"] instead of [hostname "TEST-WEB"], where TEST-WEB is the name of the server hosting multiple sites.
> I can't find how to customize the EventLog message.
>
> Thanks
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
From: Ervin H. <ai...@gm...> - 2019-04-14 10:26:38
Hi Claude,

On Sun, Apr 14, 2019 at 09:01:27AM +0000, Claude Cocault wrote:
> Hi Christian,
>
> Thank you for your answer.
> Maybe a future evolution?

In V3 (aka libmodsecurity3) it is possible to log custom fields, but it depends on the application developer - so, to simplify, it also needs code :).

a.
From: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - 2019-04-14 19:00:30
Hi Christian,

Yes we can.

In crs-setup.conf I changed
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
to
SecDefaultAction "phase:1,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
SecDefaultAction "phase:2,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
And I obtain:
[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "VirtualHost: test-xss.gi3f.fr"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18230571293743251474"]
where I get [tag "VirtualHost: test-xss.gi3f.fr"] in the log message.

Thanks
Best regards
________________________________
From: Ervin Hegedüs <ai...@gm...>
Sent: Sunday, 14 April 2019 12:26
To: mod...@li...
Subject: Re: [mod-security-users] Problem with message in EventLog
Hi Claude,
On Sun, Apr 14, 2019 at 09:01:27AM +0000, XXXXXXXXXXXXXX wrote:
> Hi Christian,
>
> Thank you for your answer.
> Maybe a future evolution ?
in V3 (aka libmodsecurity3) there is possible to log the custom
fields, but it depends the application developer - so in
simplifying at all, also needs to code :).
a.
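Once the VirtualHost tag is in place, the per-site information has to be dug back out of the flat `[key "value"]` message. The parser below is an added example, not code from this thread or from the ModSecurity project; it splits a ModSecurity 2.x message into its bracketed fields (collecting every `tag`, since the key repeats) and recovers the site name from the `VirtualHost:` tag, using a constructed, shortened copy of the message Claude posted.

```python
"""Parse ModSecurity 2.x error-log / EventLog messages into fields.

Added example, not code from the thread or the ModSecurity project.
It shows why the tag:'VirtualHost: %{request_headers.host}' trick works
for per-site triage: every [tag "..."] is kept, and the VirtualHost tag
is turned back into the site name that [hostname] does not carry on a
multi-site IIS server.
"""
import re
from typing import Any, Dict, Optional

# One [key "value"] pair. Values may contain backslash escapes such as
# \x22 and \/, so the inner pattern treats "\\." as a single unit.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Leading "[client a.b.c.d] ModSecurity: <free text>" up to the first field.
CLIENT_RE = re.compile(r'^\[client ([^\]]+)\]\s*ModSecurity: (?P<text>[^\[]*)')

# Constructed sample, shortened from the message quoted in the thread.
SAMPLE = (
    '[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). '
    'Operator GE matched 5 at TX:anomaly_score. '
    '[file "C:\\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] '
    '[severity "CRITICAL"] [tag "VirtualHost: test-xss.gi3f.fr"] [tag "application-multi"] '
    '[tag "attack-generic"] [hostname "TEST-WEB"] [uri "/verif.php"] '
    '[unique_id "18230571293743251474"]'
)


def parse_modsec_message(line: str) -> Dict[str, Any]:
    """Return client, free text and bracketed fields; 'tags' is a list."""
    out: Dict[str, Any] = {"tags": []}
    m = CLIENT_RE.match(line)
    if m:
        out["client"] = m.group(1)
        out["text"] = m.group("text").strip()
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            out["tags"].append(value)
        else:
            out[key] = value
    return out


def virtual_host(fields: Dict[str, Any]) -> Optional[str]:
    """Recover the site name from the tag added via SecDefaultAction."""
    for tag in fields.get("tags", []):
        if tag.startswith("VirtualHost: "):
            return tag[len("VirtualHost: "):].strip()
    return None  # message predates the tag change, or tag was not applied


if __name__ == "__main__":
    f = parse_modsec_message(SAMPLE)
    print(f["hostname"], "->", virtual_host(f), f["id"], f["severity"])
```

Feeding exported EventLog messages through `parse_modsec_message` lets you group alerts by `virtual_host()` rather than by the shared `[hostname]` of the IIS box.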
From: Christian F. <chr...@ne...> - 2019-04-16 05:02:11
Hello Claude,
Good one. If you are satisfied with the info as a tag, then this is a nice
solution. I thought you _needed_ it in the "hostname" field.
Cheers,
Christian
On Sun, Apr 14, 2019 at 06:44:43PM +0000, Claude Cocault wrote:
> Hi Christian
>
> Yes we can
>
> In crs-setup.conf I changed
> SecDefaultAction "phase:1,log,auditlog,pass"
> SecDefaultAction "phase:2,log,auditlog,pass"
> to
> SecDefaultAction "phase:1,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
> SecDefaultAction "phase:2,log,auditlog,pass,tag:'VirtualHost: %{request_headers.host}'"
> And I obtain:
> [client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "C:\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "VirtualHost: test-xss.gi3f.fr"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "TEST-WEB"] [uri "/verif.php"] [unique_id "18230571293743251474"]
>
> where I get [tag "VirtualHost: test-xss.gi3f.fr"] in the log message.
>
> Thanks
>
> Best regards