Thread: [mod-security-users] Use of Modsec variable in apache access log
From: homesh j. <ho...@gm...> - 2022-03-23 17:43:17
Hi All,
Hope you all are well.
I want to add the ModSecurity variable, e.g. "rule.id", in the Apache access
log via the extended format.
I set the following line in /etc/apache2/apache.conf
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"
%{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
However I am not getting the rule.id value in the access log line.
Kindly suggest.
Thanks,
Homesh
From: Christian F. <chr...@ne...> - 2022-03-23 18:30:51
Hello Homesh,

Unfortunately, this is not how this works.

A ModSecurity variable is not automatically an environment variable. And on top, the ModSec variable "rule" is only available during the execution of the very rule (and there might be many, many rules).

I suggest you read up on my free tutorials published at netnea.com. The one on logging and the ones on the Core Rule Set are proposing ways to achieve something along these lines.

Best,

Christian

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
From: homesh j. <ho...@gm...> - 2023-06-21 12:16:03
Hi Christian,

Thanks for the quick reply. OK so in DetectionOnly mode also ModSecurity rule evaluation works the same.
Debug is a good idea. I have UAT so I can test. Will let you know.

Thanks,
Homesh

On Wed, Jun 21, 2023 at 3:03 PM Christian Folini <chr...@ne...> wrote:
> Hey Homesh,
>
> Evaluation does indeed stop after a drop and there is a chance
> your rules only set the variables in question in a later phase.
> Really depends on your configuration.
>
> You can follow rule execution with the ModSecurity debug log, but beware
> it is very verbose.
>
> Generally, it is best to set variables for display in the access log only
> in phase 5, which is also executed for requests that have been denied
> in an earlier phase.
>
> Best regards,
>
> Christian
>
> On Wed, Jun 21, 2023 at 01:14:04PM +0530, homesh joshi wrote:
> > Hi All,
> >
> > With regards to my approach for logging the modsec variables in apache log,
> > it has worked for me for almost a year now.
> > However, today I enabled "SecRuleEngine DetectionOnly" for one of my
> > websites. What I notice is that the apache logs are missing the right
> > variable data.
> > e.g. I tested SQL injection and I was not able to see the relevant
> > information in apache log which I typically get when "SecRuleEngine On".
> > Sample log for "SecRuleEngine DetectionOnly":
> > 49.36.106.185 - - [21/Jun/2023:06:39:53 +0000] 200 23125 GET "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0" 3154 443 example.com ZJKbOUfg7dWT82qCkvNySAAAAEU TLSv1.3 TLS_AES_128_GCM_SHA256 0 4 L; "/" 15.24.15.205 39735 "" "" "" "/" 333762 "/?k=1%20or%201=1"
> >
> > Here the rule id logged is 333762, which is not the signature for SQL injection.
> >
> > So my conclusion is, in "SecRuleEngine On" rule evaluation stops when the
> > first rule matches with the final action drop/block. Hence I am able to get
> > the right rule ID and other variable data. But when "SecRuleEngine
> > DetectionOnly", rule evaluation continues till the last rule, due to
> > which my variable data gets changed as per the rules getting evaluated. Can
> > I change this behaviour of ModSecurity in DetectionOnly mode, so that it should
> > stop the evaluation when it matches the first rule with final action of
> > drop/block (and not block/drop the transaction)?
> >
> > Please suggest.
> >
> > Thanks,
> > Homesh
> >
> > On Fri, Mar 25, 2022 at 4:08 PM Christian Folini <chr...@ne...> wrote:
> > > Thanks for the updates. I do not immediately see why it's not working
> > > completely. But glad you have a working solution.
> > >
> > > Best,
> > >
> > > Christian
> > >
> > > On Fri, Mar 25, 2022 at 01:59:38PM +0530, homesh joshi wrote:
> > > > Dear Christian,
> > > >
> > > > I added setvar:tx.rule=1 in each rule and then added the following rule,
> > > > post which I am able to get 1 written in access logs (via the %{waf})
> > > > for the transactions which got blocked by ModSec. For other transactions it
> > > > is missing and hence getting - in the logs. I was not able to directly set
> > > > the WAF=1 in the rules via setenv:waf=1
> > > >
> > > > SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,id:'9001'"
> > > >
> > > > Will test this; any update in case I face any challenge.
> > > >
> > > > Thanks,
> > > > Homesh
> > > >
> > > > On Thu, Mar 24, 2022 at 6:35 PM Christian Folini <chr...@ne...> wrote:
> > > > > I suggest you add this to every rule that detects / blocks something.
> > > > > Thus not a SecAction, but attach the setenv to your existing SecRules
> > > > > where you want to see the flag.
> > > > >
> > > > > Alternatively, you can do a SecRule in phase 5 where you test the
> > > > > HTTP status and if it's 403, then you set the env.
> > > > >
> > > > > Good luck!
> > > > >
> > > > > Christian
> > > > >
> > > > > On Thu, Mar 24, 2022 at 05:02:20PM +0530, homesh joshi wrote:
> > > > > > Dear Christian,
> > > > > >
> > > > > > Thanks. I think this will work for me. However, can you please explain
> > > > > > it a bit more on how this works.
> > > > > > From your tutorial, if I set up the following rule
> > > > > >
> > > > > > # === ModSec performance calculations and variable export (ids: 90100 - 90199)
> > > > > >
> > > > > > SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1"
> > > > > >
> > > > > > then for every access I see "1" in the access log.
> > > > > >
> > > > > > I think I will need to understand it more in order to use it.
> > > > > >
> > > > > > Kindly explain
> > > > > > 1) the configuration required for setenv by modifying each rule
> > > > > >
> > > > > > 2) the configuration required for the more complicated scheme which you
> > > > > > are referring to
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Homesh
> > > > > >
> > > > > > On Thu, Mar 24, 2022 at 11:52 AM Christian Folini <chr...@ne...> wrote:
> > > > > > > Hi there,
> > > > > > >
> > > > > > > On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> > > > > > > > Thanks for the clarification.
> > > > > > > > I have already gone through excellent netnea.com tutorials. I have
> > > > > > > > already used some of the configuration from tutorial. I do not use crs.
> > > > > > >
> > > > > > > Thank you very much.
> > > > > > >
> > > > > > > > My objective here is that I want to get a flag in access log line if modsec
> > > > > > > > has taken any action on the transaction; say simply it can be a field like
> > > > > > > > modsec=1 or modsec=0. This will help me in separating transactions which
> > > > > > > > are allowed (modsec=0). So then it is easy to show these transactions in
> > > > > > > > the reporting system.
> > > > > > >
> > > > > > > I'd do a setenv then in the rules.
> > > > > > >
> > > > > > > ... "setenv:modsec=1"
> > > > > > >
> > > > > > > Similar to the way I set the various env variables in phase 5. You can
> > > > > > > simply add this to every rule you have. Or you set up a more complicated
> > > > > > > scheme and do it in the end in phase 5.
> > > > > > >
> > > > > > > Best,
> > > > > > >
> > > > > > > Christian
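The phase-5 export Christian describes, together with the DetectionOnly overwrite Homesh ran into, as an added example that is not code from the thread or from the ModSecurity project. It assumes ModSecurity 2.x on Apache httpd with an existing ruleset; the rule ids 9000-9003, the tx.waf_rules variable, the env names waf, waf_rules and waf_denied, and the log path are placeholders chosen here.

```apache
# Added example, not from the thread or from the ModSecurity project.
# Assumes ModSecurity 2.x on Apache httpd; rule ids 9000-9003, tx.waf_rules,
# the env names waf/waf_rules/waf_denied and the log path are placeholders.

# Phase 1: give every transaction an empty list, so the macro below never
# expands an undefined variable.
SecAction "id:9000,phase:1,pass,nolog,setvar:tx.waf_rules="

# Each detection rule appends its own id to tx.waf_rules when it matches, on
# top of whatever it already does. With "SecRuleEngine On" the first deny ends
# evaluation and the list holds one id. With "SecRuleEngine DetectionOnly"
# evaluation continues past the match, so the list keeps the first id as well
# as every later one, instead of a single variable being overwritten by the
# last rule that happened to fire (the 333762 seen in the thread).
SecRule ARGS "@detectSQLi" \
    "id:9001,phase:2,deny,status:403,log,msg:'SQLi in request argument',\
    setvar:'tx.waf_rules=%{tx.waf_rules} %{rule.id}'"

# Phase 5 (logging) still runs for transactions denied in an earlier phase,
# so it is the one place to export the outcome as Apache env variables.
# A transaction that matched nothing keeps an empty list, this rule does not
# fire, and mod_log_config prints "-" for both fields.
SecRule TX:waf_rules "@rx [0-9]" \
    "id:9002,phase:5,pass,nolog,setenv:waf=1,setenv:'waf_rules=%{tx.waf_rules}'"

# The other option from the thread: key the flag on the 403 status. This only
# works with "SecRuleEngine On"; in DetectionOnly the deny is not enforced,
# the status stays 200 and waf_denied is never set.
SecRule RESPONSE_STATUS "@eq 403" "id:9003,phase:5,pass,nolog,setenv:waf_denied=1"

# Access log: %{waf}e and %{waf_rules}e read the env variables set in phase 5.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{waf}e \"%{waf_rules}e\"" extended
CustomLog ${APACHE_LOG_DIR}/access.log extended
```

Because the flag is derived from tx.waf_rules rather than from the response status, a reporting query on the waf field separates matched from unmatched transactions identically under both engine modes.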
From: Christian F. <chr...@ne...> - 2023-06-21 12:29:10
Hey Homesh,

Yes, it's the same, it's just that the deny does not happen, so rule execution continues.

Good luck!

Christian

On Wed, Jun 21, 2023 at 05:45:42PM +0530, homesh joshi wrote:
> Hi Christian,
>
> Thanks for the quick reply. OK so in DetectionOnly mode also ModSecurity rule
> evaluation works the same.
> Debug is a good idea. I have UAT so I can test. Will let you know.
>
> Thanks,
> Homesh
From: homesh j. <ho...@gm...> - 2022-03-24 03:08:10
Dear Christian,

Thanks for the clarification.
I have already gone through excellent netnea.com tutorials. I have already used some of the configuration from tutorial. I do not use crs.
My objective here is that I want to get a flag in access log line if modsec has taken any action on the transaction; say simply it can be a field like modsec=1 or modsec=0. This will help me in separating transactions which are allowed (modsec=0). So then it is easy to show these transactions in the reporting system.

Kindly suggest.

Thanks,
Homesh
From: <az...@po...> - 2022-03-24 04:19:44
Hi Homesh,

if all you need is to distinguish between blocked/passed requests, then what about using a different HTTP code used by ModSecurity for blocking? There are lots of HTTP codes which can fit. You can set it using SecDefaultAction.

azurit
|
From: homesh j. <ho...@gm...> - 2022-03-24 05:11:40
|
Hi Azurit,

Thank you for your reply. In that case I will have to ensure all the rules
which are currently using either 403 or 501 need to be changed to something,
say 408.
Instead I just need to set the flag in the access log which I can use in
the reporting to sort the allowed transactions. Ideally if there is any
variable for modsec final action, say blocked or allowed, then nothing like
it.

Thanks,
Homesh
|
|
From: <az...@po...> - 2022-03-24 09:06:59
|
No, you can set it for all rules using SecDefaultAction (it's a one-liner setting).
|
|
From: Christian F. <chr...@ne...> - 2022-03-24 06:19:12
|
Hi there,

On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> Thanks for the clarification.
> I have already gone through excellent netnea.com tutorials. I have already
> used some of the configuration from tutorial. I do not use crs.

Thank you very much.

> My objective here is that I want to get a flag in access log line if modsec
> has taken any action on the transaction say simply it can be a field like
> modsec=1 or modsec=0. This will help me in separating transactions which are
> allowed (modsec=0). So then it is easy to show these transactions in the
> reporting system.

I'd do a setenv then in the rules.

... "setenv:modsec=1"

Similar to the way I set the various env variables in phase 5. You can simply
add this to every rule you have. Or you set up a more complicated scheme
and do it in the end in phase 5.

Best,

Christian
|
|
From: homesh j. <ho...@gm...> - 2022-03-24 11:32:41
|
Dear Christian,

Thanks. I think this will work for me. However, can you please explain it a
bit more on how this works.
From your tutorial, if I set up the following rule

# === ModSec performance calculations and variable export (ids: 90100 - 90199)

SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1"

then for every access I see "1" in the access log.

I think I will need to understand it more in order to use it.

Kindly explain
1) the configuration required for setenv by modifying each rule
2) the configuration required for the more complicated scheme which you
are referring to

Thanks,
Homesh
|
|
From: Christian F. <chr...@ne...> - 2022-03-24 13:01:09
|
I suggest you add this to every rule that detects / blocks something.
Thus not a SecAction, but attach the setenv to your existing SecRules
where you want to see the flag.

Alternatively, you can do a SecRule in phase 5 where you test the
HTTP status and if it's 403, then you set the env.

Good luck!

Christian
|
|
From: homesh j. <ho...@gm...> - 2022-03-25 08:30:01
|
Dear Christian,

I added setvar:tx.rule=1 in each rule and then added the following rule,
post which I am able to get 1 written in the access logs (via the %{waf}) for
the transactions which got blocked by Modsec. For other transactions it is
missing and hence getting - in the logs. I was not able to directly set the
WAF=1 in the rules via setenv:waf=1

SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,id:'9001'"

Will test this and update in case I face any challenge.
Thanks,
Homesh
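The two mechanisms discussed in this thread (a per-rule TX flag exported to the access log in phase 5, and Christian's alternative of keying on the HTTP status) put together as an added configuration example; this is not from the thread or the netnea tutorials, and the rule ids 9000-9002, the marker-header detection rule and the log path are constructed placeholders.

```apache
# Added example (not from the thread): export a "blocked by WAF" flag into
# the Apache access log. Rule ids 9000-9002, the sample detection rule and
# the log path are constructed placeholders; adapt them to your own rule set.

# 1) Every rule that should count as a WAF hit sets a transaction variable.
#    Constructed example rule: deny a request carrying a marker header value.
#    The thread reports that putting setenv:waf=1 directly on the blocking
#    rule did not show up in the access log, hence the TX flag plus phase 5.
SecRule REQUEST_HEADERS:X-Constructed-Marker "@streq trigger" \
    "id:9000,phase:1,deny,status:403,log,msg:'constructed test rule',setvar:tx.rule=1"

# 2) Phase 5 (logging) runs for every transaction, blocked ones included.
#    Turn the TX variable into an Apache environment variable here; phase 5
#    rules must be non-disruptive, so the action is pass.
SecRule TX:rule "@eq 1" \
    "id:9001,phase:5,pass,nolog,setenv:waf=1"

# 2b) Alternative from the thread: leave the individual rules untouched and
#     key on the status ModSecurity used for blocking (403 here). Caveat: a
#     403 produced by the application itself would also set the flag, which
#     is why the TX-variable route above is the more precise signal.
#     Use 9001 or 9002, not both, unless you want both signals.
SecRule RESPONSE_STATUS "@eq 403" \
    "id:9002,phase:5,pass,nolog,setenv:waf=1"

# 2c) azurit's option: one SecDefaultAction gives every rule without an
#     explicit disruptive action a distinctive blocking status to filter on.
#     Uncomment to use (408 is the value floated in the thread).
# SecDefaultAction "phase:2,deny,status:408,log"

# 3) Read the environment variable with %{...}e in the LogFormat. When the
#    variable was never set, Apache writes "-", which is the "allowed" case
#    the reporting side can filter on.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{waf}e" extended
CustomLog /var/log/apache2/access.log extended
```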
|
|
From: Christian F. <chr...@ne...> - 2022-03-25 10:34:13
|
Thanks for the updates. I do not immediately see why it's not working
completely. But glad you have a working solution.
Best,
Christian
On Fri, Mar 25, 2022 at 01:59:38PM +0530, homesh joshi wrote:
> Dear Christian,
>
> I added setvar:tx.rule=1 in each rule and then added the following rule,
> post which I am able to get 1 written in access logs ( via the %{waf} ) for
> the transactions which got blocked by Modsec. for other transactions it is
> missing and hence getting - in the logs. I was not able to directly set the
> WAF=1 in the rules via setenv:waf=1
>
> SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,id:'9001'"
>
> Will test this any update incase I face any challenge.
>
> Thanks,
> Homesh
>
>
> On Thu, Mar 24, 2022 at 6:35 PM Christian Folini <
> chr...@ne...> wrote:
>
> > I suggest you add this to every rule that detects / blocks something.
> > Thus not a SecAction, but attach the setenv to your existing SecRules
> > where you want to see the flag.
> >
> > Alternatively, you can do a SecRule in phase 5 where you test the
> > HTTP status and if it's 403, then you set the env.
> >
> > Good luck!
> >
> > Christian
> >
> > On Thu, Mar 24, 2022 at 05:02:20PM +0530, homesh joshi wrote:
> > > Dear Christian,
> > >
> > > Thanks. I think this will work for me. However, can you please explain
> > it a
> > > bit more on how this works.
> > > from your tutorial if i set up following rule
> > >
> > > # === ModSec performance calculations and variable export (ids: 90100 -
> > 90199)
> > >
> > > SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1"
> > >
> > > then for every access I see "1" in the access log.
> > >
> > > I think I will need to understand it more in order to use it.
> > >
> > > Kindly explain
> > > 1) the configuration required for setenv by modifying each rule
> > >
> > > 2) the configuration required for more complicated scheme which you
> > > are referring to
> > >
> > > Thanks,
> > >
> > > Homesh
> > >
> > >
> > > On Thu, Mar 24, 2022 at 11:52 AM Christian Folini <
> > > chr...@ne...> wrote:
> > >
> > > > Hi there,
> > > >
> > > > On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote:
> > > > > Thanks for the clarification.
> > > > > I have already gone through excellent netnea.com tutorials. I have
> > > > already
> > > > > used some of the configuration from tutorial.I do not use crs.
> > > >
> > > > Thank you very much.
> > > >
> > > > > My objective here is that I want to get a flag in access log line if
> > > > modsec
> > > > > has taken any action on the transaction say simply it can be a field
> > like
> > > > > modsec=1 or modsec=0. This wi help me in separating transactions
> > which
> > > > are
> > > > > allowed.(modsec=0) So then it is easy to show these transactions in
> > the
> > > > > reporting system.
> > > >
> > > > I'd do a setenv then in the rules.
> > > >
> > > > ... "setenv:modsec=1"
> > > >
> > > > Similar to the way I set th various env variables in phase 5. You can
> > > > simply
> > > > add this to every rule you have. Or you set up a more complicated
> > scheme
> > > > and do it in the end in phase 5.
> > > >
> > > > Best,
> > > >
> > > > Christian
> > > >
> > > > >
> > > > > Kindly suggest.
> > > > >
> > > > > Thanks,
> > > > > Homesh
> > > > >
> > > > > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, <
> > > > > chr...@ne...> wrote:
> > > > >
> > > > > > Hello Homesh,
> > > > > >
> > > > > > Unfortunately, this is not how this works.
> > > > > >
> > > > > > A ModSecurity variable is not automatically an environment variable.
> > > > > > And on top, the ModSec variable "rule" is only available during the
> > > > > > execution of the very rule (and there might be many, many rules).
> > > > > >
> > > > > > I suggest you read up on my free tutorials published at netnea.com
> > .
> > > > > > The one on logging and the ones on the Core Rule Set are proposing
> > > > > > ways to achieve something along these lines.
> > > > > >
> > > > > > Best,
> > > > > >
> > > > > > Christian
> > > > > >
> > > > > >
> > > > > > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote:
> > > > > > > Hi All,
> > > > > > >
> > > > > > > Hope you all are well.
> > > > > > >
> > > > > > > I want to add the modsecurity variable e.g "rule.id"in the
> > apache
> > > > access
> > > > > > > log via the extended format.
> > > > > > > I set the following line in /etc/apache2/apache.conf
> > > > > > >
> > > > > > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\"
> > > > \"%{User-Agent}i\"
> > > > > > > %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended
> > > > > > >
> > > > > > > However I am not getting the rule.id value in the access log
> > line.
> > > > > > >
> > > > > > > Kindly suggest.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Homesh
> > > > > >
> > > > > >
> > > > > > > _______________________________________________
> > > > > > > mod-security-users mailing list
> > > > > > > mod...@li...
> > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > > > Commercial ModSecurity Rules and Support from Trustwave's
> > SpiderLabs:
> > > > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > > > http://www.modsecurity.org/projects/commercial/support/
|
|
From: homesh j. <ho...@gm...> - 2023-06-21 07:44:24
|
Hi All,

With regards to my approach for logging the modsec variables in the apache log: it has worked for me for almost a year now. However, today I enabled "SecRuleEngine DetectionOnly" for one of my websites, and what I notice is that the apache logs are missing the right variable data. E.g. I tested SQL injection and I was not able to see the relevant information in the apache log which I typically get with "SecRuleEngine On".

Sample log for "SecRuleEngine DetectionOnly":

49.36.106.185 - - [21/Jun/2023:06:39:53 +0000] 200 23125 GET "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0" 3154 443 example.com ZJKbOUfg7dWT82qCkvNySAAAAEU TLSv1.3 TLS_AES_128_GCM_SHA256 0 4 L; "/" 15.24.15.205 39735 "" "" "" "/" 333762 "/?k=1%20or%201=1"

Here the rule id logged is 333762, which is not the signature for SQL injection.

So my conclusion is: with "SecRuleEngine On", rule evaluation stops when the first rule matches with the final action drop/block. Hence I am able to get the right rule ID and other variable data. But with "SecRuleEngine DetectionOnly", rule evaluation continues till the last rule, due to which my variable data gets changed as per the rules getting evaluated. Can I change this behaviour of modsecurity in DetectionOnly mode, so that it stops the evaluation when it matches the first rule with a final action of drop/block (and does not block/drop the transaction)?

Please suggest.

Thanks,
Homesh

On Fri, Mar 25, 2022 at 4:08 PM Christian Folini <
chr...@ne...> wrote:

> Thanks for the updates. I do not immediately see why it's not working
> completely. But glad you have a working solution.
>
> Best,
>
> Christian
>
> On Fri, Mar 25, 2022 at 01:59:38PM +0530, homesh joshi wrote:
> > Dear Christian,
> >
> > I added setvar:tx.rule=1 in each rule and then added the following rule,
> > post which I am able to get 1 written in access logs ( via the %{waf} )
> for
> > the transactions which got blocked by Modsec.
for other transactions it > is > > missing and hence getting - in the logs. I was not able to directly set > the > > WAF=1 in the rules via setenv:waf=1 > > > > SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,id:'9001'" > > > > Will test this any update incase I face any challenge. > > > > Thanks, > > Homesh > > > > > > On Thu, Mar 24, 2022 at 6:35 PM Christian Folini < > > chr...@ne...> wrote: > > > > > I suggest you add this to every rule that detects / blocks something. > > > Thus not a SecAction, but attach the setenv to your existing SecRules > > > where you want to see the flag. > > > > > > Alternatively, you can do a SecRule in phase 5 where you test the > > > HTTP status and if it's 403, then you set the env. > > > > > > Good luck! > > > > > > Christian > > > > > > On Thu, Mar 24, 2022 at 05:02:20PM +0530, homesh joshi wrote: > > > > Dear Christian, > > > > > > > > Thanks. I think this will work for me. However, can you please > explain > > > it a > > > > bit more on how this works. > > > > from your tutorial if i set up following rule > > > > > > > > # === ModSec performance calculations and variable export (ids: > 90100 - > > > 90199) > > > > > > > > SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1" > > > > > > > > then for every access I see "1" in the access log. > > > > > > > > I think I will need to understand it more in order to use it. > > > > > > > > Kindly explain > > > > 1) the configuration required for setenv by modifying each rule > > > > > > > > 2) the configuration required for more complicated scheme which you > > > > are referring to > > > > > > > > Thanks, > > > > > > > > Homesh > > > > > > > > > > > > On Thu, Mar 24, 2022 at 11:52 AM Christian Folini < > > > > chr...@ne...> wrote: > > > > > > > > > Hi there, > > > > > > > > > > On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote: > > > > > > Thanks for the clarification. > > > > > > I have already gone through excellent netnea.com tutorials. 
I > have > > > > > already > > > > > > used some of the configuration from tutorial.I do not use crs. > > > > > > > > > > Thank you very much. > > > > > > > > > > > My objective here is that I want to get a flag in access log > line if > > > > > modsec > > > > > > has taken any action on the transaction say simply it can be a > field > > > like > > > > > > modsec=1 or modsec=0. This wi help me in separating transactions > > > which > > > > > are > > > > > > allowed.(modsec=0) So then it is easy to show these transactions > in > > > the > > > > > > reporting system. > > > > > > > > > > I'd do a setenv then in the rules. > > > > > > > > > > ... "setenv:modsec=1" > > > > > > > > > > Similar to the way I set th various env variables in phase 5. You > can > > > > > simply > > > > > add this to every rule you have. Or you set up a more complicated > > > scheme > > > > > and do it in the end in phase 5. > > > > > > > > > > Best, > > > > > > > > > > Christian > > > > > > > > > > > > > > > > > Kindly suggest. > > > > > > > > > > > > Thanks, > > > > > > Homesh > > > > > > > > > > > > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, < > > > > > > chr...@ne...> wrote: > > > > > > > > > > > > > HelloHomesh, > > > > > > > > > > > > > > Unfortunately, this is not how this works. > > > > > > > > > > > > > > A ModSecuriy variable is not automatically an environment > variable. > > > > > > > And on top, the ModSec variable "rule" is only available > during the > > > > > > > execution of the very rule (and there might be many, many > rules). > > > > > > > > > > > > > > I suggest you read up on my free tutorials published at > netnea.com > > > . > > > > > > > The one on logging and the ones on the Core Rule Set are > proposing > > > > > > > ways to achieve something along these lines. 
> > > > > > > > > > > > > > Best, > > > > > > > > > > > > > > Christian > > > > > > > > > > > > > > > > > > > > > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote: > > > > > > > > Hi All, > > > > > > > > > > > > > > > > Hope you all are well. > > > > > > > > > > > > > > > > I want to add the modsecurity variable e.g "rule.id"in the > > > apache > > > > > access > > > > > > > > log via the extended format. > > > > > > > > I set the following line in /etc/apache2/apache.conf > > > > > > > > > > > > > > > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" > > > > > \"%{User-Agent}i\" > > > > > > > > %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended > > > > > > > > > > > > > > > > However I am not getting the rule.id value in the access log > > > line. > > > > > > > > > > > > > > > > Kindly suggest. > > > > > > > > > > > > > > > > Thanks, > > > > > > > > Homesh > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > mod-security-users mailing list > > > > > > > > mod...@li... > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > > SpiderLabs: > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > mod-security-users mailing list > > > > > > > mod...@li... 
> > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > > SpiderLabs: > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > mod-security-users mailing list > > > > > > mod...@li... > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > SpiderLabs: > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > mod-security-users mailing list > > > > > mod...@li... > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > Commercial ModSecurity Rules and Support from Trustwave's > SpiderLabs: > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > _______________________________________________ > > > > mod-security-users mailing list > > > > mod...@li... > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > _______________________________________________ > > > mod-security-users mailing list > > > mod...@li... 
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > http://www.modsecurity.org/projects/commercial/rules/ > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
|
From: Christian F. <chr...@ne...> - 2023-06-21 09:29:41
|
Hey Homesh,

Evaluation does indeed stop after a drop, and there is a chance your rules only set the variables in question in a later phase. It really depends on your configuration. You can follow rule execution with the ModSecurity debug log, but beware, it is very verbose.

Generally, it is best to set variables for display in the access log only in phase 5, which is also executed for requests that have been denied in an earlier phase.

Best regards,

Christian

On Wed, Jun 21, 2023 at 01:14:04PM +0530, homesh joshi wrote:
> Hi All,
>
> With regards to my approach for logging the modsec variables in apache log
> has worked for me for almost a year now.
> However, today when I enabled "SecRuleEngine DetectionOnly" for one of my
> websites. What I notice is that the apache logs are missing the right
> variable data.
> e.g I tested SQL injection and i was not able to see the relevant
> information in apache log which I typically get when "SecRuleEngine On"
> sample log for "SecRuleEngine DetectionOnly"
> 49.36.106.185 - - [21/Jun/2023:06:39:53 +0000] 200 23125 GET "-"
> "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101
> Firefox/114.0" 3154 443 example.com ZJKbOUfg7dWT82qCkvNySAAAAEU TLSv1.3
> TLS_AES_128_GCM_SHA256 0 4 L; "/" 15.24.15.205 39735 "" "" "" "/" 333762
> "/?k=1%20or%201=1"
>
> here rule id log is 333762 which is not the signature for SQL injection
>
> So my conclusion is, in "SecRuleEngine On" rule evaluation stops when the
> first rule matches with the final action drop/block. Hence I am able to get
> the right rule ID and other variable data. But when "SecRuleEngine
> DetectionOnly" rule evaluation continues till the last rule and due to
> which my variable data gets changed as per the rules getting evaluated. Can
> I change this behaviour of modsecurity in Detectonly mode ? that it should
> stop the evaluation when it matches the first rule with final action of
> drop/block ( and not block/drop the transaction) ?
>
> Please suggest.
> > Thanks, > Homesh > > > On Fri, Mar 25, 2022 at 4:08 PM Christian Folini < > chr...@ne...> wrote: > > > Thanks for the updates. I do not immediately see why it's not working > > completely. But glad you have a working solution. > > > > Best, > > > > Christian > > > > On Fri, Mar 25, 2022 at 01:59:38PM +0530, homesh joshi wrote: > > > Dear Christian, > > > > > > I added setvar:tx.rule=1 in each rule and then added the following rule, > > > post which I am able to get 1 written in access logs ( via the %{waf} ) > > for > > > the transactions which got blocked by Modsec. for other transactions it > > is > > > missing and hence getting - in the logs. I was not able to directly set > > the > > > WAF=1 in the rules via setenv:waf=1 > > > > > > SecRule TX:rule "@eq 1" "phase:5,pass,setenv:waf=1,id:'9001'" > > > > > > Will test this any update incase I face any challenge. > > > > > > Thanks, > > > Homesh > > > > > > > > > On Thu, Mar 24, 2022 at 6:35 PM Christian Folini < > > > chr...@ne...> wrote: > > > > > > > I suggest you add this to every rule that detects / blocks something. > > > > Thus not a SecAction, but attach the setenv to your existing SecRules > > > > where you want to see the flag. > > > > > > > > Alternatively, you can do a SecRule in phase 5 where you test the > > > > HTTP status and if it's 403, then you set the env. > > > > > > > > Good luck! > > > > > > > > Christian > > > > > > > > On Thu, Mar 24, 2022 at 05:02:20PM +0530, homesh joshi wrote: > > > > > Dear Christian, > > > > > > > > > > Thanks. I think this will work for me. However, can you please > > explain > > > > it a > > > > > bit more on how this works. > > > > > from your tutorial if i set up following rule > > > > > > > > > > # === ModSec performance calculations and variable export (ids: > > 90100 - > > > > 90199) > > > > > > > > > > SecAction "id:90100,phase:5,pass,nolog,setenv:modsec=1" > > > > > > > > > > then for every access I see "1" in the access log. 
> > > > > > > > > > I think I will need to understand it more in order to use it. > > > > > > > > > > Kindly explain > > > > > 1) the configuration required for setenv by modifying each rule > > > > > > > > > > 2) the configuration required for more complicated scheme which you > > > > > are referring to > > > > > > > > > > Thanks, > > > > > > > > > > Homesh > > > > > > > > > > > > > > > On Thu, Mar 24, 2022 at 11:52 AM Christian Folini < > > > > > chr...@ne...> wrote: > > > > > > > > > > > Hi there, > > > > > > > > > > > > On Thu, Mar 24, 2022 at 08:37:51AM +0530, homesh joshi wrote: > > > > > > > Thanks for the clarification. > > > > > > > I have already gone through excellent netnea.com tutorials. I > > have > > > > > > already > > > > > > > used some of the configuration from tutorial.I do not use crs. > > > > > > > > > > > > Thank you very much. > > > > > > > > > > > > > My objective here is that I want to get a flag in access log > > line if > > > > > > modsec > > > > > > > has taken any action on the transaction say simply it can be a > > field > > > > like > > > > > > > modsec=1 or modsec=0. This wi help me in separating transactions > > > > which > > > > > > are > > > > > > > allowed.(modsec=0) So then it is easy to show these transactions > > in > > > > the > > > > > > > reporting system. > > > > > > > > > > > > I'd do a setenv then in the rules. > > > > > > > > > > > > ... "setenv:modsec=1" > > > > > > > > > > > > Similar to the way I set th various env variables in phase 5. You > > can > > > > > > simply > > > > > > add this to every rule you have. Or you set up a more complicated > > > > scheme > > > > > > and do it in the end in phase 5. > > > > > > > > > > > > Best, > > > > > > > > > > > > Christian > > > > > > > > > > > > > > > > > > > > Kindly suggest. 
> > > > > > > > > > > > > > Thanks, > > > > > > > Homesh > > > > > > > > > > > > > > On Thu, 24 Mar, 2022, 12:04 am Christian Folini, < > > > > > > > chr...@ne...> wrote: > > > > > > > > > > > > > > > HelloHomesh, > > > > > > > > > > > > > > > > Unfortunately, this is not how this works. > > > > > > > > > > > > > > > > A ModSecuriy variable is not automatically an environment > > variable. > > > > > > > > And on top, the ModSec variable "rule" is only available > > during the > > > > > > > > execution of the very rule (and there might be many, many > > rules). > > > > > > > > > > > > > > > > I suggest you read up on my free tutorials published at > > netnea.com > > > > . > > > > > > > > The one on logging and the ones on the Core Rule Set are > > proposing > > > > > > > > ways to achieve something along these lines. > > > > > > > > > > > > > > > > Best, > > > > > > > > > > > > > > > > Christian > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Mar 23, 2022 at 11:12:58PM +0530, homesh joshi wrote: > > > > > > > > > Hi All, > > > > > > > > > > > > > > > > > > Hope you all are well. > > > > > > > > > > > > > > > > > > I want to add the modsecurity variable e.g "rule.id"in the > > > > apache > > > > > > access > > > > > > > > > log via the extended format. > > > > > > > > > I set the following line in /etc/apache2/apache.conf > > > > > > > > > > > > > > > > > > LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" > > > > > > \"%{User-Agent}i\" > > > > > > > > > %{ms}T %p %{Host}i %{UNIQUE_ID}e %{rule.id}e" extended > > > > > > > > > > > > > > > > > > However I am not getting the rule.id value in the access log > > > > line. > > > > > > > > > > > > > > > > > > Kindly suggest. > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > Homesh > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > mod-security-users mailing list > > > > > > > > > mod...@li... 
> > > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > > > SpiderLabs: > > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > mod-security-users mailing list > > > > > > > > mod...@li... > > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > > > SpiderLabs: > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > mod-security-users mailing list > > > > > > > mod...@li... > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > SpiderLabs: > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > mod-security-users mailing list > > > > > > mod...@li... > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > SpiderLabs: > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > mod-security-users mailing list > > > > > mod...@li... 
> > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > > > > > _______________________________________________ > > > > mod-security-users mailing list > > > > mod...@li... > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > _______________________________________________ > > > mod-security-users mailing list > > > mod...@li... > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > http://www.modsecurity.org/projects/commercial/rules/ > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
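Homesh's DetectionOnly observation and Christian's phase-5 advice describe one pattern: capture what matched in a TX variable while the detecting rule runs (the only moment %{rule.id} is expandable), then copy that state into Apache environment variables once, in phase 5, which still executes after a deny in an earlier phase. The configuration below is an added example written for this thread; it is not code from the thread, from the netnea tutorials or from ModSecurity itself. The rule ids 10001, 90110 and 90111, the variable names tx.waf_rule_ids, waf, waf_rule_ids and waf_status, the illustrative @detectSQLi rule and the Debian-style CustomLog path are assumptions chosen for illustration.

```apache
# Added example (not from the thread): export the ModSecurity verdict
# into Apache's access log. Rule ids and variable names are assumptions.

# 1) In every rule whose match should be visible in the access log, append
#    the rule id to a TX variable. The RULE collection is only expandable
#    inside the rule that is executing, so the id must be captured here.
#    Appending instead of overwriting keeps every match, which matters in
#    DetectionOnly mode, where evaluation continues past the first hit and
#    a single-valued variable would end up holding the last rule that fired.
SecRule ARGS "@detectSQLi" \
    "id:10001,phase:2,t:none,deny,status:403,log,\
    msg:'SQL injection in request argument',\
    setvar:'tx.waf_rule_ids=%{tx.waf_rule_ids} %{rule.id}'"

# 2) Phase 5 (logging) runs even when phase 1 or 2 denied the request, so it
#    is the one place to turn TX state into environment variables. The env
#    variables only exist when this rule fires, so transactions ModSecurity
#    did not flag show "-" in the corresponding log fields.
SecRule &TX:waf_rule_ids "@gt 0" \
    "id:90110,phase:5,pass,nolog,\
    setenv:waf=1,\
    setenv:waf_rule_ids=%{tx.waf_rule_ids}"

# 3) Record the status the engine actually returned: 403 when SecRuleEngine
#    is On, 200 under DetectionOnly. This is what separates "blocked" from
#    "detected only" in the reporting system.
SecAction "id:90111,phase:5,pass,nolog,setenv:waf_status=%{RESPONSE_STATUS}"

# 4) Read the environment variables with %{name}e in the LogFormat.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{ms}T %p %{Host}i %{UNIQUE_ID}e %{waf}e \"%{waf_rule_ids}e\" %{waf_status}e" extended
CustomLog ${APACHE_LOG_DIR}/access.log extended
```

With SecRuleEngine On, a request that hits rule 10001 is denied in phase 2, evaluation stops, and the access log line ends in `1 " 10001" 403`. Under DetectionOnly the deny is ignored, every later rule still runs, and the quoted field accumulates each matching id in evaluation order, so the first entry is the rule that would have denied the request had the engine been On (provided that rule carries a disruptive action), while waf_status reads 200. The leading space in the list comes from the first expansion of the not-yet-set tx.waf_rule_ids; keep the field quoted in the LogFormat so it stays a single token, and trim it in the reporting pipeline. Phase-5 rules carry nolog so they do not add noise to the audit log; when a rule does not seem to fire in the phase you expect, SecDebugLog with a high SecDebugLogLevel shows the exact order of execution, at the cost of the verbosity Christian warns about.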