What I did:
I use mlogc to send my logs to a database table. I wrote a script that reads the database table, consults a whitelist, and anything not on the list is reported by hourly email. There is a "high water mark" that keeps me from reporting the same things over and over again.
Best,
Ed
On Thu, 2018-01-11 at 18:05 +0100, Christian Folini wrote:
Hey Edouard,
On Thu, Jan 11, 2018 at 01:13:51PM -0300, Edouard Guigné wrote:
I suppose users often ask for this: is there a way to configure
mod_security to get alert emails when some rules are activated?
And to configure which activated rules are allowed to send email alerts? (I
do not want every activated rule to send an alert by email.)
There are various options and you need to build this yourself.
Personally, I think detection / blocking and alerting should be
separated. But there is nothing stopping you from using the exec action
in phase 5 to trigger an email. But think about the number of emails
you get when somebody runs a vulnerability scan on your site.
I think it is smarter to sit on the logs and scan them for alerts,
add some intelligence and then do the alarming.
That way you can make sure that there is at most a message every 5 minutes or
stuff like that. It's hard to get that right from within ModSec.
Just my 2 cents.
Ahoj,
Christian
Best regards,
EG
mod-security-users mailing list
https://lists.sourceforge.net/lists/listinfo/mod-security-users
--
Ed Greenberg | Web Developer and Linux System Administrator
________________________________
HAPPY Software, Inc. l Work HAPPY-er!
t. 888-484-2779 l f. 518-584-5388