Thread: Re: [mod-security-users] Enhancement request: logging of permanentcollections
From: Ryan B. <Ryan.Barnett@Breach.com> - 2008-09-23 13:55:14
-----Original Message-----
From: Marc Stern [mailto:mar...@ap...]
Sent: Tuesday, September 23, 2008 8:15 AM
To: mod...@li...
Subject: [mod-security-users] Enhancement request: logging of permanentcollections

Hello,

It would be very handy to be able to add to the log some collection data. A practical example is when you perform stateful inspection based on the IP address: if you keep a counter of one address' attack, it would be useful to be able to add this counter, when present, to every log entry.

Maybe a directive like "SecAuditLogVar IP.attacks"

[Ryan Barnett] On the one hand, the vast majority of Mod users are not using persistent collections (based on the last Mod User Survey). I attribute this mostly to the combination of the fact that the Core Rules don't utilize them by default coupled with the lack of useful use-case examples outside of what is presented in the Reference Manual.

To your point though, I agree with you in that if you are using persistent collections it would be nice to gain some insight into the collection state at the end of the transaction. Currently you have to view the debug log to see this data. It would be nice if you could include a new audit log part section that will dump the collection data - something similar to section K that is showing you all of the rules that matched. I will submit a feature request ticket for this and discuss with Ivan and Brian.

To your example however, we did add in the "data" action which will securely handle captured data from client supplied data. Keep in mind that the "msg" action still allows macro expansion so you could add in specific collection data such as "%{ip.attack_count}" and it will be displayed in the error and audit logs.

-Ryan
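
The approach from the reply above (a per-IP persistent counter surfaced in the logs through "msg" macro expansion), as an added example that is not part of the original thread. The rule ids, data directory, match pattern, expiry and threshold are constructed assumptions; only the `ip.attack_count` name comes from the message.

```apache
# Added example; ids, path, pattern, expiry and threshold are constructed.
# Persistent collections need a writable data directory (path is an assumption).
SecDataDir /var/cache/modsecurity

# Open the per-client IP collection at the start of every transaction.
SecAction "phase:1,id:900001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Stand-in attack signature: count the hit against the client address and
# carry the counter into the error and audit logs via macro expansion in msg.
SecRule REQUEST_URI "@contains /etc/passwd" \
    "phase:2,id:900002,pass,log,auditlog,\
    setvar:ip.attack_count=+1,expirevar:ip.attack_count=3600,\
    msg:'Attack signature matched, ip.attack_count=%{ip.attack_count}'"

# Stateful decision: once the address is over the threshold, deny and log
# the collection value that drove the decision.
SecRule IP:ATTACK_COUNT "@gt 5" \
    "phase:2,id:900003,deny,status:403,log,auditlog,\
    msg:'Client over attack threshold, ip.attack_count=%{ip.attack_count}'"
```

The counter appears only in log entries written by rules whose "msg" references it; transactions that match no such rule still need the debug log to show collection state, which is the gap the enhancement request describes.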