Thread: [mod-security-users] 'skipAfter' will not trigger, help appreciated
From: Yi Li <yi...@gm...> - 2011-06-14 17:31:32
I wrote a 'bypass' rule logic using 'skipAfter'. The 'skipAfter' will not trigger when the trigger condition is being met. What is mysterious is that if I change to another match condition, such as matching the source IP, it is able to trigger. If someone could let me know how to make ModSecurity spit out more debug info to troubleshoot, it would be helpful as well. I tried to raise the debug level to 9 and it does not spit out any info on why this rule fails to trigger. Any help would be appreciated.

    SecRule PATH_INFO "!@eq url01" \
        "phase:1,skipAfter:AFTER_GEO_IP_CHECK,pass,msg:'skip geoip',logdata:' for uri: %{PATH_INFO}'"

    SecMarker GEO_IP_CHECK

    SecRule REMOTE_ADDR "^10\.128\.76\.50$" "phase:1,drop,msg:'ip block',logdata:'%{PATH_INFO}'"

    SecRule REMOTE_ADDR @geoLookup \
        "phase:1,chain,log,ctl:ruleEngine=On,ctl:auditEngine=RelevantOnly,msg:'non-us-ca country code logged Geo-IP',logdata:'client ip: %{REMOTE_ADDR},%{GEO:COUNTRY_CODE}'"
        SecRule GEO:COUNTRY_CODE "!@within US CA"

    SecMarker AFTER_GEO_IP_CHECK
From: Ryan B. <RBa...@tr...> - 2011-06-14 17:35:48
Use REQUEST_FILENAME instead of PATH_INFO.

-=Ryan
From: Padmaja V. <pad...@ya...> - 2011-06-14 18:12:09
We are using ModSecurity 2 on Apache protected by CA's SiteMinder. In testing ModSecurity with the Core Rules, I've seen that SiteMinder is called first. Is there any way to get ModSecurity to proc before SiteMinder? We specified ModSecurity first and then SiteMinder. Any help is really appreciated.

Thanks,
Padmaja.
From: matthew s. <msp...@gm...> - 2011-06-15 06:24:11
Put mod_security in front of the sm agent machine in a proxy setup.

Why is mod_security triggering after sm a problem?
From: Padmaja V. <pad...@ya...> - 2011-06-15 13:31:16
Thank you Matthew,

We have mod_security.so called first in the web server settings. All SiteMinder-enabled URLs are not going to mod_security and are calling SiteMinder first. I don't see anything in the audit logs.

Any other help is really appreciated.
From: Ryan B. <RBa...@tr...> - 2011-06-15 13:37:41
There are two methods you can check that will influence the order in which modules are executed:

1) The order of LoadModule in the httpd.conf file. The ordering of the modules can impact the execution order. The order actually starts from the bottom, then the top. So, if you want ModSecurity to have first crack, make sure it is the last module listed with LoadModule.

2) In the apache2/mod_security2.c file, you can edit the module hooks listing to instruct Apache to have certain modules run before/after ModSecurity. Here is the section of code that you want to edit:

    /**
     * Registers module hooks with Apache.
     */
    static void register_hooks(apr_pool_t *mp) {
        static const char *const postconfig_beforeme_list[] = {
            "mod_unique_id.c",
            "mod_ssl.c",
            NULL
        };

        static const char *const postconfig_afterme_list[] = {
            "mod_fcgid.c",
            "mod_cgid.c",
            NULL
        };

        static const char *const postread_beforeme_list[] = {
            "mod_rpaf.c",
            "mod_rpaf-2.0.c",
            "mod_extract_forwarded2.c",
            "mod_remoteip.c",
            "mod_custom_header.c",
            "mod_breach_realip.c",
            "mod_breach_trans.c",
            "mod_unique_id.c",
            NULL
        };

        static const char *const postread_afterme_list[] = {
            "mod_log_forensic.c",
            NULL
        };

You might want to try and put the SiteMinder module in the postconfig_afterme_list.

-Ryan
From: Padmaja V. <pad...@ya...> - 2011-06-16 17:29:55
Ryan,

Thank you very much for your quick response and solution; we tested this and it is working.

Padmaja.
From: Padmaja V. <pad...@ya...> - 2011-06-23 14:28:09
We configured Apache with ModSecurity, and the ModSecurity audit and debug logs are in a separate location from the Apache logs. We set up some rules, and every time we hit a rule, it is logged in the Apache secure logs as shown below, as well as in the audit logs in detail. We don't want this logged in the Apache error logs. How do we disable this? We tried to modify the SSL conf and httpd conf, and the modsec conf has loglevel 0. Any help is appreciated.

Apache error log:

    [Thu Jun 23 09:19:00 2011] [error] [client 10.10.10.100] ModSecurity: Warning. Match of "rx \\\\.css$" against "SCRIPT_BASENAME" required. [file "/tools/httpd/myinstance/conf/modsec.conf"] [line "46"] [hostname "www.abctest.com.sprint.com"] [uri "/global/images/template/widgets/tooltip/bgd_left.png"] [unique_id "xDYKHgroWVAAABZ8SA4AAAAm"]

Thanks,
Padmaja.
From: Ryan B. <RBa...@tr...> - 2011-06-23 14:34:37
What ruleset are you using? Looks like GotRoot.

-Ryan
From: Padmaja V. <pad...@ya...> - 2011-06-23 14:46:01
We are trying to log with a couple of rules and are also trying to implement GEO rules.

    # Log: Log everything except html, gif, js and css'es for now, but let it through (pass)
    SecRule SCRIPT_BASENAME "!\.css$"
    SecRule SCRIPT_BASENAME "^login\.jsp$" "log"
From: Ryan B. <RBa...@tr...> - 2011-06-23 15:02:53
Ok, so you are just looking to create ModSecurity audit logs of the transactions and not looking at generating alerts/events? What do you have the SecAuditEngine set to? If it is the default of RelevantOnly then it will only generate audit logs if the server responds with a relevant HTTP status code or if a SecRule/SecAction rule matches. If this is the case, then I would suggest you do the following:

    SecRule SCRIPT_BASENAME "!\.css$" "phase:1,t:none,nolog,pass,ctl:auditEngine=On"
    SecRule SCRIPT_BASENAME "^login\.jsp$" "phase:1,t:none,nolog,pass,ctl:auditEngine=On"

These rules will not generate any alerts themselves but instead will use the ctl action to force audit logging of the transaction.

-Ryan
From: Padmaja V. <pad...@ya...> - 2011-06-23 15:31:54
That stopped logging in both the Apache error log and the modsec audit log. We want to log to the modsec audit log, but not to the Apache error logs.

-Padmaja
From: Ryan B. <RBa...@tr...> - 2011-06-23 15:36:30
I am still trying to understand your goals. Are you wanting to create audit log files for those requests but to not generate any alerts within the Apache error_log?

-Ryan
From: Padmaja V. <pad...@ya...> - 2011-06-23 15:51:25
That's correct.

I want to see all sections (ABCIFHZ) in the modsec audit log and not any modsec logs in the Apache error logs. Here is my conf setting:

    # Serial audit log
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^2-5
    SecAuditLogParts ABCIFHZ
    SecAuditLogType Serial
    SecAuditLog /logs//test/audit/modsec_audit.log

and here are the rules I am using:

    # Log: Log everything except html, gif, js and css'es for now, but let it through (pass)
    SecRule SCRIPT_BASENAME "!\.html$" "chain,pass,auditlog"
    SecRule SCRIPT_BASENAME "!\.gif$" chain
    SecRule SCRIPT_BASENAME "!\.js$" chain
    SecRule SCRIPT_BASENAME "!\.css$"

- Padmaja.
From: Ryan B. <RBa...@tr...> - 2011-06-23 16:15:14
|
It looks like your use of chain is incorrect. These rules will create audit log files and should not log to the Apache error_log file -

# Log: Log everything except html, gif, js and css'es for now, but let it through (pass)
SecRule SCRIPT_BASENAME "!\.html$" "phase:1,t:none,pass,nolog,auditlog"
SecRule SCRIPT_BASENAME "!\.gif$" "phase:1,t:none,pass,nolog,auditlog"
SecRule SCRIPT_BASENAME "!\.js$" "phase:1,t:none,pass,nolog,auditlog"
SecRule SCRIPT_BASENAME "!\.css$" "phase:1,t:none,pass,nolog,auditlog"

--
Ryan Barnett

On 6/23/11 11:51 AM, "Padmaja Vuyyuru" <pad...@ya...> wrote:

>That's correct.
>
>I want to see all sections (ABCIFHZ) on modsec and not any modsec logs on apache error logs. Here is my conf setting:
>
># Serial audit log
>SecAuditEngine RelevantOnly
>SecAuditLogRelevantStatus ^2-5
>SecAuditLogParts ABCIFHZ
>SecAuditLogType Serial
>SecAuditLog /logs//test/audit/modsec_audit.log
>
>and here are the rules I am using:
>
># Log: Log everything except html, gif, js and css'es for now, but let it through (pass)
>SecRule SCRIPT_BASENAME "!\.html$" "chain,pass,auditlog"
>SecRule SCRIPT_BASENAME "!\.gif$" chain
>SecRule SCRIPT_BASENAME "!\.js$" chain
>SecRule SCRIPT_BASENAME "!\.css$"
>
>- Padmaja.
|
From: Padmaja V. <pad...@ya...> - 2011-06-23 16:53:53
|
By changing below, it is not logging the rule in both logs. I want to see the rule showing in the audit log's H section like this, but not in the apache error log:

Message: Warning. Match of "rx \\.css$" against "SCRIPT_BASENAME" required. [file "/tools/httpd/myinstance/conf/modsec.conf"] [line "47"]

----- Original Message ----
From: Ryan Barnett <RBa...@tr...>
To: Padmaja Vuyyuru <pad...@ya...>; matthew sporleder <msp...@gm...>
Cc: "mod...@li..." <mod...@li...>
Sent: Thu, June 23, 2011 11:15:04 AM
Subject: Re: How to disable modsecurity logging in apache logs?

It looks like your use of chain is incorrect. These rules will create audit log files and should not log to the Apache error_log file -

# Log: Log everything except html, gif, js and css'es for now, but let it through (pass)
SecRule SCRIPT_BASENAME "!\.html$" "phase:1,t:none,pass,nolog,auditlog"
SecRule SCRIPT_BASENAME "!\.gif$" "phase:1,t:none,pass,nolog,auditlog"
SecRule SCRIPT_BASENAME "!\.js$" "phase:1,t:none,pass,nolog,auditlog"
SecRule SCRIPT_BASENAME "!\.css$" "phase:1,t:none,pass,nolog,auditlog"

--
Ryan Barnett
|
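The thread's goal is that a rule match appears as a "Message:" line in part H of the serial audit log while nothing is written to the Apache error_log. The following is an added example, not code from the thread or from ModSecurity itself: it parses a SecAuditLogType Serial file into transactions and parts by the `--<boundary>-<letter>--` markers, pulls the part-H messages with their `[file "..."] [line "..."]` metadata, and reports the transactions whose unique_id (part A) never shows up in a given error_log. The sample audit log and the "after" error_log are constructed; the request path, host, client address, unique_id and the two rule-match messages are the ones quoted in the thread.

```python
"""Parse a ModSecurity 2.x serial audit log and confirm that rule matches land
in part H without a corresponding line in the Apache error_log.
Added example for this thread; not ModSecurity's own code. Sample logs are
constructed from the values quoted in the thread."""
import re

# Part boundary line: --<boundary>-<part letter>--  (Z closes the transaction)
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# Bracketed metadata on a part-H "Message:" line, e.g. [file "..."] [line "47"]
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Part A's first line: [timestamp] unique_id src_ip src_port dst_ip dst_port
PART_A_RE = re.compile(r"^\[[^\]]+\] (\S+) (\S+) (\d+) (\S+) (\d+)$")


def parse_serial_audit_log(text):
    """Split a serial audit log into transactions: {"id": boundary, "parts": {letter: [lines]}}."""
    txs, by_id, current = [], {}, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            tx_id, part = m.groups()
            if tx_id not in by_id:
                by_id[tx_id] = {"id": tx_id, "parts": {}}
                txs.append(by_id[tx_id])
            # Z has no body, so lines after it belong to no part.
            current = None if part == "Z" else by_id[tx_id]["parts"].setdefault(part, [])
            continue
        if current is not None:
            current.append(line)
    return txs


def unique_id(tx):
    """The transaction's unique_id from part A (the same id Apache's error_log prints)."""
    a = tx["parts"].get("A", [])
    m = PART_A_RE.match(a[0]) if a else None
    return m.group(1) if m else None


def h_messages(tx):
    """Rule-match messages from part H: the message text plus its [tag "value"] metadata."""
    out = []
    for line in tx["parts"].get("H", []):
        if not line.startswith("Message: "):
            continue
        body = line[len("Message: "):]
        entry = dict(TAG_RE.findall(body))
        entry["text"] = TAG_RE.sub("", body).strip()
        out.append(entry)
    return out


def audit_only(audit_text, error_log_text):
    """Transactions with part-H messages whose unique_id is absent from error_log.
    With pass,nolog,auditlog every audited match should be listed here."""
    hits = []
    for tx in parse_serial_audit_log(audit_text):
        uid, msgs = unique_id(tx), h_messages(tx)
        if msgs and uid and uid not in error_log_text:
            hits.append((uid, msgs))
    return hits


# Constructed sample: the first request matched the "!\.css$" rule (part H carries the
# message quoted in the thread); the second request matched nothing.
SAMPLE_AUDIT_LOG = r"""--4a1f2c9b-A--
[23/Jun/2011:09:19:00 --0500] xDYKHgroWVAAABZ8SA4AAAAm 10.10.10.100 54321 10.10.10.1 80
--4a1f2c9b-B--
GET /global/images/template/widgets/tooltip/bgd_left.png HTTP/1.1
Host: www.abctest.com

--4a1f2c9b-F--
HTTP/1.1 200 OK
Content-Type: image/png

--4a1f2c9b-H--
Message: Warning. Match of "rx \\.css$" against "SCRIPT_BASENAME" required. [file "/tools/httpd/myinstance/conf/modsec.conf"] [line "47"]
Stopwatch: 1308838740000000 1530 (- - -)

--4a1f2c9b-Z--

--7d3e0aa1-A--
[23/Jun/2011:09:19:05 --0500] xDYKHgroWVAAABZ8SA4AAAAn 10.10.10.100 54322 10.10.10.1 80
--7d3e0aa1-B--
GET /login.jsp HTTP/1.1
Host: www.abctest.com

--7d3e0aa1-H--
Stopwatch: 1308838745000000 900 (- - -)

--7d3e0aa1-Z--
"""

# Before the fix: the error_log line quoted in the thread, carrying the same unique_id.
SAMPLE_ERROR_LOG_BEFORE = r"""[Thu Jun 23 09:19:00 2011] [error] [client 10.10.10.100] ModSecurity: Warning. Match of "rx \\\\.css$" against "SCRIPT_BASENAME" required. [file "/tools/httpd/myinstance/conf/modsec.conf"] [line "46"] [hostname "www.abctest.com"] [uri "/global/images/template/widgets/tooltip/bgd_left.png"] [unique_id "xDYKHgroWVAAABZ8SA4AAAAm"]
"""
# After switching the rules to pass,nolog,auditlog: no ModSecurity line at all (constructed).
SAMPLE_ERROR_LOG_AFTER = "[Thu Jun 23 09:25:00 2011] [notice] Apache configured -- resuming normal operations\n"

if __name__ == "__main__":
    for uid, msgs in audit_only(SAMPLE_AUDIT_LOG, SAMPLE_ERROR_LOG_AFTER):
        for m in msgs:
            print(uid, m["file"], m["line"], m["text"])
```

Run against the "before" error_log the result is empty, because the audited match's unique_id also appears there; against the "after" error_log it returns the single transaction with its part-H message, which is the state the thread is trying to reach. Point the two sample constants at a real SecAuditLog file and error_log to use it as a regression check after editing the rules.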
From: Padmaja V. <pad...@ya...> - 2011-06-23 18:08:33
|
Below worked to chain all the conditions I need: log all --> !(css || jpeg || html || css)

# Log: Log everything except html, gif, js and css'es for now, but let it through (pass)
SecRule SCRIPT_BASENAME "!\.html$" "chain,pass,nolog,auditlog"
SecRule SCRIPT_BASENAME "!\.gif$" chain
SecRule SCRIPT_BASENAME "!\.js$" chain
SecRule SCRIPT_BASENAME "!\.jpg$" chain
SecRule SCRIPT_BASENAME "!\.css$"

Thanks for all the help.

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs: https://www.trustwave.com/spiderLabs.php
|