I think it's too much detail. I installed it on Windows 7 and am using Apache server.
https://i.sstatic.net/F55Yp.jpg
https://i.sstatic.net/V09JL.jpg
https://i.sstatic.net/Lg7pd.jpg
CRS developer here. It's true that the logs by default contain a lot of information. Maybe you can be helped by using JSON as a log format. You can do this by adding:
SecAuditLogFormat JSON
to your mod_security.conf file. (Note: I have no Windows experience so I don't know the exact name and location of the config file).
Then, the log will contain one JSON object per line for every logged event. You can use the jq utility to pretty-print the JSON or to select only the interesting parts.
For instance, if you want to see only the matched rule messages, you can use jq like this:
curl 'https://sandbox.coreruleset.org/?test=posix_uname(123)' | jq .audit_data.messages
[
"Warning. Matched phrase \"posix_uname\" at ARGS:test. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf\"] [line \"294\"] [id \"933150\"] [msg \"PHP Injection Attack: High-Risk PHP Function Name Found\"] [data \"Matched Data: posix_uname found within ARGS:test: posix_uname(123)\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.2\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-php\"] [tag \"platform-multi\"] [tag \"attack-injection-php\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/242\"]",
"Warning. Operator GE matched 5 at TX:anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"93\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.2\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"]",
"Unconditional match in SecAction. [file \"/etc/modsecurity.d/crs-demo-setvar.conf\"] [line \"11\"] [id \"100000\"] [tag \"modsecurity\"]",
"Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"91\"] [id \"980130\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0\"] [ver \"OWASP_CRS/3.3.2\"] [tag \"modsecurity\"] [tag \"event-correlation\"]"
]
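A Python alternative to the jq filter in the answer above, for machines where jq is not installed (added example, not part of the original answer). It assumes the JSON audit log keeps its messages under `audit_data.messages` as in the output shown; the function names and the shortened sample messages are constructed for illustration.

```python
import json
import re

# One [key "value"] pair; a value may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_message(message):
    """Split one ModSecurity message string into its bracketed fields."""
    fields = {"tags": []}
    for key, value in FIELD_RE.findall(message):
        if key == "tag":
            fields["tags"].append(value)  # tags repeat, keep all of them
        else:
            fields[key] = value
    return fields

def summarize(log_lines, skip_ids=()):
    """Return [(id, severity, msg)] for each rule match in JSON audit log lines."""
    rows = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line or an entry not written as JSON
        if not isinstance(event, dict):
            continue
        for message in (event.get("audit_data") or {}).get("messages", []):
            f = parse_message(message)
            if "id" in f and f["id"] not in skip_ids:
                rows.append((f["id"], f.get("severity", "-"), f.get("msg", "-")))
    return rows

# Constructed sample: messages shortened from the output shown in the answer.
SAMPLE_MESSAGES = [
    'Warning. Matched phrase "posix_uname" at ARGS:test. [line "294"] [id "933150"] '
    '[msg "PHP Injection Attack: High-Risk PHP Function Name Found"] '
    '[severity "CRITICAL"] [tag "language-php"] [tag "paranoia-level/1"]',
    'Warning. Operator GE matched 5 at TX:anomaly_score. [line "93"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]',
    'Unconditional match in SecAction. [line "11"] [id "100000"] [tag "modsecurity"]',
]
SAMPLE_LOG = [json.dumps({"audit_data": {"messages": SAMPLE_MESSAGES}}), "not json"]

if __name__ == "__main__":
    # Hide the scoring and bookkeeping entries so only the detection rule remains.
    for row in summarize(SAMPLE_LOG, skip_ids={"949110", "100000"}):
        print(*row, sep=" | ")
```

To run it over a real log, pass the opened audit log file as `log_lines`.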