[Owasp-modsecurity-core-rule-set] [mod-security-users] Call for Assistance: ModSecurity/CRS Event Data Statistics

Christian Bockermann chris at jwall.org
Mon Oct 4 19:12:31 EDT 2010



Hi all,

sounds like a nice plan by Ryan.

I just extended my jwall-tools package to provide the information you requested (either by
applying it onto a serial audit-log file or by applying it to a directory in which case it will
recursively scan for audit-event data files).

@Ryan:
Right now, the tools just output the data in plain text. I plan to provide the data in CSV format
and XML format as well and thought about providing an auto-upload function to push the data to
a statistics-service (anonymously, of course).
(If you're interested in working on that jointly, just drop me a line)


The updated jwall-tools can be found at:

	https://secure.jwall.org/download/jwall-tools.jar

The md5-checksum of that file is 4cc35f5d07d6503357907473307e7609
These updated jwall-tools contain a new command "stats" which can be issued as:

     java -jar jwall-tools.jar stats /path/to/audit.log
or 
     java -jar jwall-tools.jar stats /path/to/concurrent/audit/dir


The following is given as output of the above command:


[chris at jwall: ~]$  java -jar jwall-tools.jar stats audit.log
..............................................................................................................................................................................................................................................................................................................................................................
53754 events processed in 16 seconds.
Event date range from 02/26/2010 08:00 to 09/03/2010 08:33.

------------------------------------------------------
Rule Messages:
       118   Detects JavaScript location/document property access and window access obfuscation
       114   Detects common XSS concatenation patterns 1/2
        51   The application is not available
        27   Detects possible includes and typical script methods
        24   Invalid request
        23   Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.
        21   Request Missing an Accept Header
        20   Detects common XSS concatenation patterns 2/2
        17   Detects obfuscated JavaScript script injections
        14   Comment Evasion Attempt7
        13   Detects self-executing JavaScript functions
         8   Detects data: URL injections, VBS injections and common URI schemes
         7   Detects JavaScript with(), ternary operators and XML predicate attacks
         7   Detects basic directory traversal
         5   Detects JavaScript object properties and methods
         5   Detects common function declarations and special JS operators
         5   Detects self
         4   Detects JavaScript language constructs
         4   Detects nullbytes and other dangerous characters
         2   Host header is a numeric IP address

------------------------------------------------------
Rule-IDs:
        67   phpids-3
        57   phpids-30
        35   phpids-2
        30   phpids-23
        21   960015
        17   970901
        15   phpids-1
        13   phpids-16
        12   960913
        12   phpids-31
         8   hpp-1
         7   phpids-27
         7   phpids-7
         5   phpids-25
         5   phpids-8
         4   phpids-converter-comment-evasion
         3   phpids-10
         3   phpids-20
         2   960017
         2   phpids-39
         1   phpids-17
         1   phpids-6
         1   phpids-62

------------------------------------------------------
Tags:
        21   PROTOCOL_VIOLATION/MISSING_HEADER
         2   PROTOCOL_VIOLATION/IP_HOST
------------------------------------------------------

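As an added example that is not part of jwall-tools or this post, the following Python script re-creates the core of the "stats" report above: it walks a ModSecurity serial audit log, reads the H (trailer) section of each event, and tallies the [msg], [id] and [tag] fields of every "Message:" line. The two-event log embedded below is constructed for the example, and the boundary/field regexes assume the standard serial audit-log layout.

```python
"""Tally rule messages, rule IDs and tags across a ModSecurity serial audit log."""
import re
from collections import Counter

# Constructed sample: two audit events, sections A (request start) and H (trailer) only.
SAMPLE_LOG = """--a1b2c3d4-A--
[04/Oct/2010:19:12:31 --0400] TxId1 192.0.2.10 51234 192.0.2.1 80
--a1b2c3d4-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[04/Oct/2010:19:13:02 --0400] TxId2 192.0.2.11 51235 192.0.2.1 80
--e5f6a7b8-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Pattern match "..." at ARGS:q. [file "phpids_rules.conf"] [line "12"] [id "phpids-3"] [msg "Detects JavaScript location/document property access and window access obfuscation"] [severity "CRITICAL"]
--e5f6a7b8-Z--
"""

SECTION_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")   # e.g. --a1b2c3d4-H--
FIELD_RE = re.compile(r'\[(id|msg|tag) "([^"]*)"\]')         # [id "..."], [msg "..."], [tag "..."]

def audit_stats(text):
    """Return (event_count, Counter by msg, Counter by rule id, Counter by tag)."""
    events = 0
    msgs, ids, tags = Counter(), Counter(), Counter()
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(2)
            if section == "A":          # every event opens with an A section
                events += 1
            continue
        if section == "H" and line.startswith("Message:"):
            # a single Message: line may carry several [tag "..."] fields; count each one
            for key, value in FIELD_RE.findall(line):
                {"msg": msgs, "id": ids, "tag": tags}[key][value] += 1
    return events, msgs, ids, tags

def print_report(text):
    """Print the counts in the same layout as the stats output shown above."""
    events, msgs, ids, tags = audit_stats(text)
    print(f"{events} events processed.")
    for title, counter in (("Rule Messages", msgs), ("Rule-IDs", ids), ("Tags", tags)):
        print("-" * 54)
        print(f"{title}:")
        for value, n in counter.most_common():
            print(f"{n:>10}   {value}")

if __name__ == "__main__":
    print_report(SAMPLE_LOG)
```

To run it over a real log, replace SAMPLE_LOG with the contents of the serial audit-log file; events that only logged in the concurrent (per-file) format are not handled here.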

