[Owasp-modsecurity-core-rule-set] [mod-security-users] Call for Assistance: ModSecurity/CRS Event Data Statistics

Ryan Barnett RBarnett at trustwave.com
Mon Oct 4 22:03:40 EDT 2010


This is a great addition Christian!  Yeah, let's chat about posting this data to a stats service that we can host on the ModSecurity site. 

Sent from my iPhone

On Oct 4, 2010, at 7:12 PM, "Christian Bockermann" <chris at jwall.org> wrote:

> Hi all,
> 
> sounds like a nice plan by Ryan.
> 
> I just extended my jwall-tools package to provide the information you requested (either by
> applying it onto a serial audit-log file or by applying it to a directory in which case it will
> recursively scan for audit-event data files).
> 
> @Ryan:
> Right now, the tools just output the data in plain text. I plan to provide the data in CSV format
> and XML format as well and thought about providing an auto-upload function to push the data to
> a statistics-service (anonymously, of course).
> (If you're interested in working on that jointly, just drop me a line)
> 
> 
> The updated jwall-tools can be found at:
> 
>    https://secure.jwall.org/download/jwall-tools.jar
> 
> The md5-checksum of that file is 4cc35f5d07d6503357907473307e7609
> These updated jwall-tools contain a new command "stats" which can be issued as:
> 
>     java -jar jwall-tools.jar stats /path/to/audit.log
> or 
>     java -jar jwall-tools.jar stats /path/to/concurrent/audit/dir
> 
> 
> The following is given as output of the above command:
> 
> 
> [chris at jwall: ~]$  java -jar jwall-tools.jar stats audit.log
> ..............................................................................................................................................................................................................................................................................................................................................................
> 53754 events processed in 16 seconds.
> Event date range from 02/26/2010 08:00 to 09/03/2010 08:33.
> 
> ------------------------------------------------------
> Rule Messages:
>       118   Detects JavaScript location/document property access and window access obfuscation
>       114   Detects common XSS concatenation patterns 1/2
>        51   The application is not available
>        27   Detects possible includes and typical script methods
>        24   Invalid request
>        23   Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.
>        21   Request Missing an Accept Header
>        20   Detects common XSS concatenation patterns 2/2
>        17   Detects obfuscated JavaScript script injections
>        14   Comment Evasion Attempt7
>        13   Detects self-executing JavaScript functions
>         8   Detects data: URL injections, VBS injections and common URI schemes
>         7   Detects JavaScript with(), ternary operators and XML predicate attacks
>         7   Detects basic directory traversal
>         5   Detects JavaScript object properties and methods
>         5   Detects common function declarations and special JS operators
>         5   Detects self
>         4   Detects JavaScript language constructs
>         4   Detects nullbytes and other dangerous characters
>         2   Host header is a numeric IP address
> 
> ------------------------------------------------------
> Rule-IDs:
>        67   phpids-3
>        57   phpids-30
>        35   phpids-2
>        30   phpids-23
>        21   960015
>        17   970901
>        15   phpids-1
>        13   phpids-16
>        12   960913
>        12   phpids-31
>         8   hpp-1
>         7   phpids-27
>         7   phpids-7
>         5   phpids-25
>         5   phpids-8
>         4   phpids-converter-comment-evasion
>         3   phpids-10
>         3   phpids-20
>         2   960017
>         2   phpids-39
>         1   phpids-17
>         1   phpids-6
>         1   phpids-62
> 
> ------------------------------------------------------
> Tags:
>        21   PROTOCOL_VIOLATION/MISSING_HEADER
>         2   PROTOCOL_VIOLATION/IP_HOST
> ------------------------------------------------------
> 
> 
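For readers who want to reproduce the three counters the "stats" command prints (rule messages, rule IDs, tags) from a serial audit log, here is an added Python example; it is not part of jwall-tools and assumes the standard ModSecurity serial audit-log layout, with the sample events below constructed from ids and messages quoted in the mail.

```python
import re
from collections import Counter

# Constructed sample in ModSecurity's serial audit-log format: each event is a
# run of "--<id>-<part>--" sections; rule alerts are "Message:" lines in part H.
# Rule ids, messages and tags are taken from the counts quoted in the mail.
SAMPLE_LOG = """--a1b2c3d4-A--
[26/Feb/2010:08:00:01 +0100] S4eR1cCoAWcAABWUHdYAAAAA 10.0.0.5 51234 10.0.0.1 80
--a1b2c3d4-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Pattern match "^[0-9.]+$" at REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP address"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[03/Sep/2010:08:33:10 +0200] TIi0bcCoAWcAABWUHdYAAAAB 10.0.0.7 40122 10.0.0.1 80
--e5f6a7b8-H--
Message: Warning. Pattern match "..." at ARGS:q. [id "phpids-3"] [msg "Detects JavaScript location/document property access and window access obfuscation"]
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
--e5f6a7b8-Z--
"""

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
ATTR = re.compile(r'\[(id|msg|tag) "([^"]*)"\]')   # the bracketed alert attributes

def audit_stats(text):
    """Return (events, Counter of msg, Counter of id, Counter of tag) for a serial
    audit log; an alert carrying several [tag] attributes counts each tag once."""
    events, part = 0, None
    msgs, ids, tags = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:                      # section boundary: part A opens every event
            part = m.group(2)
            events += 1 if part == "A" else 0
            continue
        if part == "H" and line.startswith("Message:"):
            for key, value in ATTR.findall(line):
                {"msg": msgs, "id": ids, "tag": tags}[key][value] += 1
    return events, msgs, ids, tags

def report(text):
    """Render the counts in the layout jwall-tools prints: count, label, highest first."""
    events, msgs, ids, tags = audit_stats(text)
    out = ["%d events processed." % events]
    for title, c in (("Rule Messages:", msgs), ("Rule-IDs:", ids), ("Tags:", tags)):
        out += [title] + ["%9d   %s" % (n, label) for label, n in c.most_common()]
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Point it at a real log by replacing SAMPLE_LOG with the file contents; for a concurrent-mode directory, feed each per-event file through audit_stats and merge the Counters.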