[Owasp-modsecurity-core-rule-set] Anyone using the Correlated Event Data?

Ryan Barnett RBarnett at trustwave.com
Fri Oct 8 09:27:55 EDT 2010

As I am receiving ModSec CRS Event Stats from the community (thanks to everyone who is helping with this effort), I am seeing many of the new inbound/outbound event correlation entries being generated.  Here is an example -

Correlated Successful Attack Identified: (Total Score: 25, SQLi=, XSS=) Inbound Attack (SQL Injection Attack - Inbound Anomaly Score: 25) + Outbound Data Leakage (SQL Information Leakage - Outbound
Anomaly Score: 30)

>From the Documentation link on the project site -

Inbound/Outbound Correlation
After the transaction has completed (in the logging phase), the rules in the base_rules/modsecurity_crs_60_correlation.conf file will conduct further post-processing by analyzing any inbound events with any outbound events in order to provide a more intelligent/priority correlated event.

- Was there an inbound attack?
- Was there an HTTP Status Code Error (4xx/5xx level)?
- Was there an application information leak?

If an inbound attack was detected and either an outbound application status code error or infolead was detected, then the overall event severity is raised -

- 0: Emergency - is generated from correlation where there is an inbound attack and   an outbound leakage.
- 1: Alert - is generated from correlation where there is an inbound attack and an outbound application level error.

A question for the community, the rationale for adding in the inbound/outbound correlation concept was to try and help users to prioritize alert investigations.  Obviously, the correlated events should be looked at first!  Is anyone actually using this feature?  Has it helped you with doing incident response, etc...?

Please let me know as I would love to hear real user feedback on this.


More information about the Owasp-modsecurity-core-rule-set mailing list