[Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events

Wesley Render wrender at otherdata.com
Mon Aug 25 22:20:04 UTC 2014


I was just wanting to follow up.  Is anyone able to confirm the proper
logging settings when using ModSecurity, and sending the logs out via mlogc
to AuditConsole?  Should we have our modsecurity_crs_10_setup.conf
SecDefaultAction lines set to the following?

SecDefaultAction "phase:1,pass,nolog"
SecDefaultAction "phase:2,pass,nolog"

Thanks!


Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com


-----Original Message-----
From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org
[mailto:owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf
Of Wesley Render
Sent: August-20-14 11:30 AM
To: 'OWASP Mod Security'
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level -
Only send critical events

When I set it to the following, I get a lot less logs coming in.  I am
confused on how it should be set as well when sending logs to AuditConsole
using mlogc.  Here is a summary of relevant settings I have right now
(below).   I guess it seems as though the logging settings are not able to
combine one correlated event into the audit log.  They can only combine one
correlated event into the apache error_log?


############  modsecurity_crs_10_setup.conf  Settings  ##########################

# Collaborative Detection Mode
SecDefaultAction "phase:1,pass,nolog"
SecDefaultAction "phase:2,pass,nolog"


# Collaborative Detection Blocking #
SecAction \
  "id:'900004', \
  phase:1, \
  t:none, \
  setvar:tx.anomaly_score_blocking=on, \
  nolog, \
  pass"


############  modsec2.user.conf  Settings  ######################################
SecDataDir /usr/local/apache/conf/sec-data
SecTmpDir /usr/local/apache/conf/sec-tmp

SecRuleEngine On
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000

# With SecRequestBodyAccess turned on, care needs to be taken with false positives
SecRequestBodyAccess On
SecRequestBodyLimit 134217728
SecRequestBodyLimitAction ProcessPartial
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072

SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524228
SecResponseBodyLimitAction ProcessPartial
SecServerSignature Apache
SecCookieFormat 0

# Additional ModSecurity Logging Options for mlogc
# Use RelevantOnly auditing
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Must use concurrent logging
SecAuditLogType Concurrent

# Send all audit log parts
SecAuditLogParts ABDEFHIJKZ

# Use the same /CollectorRoot/LogStorageDir as in mlogc.conf
SecAuditLogStorageDir /var/log/mlogc/data

# Pipe audit log to mlogc with your configuration
SecAuditLog "|/usr/local/modsecurity/bin/mlogc /etc/mlogc.conf"

# OWASP Rules
Include conf/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include conf/owasp-modsecurity-crs/activated_rules/*.conf

# Trustwave Commercial Rules
Include conf/slr_vuln_rules/owasp_crs_integration/attack_type/*.conf


Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com


-----Original Message-----
From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org
[mailto:owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf
Of Earl Fogel
Sent: August-20-14 9:59 AM
To: OWASP Mod Security
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level -
Only send critical events

I have this problem as well.  I also have:

SecDefaultAction "phase:1,pass,nolog,auditlog"
SecDefaultAction "phase:2,pass,nolog,auditlog"
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

Could that be relevant?  How should these be set in collaborative detection
mode?

Earl
-


On Wed, 20 Aug 2014, Josh Amishav-Zlatin <jamuse at owasp.org> wrote:

>On Wed, Aug 20, 2014 at 6:56 AM, Wesley Render <wrender at otherdata.com> wrote:
>
>      Would anyone know if it would be possible to adjust the core rule set
>      configuration file so that only events that have a total inbound score of
>      5 or higher are sent to the audit log.  (Running in Collaborative
>      Detection and Anomaly Scoring & Blocking)  Version: SecComponentSignature
>      "OWASP_CRS/2.2.9"
>
>
>Hi Wesley,
>
>When the CRS is used in anomaly mode it should not create audit logs 
>unless the event passes the threshold set in the 10 file. Can you send 
>me privately an event from AuditConsole that does not have an anomaly 
>score level above 5? I'm specifically interested in sections H and K.
>
>- Josh
>
>
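An added illustration of the mechanism Josh describes (this is example configuration written for this page, not a CRS file or any poster's config): with `nolog` as the default, individual rules only raise `tx.anomaly_score`, and the transaction is marked relevant for the audit log only when the threshold rule fires with `auditlog`; with `SecAuditEngine RelevantOnly`, an entry is also written whenever the response status matches `SecAuditLogRelevantStatus`. The rule ids, the match pattern and the threshold value are assumed for illustration.

```apache
# Added example, not from the thread or the CRS. Rule ids 1000100-1000102,
# the pattern and the score values are constructed for illustration.

# Default inherited by every rule below: no blocking, no error-log entry and,
# because nolog implies noauditlog, no audit entry from a single match.
SecDefaultAction "phase:2,pass,nolog"

# RelevantOnly: an audit entry is written when the response status matches
# this regex OR when a rule carrying the auditlog action matches.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Score constants used by the rules below (CRS keeps these in the 10 setup file).
SecAction \
  "id:1000100,phase:1,t:none,nolog,pass,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.inbound_anomaly_score_level=5"

# A detection rule in anomaly mode only adds to the score. It inherits
# pass,nolog from SecDefaultAction, so on its own it produces no audit entry.
SecRule ARGS "@rx (?i)union\s+select" \
  "id:1000101,phase:2,t:none,t:urlDecodeUni,pass,nolog,\
  msg:'Example SQLi pattern (constructed)',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# Only the threshold rule carries log,auditlog (and the disruptive action),
# so the audit entry appears once the accumulated score reaches the level.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
  "id:1000102,phase:2,t:none,deny,log,auditlog,\
  msg:'Inbound Anomaly Score Exceeded (Total Score: %{tx.anomaly_score})'"

# Contrast: putting auditlog on the default re-enables audit logging for
# every rule match, so sub-threshold events are also handed to mlogc.
# SecDefaultAction "phase:2,pass,nolog,auditlog"
```

Check a change with `apachectl configtest` before reloading, and compare section H of a delivered audit entry against the score reported by the threshold rule's message.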


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
