[Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events

Wesley Render wrender at otherdata.com
Wed Aug 27 21:04:27 UTC 2014


I am trying to send only correlated events that are Total Inbound 5+ to
mlogc.  When I set the SecDefaultAction for phase1 and phase2 to "pass,log"
or to "nolog,auditlog" it seems to send all events, even ones that are under
TX 5, to the mlogc.

When I set it to "pass,nolog" it seems to only send events that are Total
Inbound 5+ to the mlogc.  This is what I want, but "pass,nolog" is not one
of the options listed in the section "Alert Logging Control" so I am just
not sure if having it set to nolog is the correct method when sending
correlated/anomaly events to mlogc.

Regards,

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com
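
To make the logging semantics behind this question concrete, here is an added Python model (not code from the thread, ModSecurity or the CRS) of how a rule's log/auditlog flags resolve and whether a transaction reaches the audit log at all. It assumes ModSecurity 2.x action semantics and that the CRS 2.2.9 correlated blocking rule in modsecurity_crs_49 carries an explicit log action, as marked in the comments.

```python
import re

# Assumed ModSecurity 2.x semantics: "log" implies "auditlog", "nolog" implies
# "noauditlog", and a later explicit auditlog/noauditlog overrides the implied
# value. Tokens that are not logging actions (phase:2, pass, t:none, ...) are ignored.
def resolve_log_flags(actions):
    """Return (log_to_error_log, write_audit_log) for a comma-separated action list."""
    log, auditlog = True, True          # ModSecurity's defaults when nothing is given
    for a in (x.strip() for x in actions.split(",")):
        if a == "log":
            log, auditlog = True, True
        elif a == "nolog":
            log, auditlog = False, False
        elif a == "auditlog":
            auditlog = True
        elif a == "noauditlog":
            auditlog = False
    return log, auditlog


def audit_logged(default_action, rule_hits, threshold, status,
                 engine="RelevantOnly", relevant_status=r"^(?:5|4(?!04))"):
    """Decide whether one transaction is written to the audit log (and so to mlogc).

    rule_hits: list of (anomaly_score, rule_own_actions) for each matching
    detection rule; a rule's own actions override SecDefaultAction.
    threshold: tx.inbound_anomaly_score_level from modsecurity_crs_10_setup.conf.
    """
    if engine == "Off":
        return False
    if engine == "On":
        return True
    audited, total = False, 0
    for score, own in rule_hits:
        total += score
        _, rule_audits = resolve_log_flags(default_action + "," + own)
        audited = audited or rule_audits
    # Assumption: the CRS 2.2.9 blocking rule fires at total >= threshold and
    # specifies "log" itself, so the correlated event is always audit-logged.
    if total >= threshold:
        audited = True
    # RelevantOnly also audits any response whose status matches the regex,
    # independent of which rules matched (here: 5xx and 4xx except 404).
    if re.match(relevant_status, str(status)):
        audited = True
    return audited
```

Under `pass,nolog,auditlog` the explicit auditlog re-enables audit logging for every individual rule match, which is why sub-threshold events still reach mlogc; with `pass,nolog` only the correlated blocking rule, or a response status matched by SecAuditLogRelevantStatus, produces an audit entry.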


-----Original Message-----
From: Ryan Barnett [mailto:RBarnett at trustwave.com] 
Sent: August-27-14 1:55 PM
To: Wesley Render; owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level -
Only send critical events

Wesley,
What exactly are you trying to achieve here?

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com




On 8/25/14 6:20 PM, "Wesley Render" <wrender at otherdata.com> wrote:

>I was just wanting to follow up.  Is anyone able to confirm the proper 
>logging settings when using ModSecurity, and sending the logs out via 
>mlogc to AuditConsole?  Should we have our 
>modsecurity_crs_10_setup.conf SecDefaultAction lines set to the 
>following?
>
>SecDefaultAction "phase:1,pass,nolog"
>SecDefaultAction "phase:2,pass,nolog"
>
>Thanks!
>
>
>Wesley Render, IT Consultant, RHCSA
>Phone: 1.403.228.1221 ext 201
>www.otherdata.com
>
>
>-----Original Message-----
>From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org
>[mailto:owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On 
>Behalf Of Wesley Render
>Sent: August-20-14 11:30 AM
>To: 'OWASP Mod Security'
>Subject: Re: [Owasp-modsecurity-core-rule-set] 
>inbound_anomaly_score_level - Only send critical events
>
>When I set it to the following, I get a lot fewer logs coming in.  I am
>confused about how it should be set as well when sending logs to
>AuditConsole using mlogc.  Here is a summary of relevant settings I have
>right now (below).  I guess it seems as though the logging settings are not
>able to combine one correlated event into the audit log.  They can only
>combine one correlated event into the apache error_log?
>
>
>############  modsecurity_crs_10_setup.conf  Settings  ##########################
>
># Collaborative Detection Mode
>SecDefaultAction "phase:1,pass,nolog"
>SecDefaultAction "phase:2,pass,nolog"
>
>
># Collaborative Detection Blocking #
>SecAction \
>  "id:'900004', \
>  phase:1, \
>  t:none, \
>  setvar:tx.anomaly_score_blocking=on, \
>  nolog, \
>  pass"
>
>
>############ modsec2.user.conf  Settings  ######################################
>SecDataDir /usr/local/apache/conf/sec-data
>SecTmpDir /usr/local/apache/conf/sec-tmp
>
>SecRuleEngine On
>SecPcreMatchLimit 50000
>SecPcreMatchLimitRecursion 50000
>
># With SecRequestBodyAccess turned on care needs to be taken with false positives
>SecRequestBodyAccess On
>SecRequestBodyLimit 134217728
>SecRequestBodyLimitAction ProcessPartial
>SecRequestBodyNoFilesLimit 131072
>SecRequestBodyInMemoryLimit 131072
>
>SecResponseBodyAccess On
>SecResponseBodyMimeType (null) text/html text/plain text/xml
>SecResponseBodyLimit 524228
>SecResponseBodyLimitAction ProcessPartial
>SecServerSignature Apache
>SecCookieFormat 0
>
># Additional ModSecurity Logging Options for mlogc
># Use RelevantOnly auditing
>SecAuditEngine RelevantOnly
>SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>
># Must use concurrent logging
>SecAuditLogType Concurrent
>
># Send all audit log parts
>SecAuditLogParts ABDEFHIJKZ
>
># Use the same /CollectorRoot/LogStorageDir as in mlogc.conf 
>SecAuditLogStorageDir /var/log/mlogc/data
>
># Pipe audit log to mlogc with your configuration
>SecAuditLog "|/usr/local/modsecurity/bin/mlogc /etc/mlogc.conf"
>
># OWASP Rules
>Include conf/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
>Include conf/owasp-modsecurity-crs/activated_rules/*.conf
>
># Trustwave Commercial Rules
>Include conf/slr_vuln_rules/owasp_crs_integration/attack_type/*.conf
>
>
>Wesley Render, IT Consultant, RHCSA
>Phone: 1.403.228.1221 ext 201
>www.otherdata.com
>
>
>-----Original Message-----
>From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org
>[mailto:owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On 
>Behalf Of Earl Fogel
>Sent: August-20-14 9:59 AM
>To: OWASP Mod Security
>Subject: Re: [Owasp-modsecurity-core-rule-set] 
>inbound_anomaly_score_level - Only send critical events
>
>I have this problem as well.  I also have:
>
>SecDefaultAction "phase:1,pass,nolog,auditlog"
>SecDefaultAction "phase:2,pass,nolog,auditlog"
>SecAuditEngine RelevantOnly
>SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>
>Could that be relevant?  How should these be set in collaborative
>detection mode?
>
>Earl
>-
>
>
>On Wed, 20 Aug 2014, Josh Amishav-Zlatin <jamuse at owasp.org> wrote:
>
>>On Wed, Aug 20, 2014 at 6:56 AM, Wesley Render <wrender at otherdata.com> wrote:
>>
>>      Would anyone know if it would be possible to adjust the core rule set
>>      configuration file so that only events that have a total inbound score of
>>      5 or higher are sent to the audit log.  (Running in Collaborative
>>      Detection and Anomaly Scoring & Blocking)  Version: SecComponentSignature
>>      "OWASP_CRS/2.2.9"
>>
>>
>>Hi Wesley,
>>
>>When the CRS is used in anomaly mode it should not create audit logs 
>>unless the event passes the threshold set in the 10 file. Can you send 
>>me privately an event from AuditConsole that does not have an anomaly 
>>score level above 5? I'm specifically interested in sections H and K.
>>
>>- Josh
>>
>>
>
>
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>Owasp-modsecurity-core-rule-set at lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
