[Owasp-modsecurity-core-rule-set] CRS3-RC1 not working on Apache 2.2

Christian Folini christian.folini at netnea.com
Mon Aug 22 10:46:16 UTC 2016


Hello,

On Mon, Aug 22, 2016 at 11:39:59AM +0200, Jens Schleusener wrote:
> As said, that is very laborious if there are hundreds of entries. Often
> one has to additionally analyze the big Apache access log to find
> out the further behaviour of a suspicious IP and classify the
> corresponding requests as "good" or "bad".

Yep. That's the problem exactly.

> Helpful would be a general program or script that can grep blocks of
> lines given a main target pattern and two further patterns
> specifying the begin and the end of the block. I just wrote a very
> primitive one that allows for e.g. via
> 
>  grep_blocks_by_sed -p 'id "921140"' \
>    -b '^--[0-9a-f]*-A--' -e '^--[0-9a-f]*-Z--' modsec_audit.log

You may want to look into csplit.

Personally, I hardly work with the auditlog. I concentrate on the
errorlog where I fetch ruleid, IPs and unique-ids. I grep for the IP
and the unique id in the access-log and display sessions with the
al-group of aliases in my alias-collection. Usually
altimestatusmethodpath.

Example:

$> grep 941160 error.log | melip | while read IP; do \
   echo "*** $IP ****"; \
   grep $IP folinic.access-not-null | altimestatusmethodpath ; done 

...
*** 000.000.33.201 ****
[2016-08-15 09:20:26.666687] 302 POST /de/node/35876/edit
[2016-08-15 09:21:13.160125] 200 POST /de/system/ajax
[2016-08-15 09:21:19.746708] 302 POST /de/node/35876/edit/de
[2016-08-15 09:23:00.658298] 200 POST /de/system/ajax
[2016-08-15 09:23:07.598479] 302 POST /de/node/35876/edit/fr
[2016-08-15 09:23:52.093165] 200 POST /de/system/ajax
[2016-08-15 09:23:58.916953] 302 POST /de/node/35876/edit/it
[2016-08-15 09:24:54.378965] 200 POST /de/system/ajax
[2016-08-15 09:25:00.475736] 302 POST /de/node/35876/edit/en-gb
[2016-08-15 12:26:26.784170] 200 POST /de/plupload-handle-uploads?...
[2016-08-15 12:26:28.898396] 200 GET /de/admin/content/file/...
[2016-08-15 12:27:28.803916] 200 POST /de/media/ajax/field_header_...
[2016-08-15 12:27:35.067760] 302 POST /de/node/36269/edit
[2016-08-15 12:27:51.742488] 200 POST /de/media/ajax/field_header_...
...

That's a fairly coarse approach. But this example would give me an
overview of what the sessions involving violations of 941160 are up to.
If I browse over the various IPs, I get a feeling for the application
and what seems to be standard behaviour and what not.

However, the reasonable approach is of course to look for false
positives in traffic where you _know_ there is no attack traffic
interwoven and every alert is guaranteed to be a false positive.
That approach does not quite work out in the real world a lot of the
time, though.

If you find stuff where you are sure it is a false positive, then please
open GitHub issues. Especially in the default install with paranoia
level 1. In the higher paranoia levels you should anticipate more and
more false positives.

Ahoj,

Christian


-- 
A great swindle of our time is the assumption that science has made
religion obsolete. All science has damaged is the story of Adam and Eve
and the story of Jonah and the Whale.
-- Kurt Vonnegut
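The two workflows discussed in this thread, pulling rule id, client IP and unique id out of the error log and then listing the matching access-log session per IP, and cutting the audit log into A..Z transaction blocks that match a pattern, as an added Python example that is not code from the thread or from the CRS project. Every log line below is constructed (placeholder IPs, unique ids and paths); the access-log format with a trailing unique id and the `ALERT_RE`/`ACCESS_RE` field layout are assumptions, not the poster's aliases.

```python
"""Triage ModSecurity alerts by correlating them with access-log sessions.

Added example, not code from the mailing-list thread. All log lines are
constructed; IPs, unique ids and paths are placeholders.
"""
import re
from collections import defaultdict

# Constructed Apache 2.2 style error-log lines (trimmed to the relevant fields).
ERROR_LOG = """\
[Mon Aug 22 10:00:01 2016] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match at ARGS:body. [id "941160"] [uri "/de/node/35876/edit"] [unique_id "UIDAAA"]
[Mon Aug 22 10:00:05 2016] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match at ARGS:q. [id "921140"] [uri "/de/system/ajax"] [unique_id "UIDBBB"]
[Mon Aug 22 10:02:11 2016] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match at ARGS:body. [id "941160"] [uri "/de/node/35876/edit/fr"] [unique_id "UIDCCC"]
"""

# Constructed access-log lines; assumed format: combined log plus the
# ModSecurity unique id quoted as the last field.
ACCESS_LOG = """\
198.51.100.7 - - [22/Aug/2016:10:00:01 +0000] "POST /de/node/35876/edit HTTP/1.1" 302 0 "UIDAAA"
198.51.100.7 - - [22/Aug/2016:10:00:20 +0000] "POST /de/system/ajax HTTP/1.1" 200 512 "UIDAAB"
203.0.113.9 - - [22/Aug/2016:10:00:05 +0000] "GET /de/system/ajax?q=%0d%0a HTTP/1.1" 403 0 "UIDBBB"
203.0.113.9 - - [22/Aug/2016:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "UIDBBC"
198.51.100.7 - - [22/Aug/2016:10:02:11 +0000] "POST /de/node/35876/edit/fr HTTP/1.1" 302 0 "UIDCCC"
"""

# Constructed audit-log excerpt with two transactions (parts A, B, H, Z only).
AUDIT_LOG = """\
--abc123-A--
[22/Aug/2016:10:00:05 +0000] UIDBBB 203.0.113.9 54321 192.0.2.10 80
--abc123-B--
GET /de/system/ajax?q=%0d%0a HTTP/1.1
--abc123-H--
Message: Warning. Pattern match at ARGS:q. [id "921140"]
--abc123-Z--

--def456-A--
[22/Aug/2016:10:00:01 +0000] UIDAAA 198.51.100.7 54322 192.0.2.10 80
--def456-B--
POST /de/node/35876/edit HTTP/1.1
--def456-H--
Message: Warning. Pattern match at ARGS:body. [id "941160"]
--def456-Z--
"""

# Apache 2.2 writes "[client IP]"; 2.4 appends ":port", which is skipped here.
ALERT_RE = re.compile(
    r'\[client (?P<ip>[\d.]+)(?::\d+)?\].*?\[id "(?P<id>\d+)"\].*?\[unique_id "(?P<uid>[^"]+)"\]')
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<uid>[^"]+)"')
BLOCK_BEGIN = re.compile(r"^--[0-9a-f]+-A--$")  # same boundaries as the thread
BLOCK_END = re.compile(r"^--[0-9a-f]+-Z--$")


def alerts_for_rule(error_log, rule_id):
    """Return (client_ip, unique_id) pairs for every alert raised by rule_id."""
    hits = []
    for line in error_log.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group("id") == rule_id:
            hits.append((m.group("ip"), m.group("uid")))
    return hits


def sessions(access_log, ips):
    """Group parsed access-log requests by client IP, keeping file order."""
    out = defaultdict(list)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("ip") in ips:
            out[m.group("ip")].append(m.groupdict())
    return dict(out)


def triage(error_log, access_log, rule_id):
    """For each client that tripped rule_id, list its whole session; requests
    that raised the alert are prefixed with '*', the rest with ' '."""
    hits = alerts_for_rule(error_log, rule_id)
    flagged = {uid for _, uid in hits}
    report = {}
    for ip, reqs in sessions(access_log, {ip for ip, _ in hits}).items():
        report[ip] = [
            f'{"*" if r["uid"] in flagged else " "} [{r["time"]}] '
            f'{r["status"]} {r["method"]} {r["path"]}'
            for r in reqs
        ]
    return report


def audit_blocks(audit_log, pattern):
    """Return whole A..Z audit-log transactions whose text matches pattern."""
    blocks, current = [], None
    for line in audit_log.splitlines():
        if BLOCK_BEGIN.match(line):
            current = [line]
        elif current is not None:
            current.append(line)
            if BLOCK_END.match(line):
                text = "\n".join(current)
                if re.search(pattern, text):
                    blocks.append(text)
                current = None
    return blocks


if __name__ == "__main__":
    for ip, lines in triage(ERROR_LOG, ACCESS_LOG, "941160").items():
        print(f"*** {ip} ****")
        print("\n".join(lines))
    print(audit_blocks(AUDIT_LOG, r'id "921140"')[0])
```

Reading the marked session side by side with the unmarked requests is what lets you decide whether a 941160 hit on an editor form is a regular content editor or something that needs a closer look; the audit block is the fallback when you need the request body for that decision.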
