How to configure ModSecurity logs?

I think it is too detailed. I installed it on Windows 7 and use the Apache server.

https://i.stack.imgur.com/F55Yp.jpg

https://i.stack.imgur.com/V09JL.jpg

https://i.stack.imgur.com/Lg7pd.jpg

https://i.stack.imgur.com/YHjKH.jpg

https://i.stack.imgur.com/rF9dw.jpg

CRS developer here. Indeed, by default the logs contain a lot of information. It might help you to use JSON as the log format. You can do that by adding:

SecAuditLogFormat JSON

to your mod_security.conf file. (Note: I have no Windows experience, so I don't know the exact name and location of the configuration file.)

The log will then contain one JSON object per line for each logged event. You can use the jq utility to pretty-print the JSON or to select only the parts you are interested in.

For example, if you only want to see the matched rule messages, you can use jq like this:

curl 'https://sandbox.coreruleset.org/?test=posix_uname(123)' | jq .audit_data.messages

[
  "Warning. Matched phrase \"posix_uname\" at ARGS:test. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf\"] [line \"294\"] [id \"933150\"] [msg \"PHP Injection Attack: High-Risk PHP Function Name Found\"] [data \"Matched Data: posix_uname found within ARGS:test: posix_uname(123)\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.2\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-php\"] [tag \"platform-multi\"] [tag \"attack-injection-php\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/242\"]",
  "Warning. Operator GE matched 5 at TX:anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"93\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.3.2\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"]",
  "Unconditional match in SecAction. [file \"/etc/modsecurity.d/crs-demo-setvar.conf\"] [line \"11\"] [id \"100000\"] [tag \"modsecurity\"]",
  "Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"91\"] [id \"980130\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0\"] [ver \"OWASP_CRS/3.3.2\"] [tag \"modsecurity\"] [tag \"event-correlation\"]"
]
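As an added example (not part of the answer above), the same `.audit_data.messages` selection done in Python over two constructed audit-log lines, going one step further than the jq command by also parsing the `[key "value"]` fields so that each transaction reduces to the rule IDs, messages and severities that fired. The key names under `"transaction"` are assumptions; the message text follows the format shown in the answer.

```python
import json
import re
# Constructed sample: two lines in the one-JSON-object-per-line layout that
# SecAuditLogFormat JSON writes. The "transaction" key names are assumptions;
# "audit_data.messages" is the path the answer above selects with jq.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({
        "transaction": {"transaction_id": "tx-0001", "remote_address": "192.0.2.10"},
        "audit_data": {"messages": [
            'Warning. Matched phrase "posix_uname" at ARGS:test. '
            '[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] '
            '[line "294"] [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] '
            '[severity "CRITICAL"] [tag "modsecurity"] [tag "paranoia-level/1"]',
            'Warning. Operator GE matched 5 at TX:anomaly_score. [line "93"] [id "949110"] '
            '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]',
        ]},
    }),
    json.dumps({  # a clean request: "messages" may be absent altogether
        "transaction": {"transaction_id": "tx-0002", "remote_address": "192.0.2.11"},
        "audit_data": {},
    }),
])

# One [key "value"] field; values may carry backslash-escaped characters.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_message(message):
    """Bracketed fields of one audit message as a dict; repeated keys (tags) keep the first value."""
    fields = {}
    for key, value in FIELD_RE.findall(message):
        fields.setdefault(key, value)
    return fields

def summarize(audit_log_text):
    """One row per transaction: client address plus (rule id, msg, severity) for every rule that fired."""
    rows = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in a rotated or concatenated log
        entry = json.loads(line)
        hits = []
        for message in entry.get("audit_data", {}).get("messages", []):
            fields = parse_message(message)
            if "id" in fields:  # skip messages that carry no rule id
                hits.append((fields["id"], fields.get("msg", ""), fields.get("severity", "")))
        tx = entry.get("transaction", {})
        rows.append({"transaction_id": tx.get("transaction_id"),
                     "client": tx.get("remote_address"), "hits": hits})
    return rows
```

Feed it a real audit log with `summarize(open("modsec_audit.log").read())` to get one compact row per request instead of the full message text.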