Open amsnek opened 1 year ago
Hey @amsnek , actually, Coraza supports a format called JSONLEGACY that is compatible with ModSecurity. https://github.com/corazawaf/coraza/blob/4f30afeca2b6cf48f8cd73acd80b072721172782/internal/auditlog/legacy.go#L9
Just replace the JSON format in SecAuditLogFormat with JSONLEGACY.
SecAuditLogFormat JSONLEGACY
Hey @jptosso I tried with "SecAuditLogFormat JSONLEGACY" but the output did not change at all? 🤔
{
  "transaction": {
    "time": "2023/08/07 10:02:15",
    "transaction_id": "c6c51035-6dc0-4edf-9e27-f9328397f04d",
    "remote_address": "127.0.0.1",
    "remote_port": 44113,
    "local_address": "127.0.0.1",
    "local_port": 80
  },
  "request": {
    "request_line": " ",
    "headers": {
      "accept": "*/*",
      "host": "127.0.0.1",
      "user-agent": "curl/7.61.1"
    }
  },
  "response": {
    "status": 0,
    "protocol": "",
    "headers": {}
  },
  "audit_data": {
    "messages": null,
    "error_messages": null,
    "handler": "",
    "stopwatch": {
      "Combined": 0,
      "P1": 0,
      "P2": 0,
      "P3": 0,
      "P4": 0,
      "P5": 0,
      "Sr": 0,
      "Sw": 0,
      "L": 0,
      "Gc": 0
    },
    "response_body_dechunked": false,
    "producer": [
      "OWASP_CRS/4.0.0-rc1"
    ],
    "server": "",
    "engine_mode": "On"
  }
}
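As an added example, not code from the Coraza project or from anyone in this thread: a small Go program that decodes the JSONLEGACY record posted above with only the standard library and reports which fields a ModSecurity-style log consumer (an Elasticsearch pipeline, for instance) would expect to be populated but that the record left empty. The struct type, the function names and the second, fully populated record are assumptions constructed for this example; the first record is the one posted above, embedded as input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// LegacyAuditLog mirrors the JSONLEGACY record shown in the thread. The type
// is an assumption made for this example; it is not a Coraza type.
type LegacyAuditLog struct {
	Transaction struct {
		Time          string `json:"time"`
		TransactionID string `json:"transaction_id"`
		RemoteAddress string `json:"remote_address"`
		RemotePort    int    `json:"remote_port"`
		LocalAddress  string `json:"local_address"`
		LocalPort     int    `json:"local_port"`
	} `json:"transaction"`
	Request struct {
		RequestLine string            `json:"request_line"`
		Headers     map[string]string `json:"headers"`
	} `json:"request"`
	Response struct {
		Status   int               `json:"status"`
		Protocol string            `json:"protocol"`
		Headers  map[string]string `json:"headers"`
	} `json:"response"`
	AuditData struct {
		Messages      []string       `json:"messages"`
		ErrorMessages []string       `json:"error_messages"`
		Handler       string         `json:"handler"`
		Stopwatch     map[string]int `json:"stopwatch"`
		Producer      []string       `json:"producer"`
		Server        string         `json:"server"`
		EngineMode    string         `json:"engine_mode"`
	} `json:"audit_data"`
}

// SampleLegacyRecord is the record posted in the thread, embedded as input.
const SampleLegacyRecord = `{
  "transaction": {"time": "2023/08/07 10:02:15",
    "transaction_id": "c6c51035-6dc0-4edf-9e27-f9328397f04d",
    "remote_address": "127.0.0.1", "remote_port": 44113,
    "local_address": "127.0.0.1", "local_port": 80},
  "request": {"request_line": " ",
    "headers": {"accept": "*/*", "host": "127.0.0.1", "user-agent": "curl/7.61.1"}},
  "response": {"status": 0, "protocol": "", "headers": {}},
  "audit_data": {"messages": null, "error_messages": null, "handler": "",
    "stopwatch": {"Combined": 0, "P1": 0, "P2": 0, "P3": 0, "P4": 0, "P5": 0,
                  "Sr": 0, "Sw": 0, "L": 0, "Gc": 0},
    "response_body_dechunked": false, "producer": ["OWASP_CRS/4.0.0-rc1"],
    "server": "", "engine_mode": "On"}
}`

// CompleteLegacyRecord is a constructed record (not real WAF output) with the
// same fields populated, used for contrast.
const CompleteLegacyRecord = `{
  "transaction": {"time": "2023/08/07 10:02:15",
    "transaction_id": "c6c51035-6dc0-4edf-9e27-f9328397f04d",
    "remote_address": "127.0.0.1", "remote_port": 44113,
    "local_address": "127.0.0.1", "local_port": 80},
  "request": {"request_line": "GET /?x=/etc/passwd HTTP/1.1",
    "headers": {"host": "127.0.0.1"}},
  "response": {"status": 403, "protocol": "HTTP/1.1", "headers": {}},
  "audit_data": {"messages": ["Warning. Matched (constructed rule message)"],
    "error_messages": null, "handler": "proxy-server", "stopwatch": {},
    "response_body_dechunked": false, "producer": ["OWASP_CRS/4.0.0-rc1"],
    "server": "coraza", "engine_mode": "On"}
}`

// ParseLegacyAuditLog decodes one JSONLEGACY record.
func ParseLegacyAuditLog(data []byte) (*LegacyAuditLog, error) {
	var l LegacyAuditLog
	if err := json.Unmarshal(data, &l); err != nil {
		return nil, fmt.Errorf("decoding audit log: %w", err)
	}
	return &l, nil
}

// MissingFields lists the fields a ModSecurity-style consumer relies on
// (request line, response status and protocol, rule messages, server) that
// the record left empty. A nil result means all of them are populated.
func MissingFields(l *LegacyAuditLog) []string {
	var missing []string
	if strings.TrimSpace(l.Request.RequestLine) == "" {
		missing = append(missing, "request.request_line")
	}
	if l.Response.Status == 0 {
		missing = append(missing, "response.status")
	}
	if l.Response.Protocol == "" {
		missing = append(missing, "response.protocol")
	}
	if len(l.AuditData.Messages) == 0 {
		missing = append(missing, "audit_data.messages")
	}
	if l.AuditData.Server == "" {
		missing = append(missing, "audit_data.server")
	}
	return missing
}

func main() {
	for name, raw := range map[string]string{"posted": SampleLegacyRecord, "complete": CompleteLegacyRecord} {
		l, err := ParseLegacyAuditLog([]byte(raw))
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s record %s: missing %v\n", name, l.Transaction.TransactionID, MissingFields(l))
	}
}
```

Run against the posted record, MissingFields reports the request line, response status and protocol, rule messages and server as empty, which is exactly the parity gap the issue describes; the constructed record reports nothing missing. The same check can be wired into a log pipeline as a sanity test when switching between SecAuditLogFormat values.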
Apparently jsonlegacy is using the modsecurity 2 format. We would need another JSON formatter for libmodsecurity.
modsecurity2 was only "partial json". libmodsecurity3 implemented full json support. A "full" json formatter for libmodsecurity would be most useful.
Up to work on this @amsnek ?
Hey @jcchavezs, as mentioned in the August 2023 meeting, sadly I do not have the required skills to implement this :(
Just to keep tracking the evolution of this issue: https://github.com/corazawaf/coraza/pull/968 implemented some missing information
Summary
Coraza's current AuditLog format in JSON has empty values for important fields and is overall less detailed compared to libmodsecurity3. Since the stated goal is to be a "drop-in replacement" for modsecurity, logging parity would be beneficial.
Basic example
Below are AuditLogs from coraza-spoa compared to libmodsecurity3 for the following HTTP request, intended to trigger the WAF: curl -v http://127.0.0.100/?x\=/etc/passwd
AuditLog generated from coraza-spoa
There are details in the coraza-spoa default error log, but this is only partially JSON and not comparable to the auditlog:
AuditLog from libmodsecurity3
Motivation
Detailed logs in JSON format make it easy to store and analyze the logs in tools like Elasticsearch or similar. This increases the visibility of attacks, aids with filtering of false positives and greatly improves overall usefulness.