opensearch-project / security-analytics

Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify and tailor the pre-packaged solution.
Apache License 2.0

[FEATURE] Webserver access logs analytics #371

Open sandervandegeijn opened 1 year ago

sandervandegeijn commented 1 year ago

Is your feature request related to a problem? There is an Apache log detector that looks for specific Apache faults. Web server access logs in general can also be used to detect attacks, i.e. by scanning the query string, the number of non-200s generated by a single client, etc. Suricata does this in part for unencrypted traffic.

Almost every web server gives you the same basic details of a web request. This should work for Apache/Nginx/IIS/F5 load balancer logs/etc.

What solution would you like? Implement detection rules for web server access logs

What alternatives have you considered? Suricata detection (but it isn't a catch all solution because of TLS)

Do you have any additional context? Add any other context or screenshots about the feature request here.
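The two signals the request describes (suspicious query strings and the count of non-2xx responses per client) as a small detector over combined-format access log lines. This is an added example, not code from the Security Analytics project; the signature set, the threshold of 3 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Illustrative query-string signatures (assumed set, not the project's rules).
SUSPICIOUS_QUERY = [
    re.compile(r"\.\./"),                              # directory traversal probe
    re.compile(r"(?i)(union\s+select|'\s*or\s+1=1)"),  # SQL injection probe
    re.compile(r"(?i)<script"),                        # reflected XSS probe
]
ERROR_THRESHOLD = 3  # non-2xx responses from one client before alerting (assumed)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["path"], _, query = e["path"].partition("?")
    e["query"] = unquote(query)  # decode %2F, %27 ... so encoded probes still match
    return e

def analyze(lines):
    """Return ([(ip, query)] hitting a signature, {ip: count} of clients over the error threshold)."""
    query_alerts, errors = [], Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # skip malformed lines rather than crash the pipeline
        if any(p.search(e["query"]) for p in SUSPICIOUS_QUERY):
            query_alerts.append((e["ip"], e["query"]))
        if not 200 <= e["status"] < 300:
            errors[e["ip"]] += 1
    noisy = {ip: n for ip, n in errors.items() if n >= ERROR_THRESHOLD}
    return query_alerts, noisy

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /backup HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.env HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /view?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 120 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /item?id=1%27%20OR%201%3D1 HTTP/1.1" 500 0 "-" "curl/8.0"',
]
```

Running `analyze(SAMPLE_LOG)` flags both encoded probes from 203.0.113.5 and reports 198.51.100.7 for three non-2xx responses; the same two signals can be expressed as custom rules over a web access log category once the fields are mapped.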

praveensameneni commented 2 months ago

@sandervandegeijn , Have you tried custom logs feature with custom rules that you can create or copy from an existing rule to have the same desired effect?

sandervandegeijn commented 2 months ago

I could implement the rules myself, but it would be nice if this general log category were supported out of the box, detecting web-based attacks. The current apache2 rules do not do this :)

praveensameneni commented 2 months ago

OK, we do not have anything in our roadmap to create rules, but we understand the use case and the need for it.