owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Tracking all traffic for further analysis through ELK-Stack #2778

Closed deniskonovalov64 closed 2 years ago

deniskonovalov64 commented 2 years ago

Hello, I don't know where to ask this question. Is it possible for ModSecurity to track all traffic (not just the response record) passing through it? If not, is it possible to do this? And do you have any plans to organize this?

martinhsv commented 2 years ago

Hello @deniskonovalov64 ,

I'm not sure I understand your question.

If by "track" you mean have entries created in ModSecurity's audit log, then an HTTP transaction can have information included there for both its request and its response. If you are using 'SecAuditEngine RelevantOnly', then only some transactions will produce output there. If you use 'SecAuditEngine On', then ModSecurity will log all transactions.
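The directive pair referred to above, written out as a complete audit-logging configuration for libModSecurity v3 (the version that can emit JSON, which is what the reporter's nginx setup produces). This is an added example, not configuration from the issue thread or from the ModSecurity project; the log path and the MIME type list are assumptions to adjust per deployment.

```apache
# Added example (not from the issue thread): log every transaction, request
# and response bodies included, as JSON so the file can be shipped to ELK.
# Paths and the MIME type list below are assumptions.

SecRuleEngine On

# Without body access, parts C (request body) and E (response body) stay empty.
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json

# 'RelevantOnly' writes an entry only for transactions that triggered a rule
# or whose status matches SecAuditLogRelevantStatus; 'On' writes every one.
SecAuditEngine On
# Only consulted when SecAuditEngine is RelevantOnly; kept here for reference.
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Parts: A audit header, B request headers, C request body, E response body,
# F response headers, H audit trailer (rule matches), J upload info, Z end.
SecAuditLogParts ABCEFHJZ

# JSON output is a libModSecurity v3 feature; v2 only writes the native format.
SecAuditLogFormat JSON
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.json
```

Two caveats a practitioner should weigh before turning this on: with `SecAuditEngine On` plus body access, the audit log captures credentials, session tokens and any other sensitive payload passing through the proxy, so the file (and whatever ELK index it lands in) needs the same access controls as the traffic itself; and logging every transaction with bodies is a large write volume, for which `SecAuditLogType Concurrent` with `SecAuditLogStorageDir` is the usual alternative to a single serial file.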

deniskonovalov64 commented 2 years ago

Hello @martinhsv , thanks for your answer, this is exactly what I was looking for. I apologize for this. (

And I'll ask as soon as I have a chance. Will the data output via JSON in the audit log change or change?

There are these lines: "ruleId": "920280", "file": "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf", Is it possible to add another value that would look like this: "attack type" : "PROTOCOL-ENFORCEMENT" or "attack type" : "REQUEST-920-PROTOCOL-ENFORCEMENT"

Here's how it might look to illustrate:

"messages": [{
    "message": "Request Missing a Host Header",
    "details": {
        "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Host' (Value: `0' )",
        "reference": "",
        "ruleId": "920280",
        "file": "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
        "attack type" : "REQUEST-920-PROTOCOL-ENFORCEMENT",
        "lineNumber": "532",
        "data": "",
        "severity": "4",
        "ver": "OWASP_CRS/3.3.2",
        "rev": "",
        "tags": ["application-multi", "language-multi", "platform-multi", "attack-protocol", "paranoia-level/1", "OWASP_CRS", "capec/1000/210/272", "PCI/6.5.10"],
        "maturity": "0",
        "accuracy": "0"
    }
}]

Thanks in advance.

martinhsv commented 2 years ago

There is no current mechanism to add arbitrary top-level detail items to audit log reports in the way that you have illustrated.

However, if you want to add classification data or any other metadata about a triggered rule to the output, the existing "tag" action is intended for that purpose. Indeed, for the example that you have chosen, the CRS rule is already including "attack-protocol".
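Since ModSecurity will not add a top-level "attack type" field, the classification the reporter wants can be derived on the consumer side from data the audit log already carries: the CRS `attack-*` tags that the reply points to, and the rule file name. The following is an added example, not code from the issue thread or from the ModSecurity project. It parses one v3 JSON audit-log entry (a constructed sample built around the message object posted above; the transaction wrapper fields are assumptions modelled on the v3 layout), adds `attack_type` and `rule_group` to each message, and flattens the entry into one event per matched rule, which is the shape that indexes cleanly in Elasticsearch.

```python
"""Consumer-side enrichment of a libModSecurity v3 JSON audit-log entry.

Added example, not part of the issue thread or the ModSecurity project.
Derives an 'attack_type' per message from CRS 'attack-<name>' tags and a
'rule_group' from the CRS rule file name (e.g. PROTOCOL-ENFORCEMENT).
"""
import json
import os
import re

# Constructed sample. The "messages" object is the one posted in the issue;
# the surrounding transaction fields are assumptions modelled on the v3 layout.
SAMPLE_AUDIT_ENTRY = r'''
{
  "transaction": {
    "client_ip": "203.0.113.10",
    "time_stamp": "Mon Jan  1 00:00:00 2024",
    "unique_id": "constructed-0001",
    "request": {"method": "GET", "http_version": 1.1, "uri": "/"},
    "response": {"http_code": 403},
    "messages": [{
      "message": "Request Missing a Host Header",
      "details": {
        "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Host' (Value: `0' )",
        "reference": "",
        "ruleId": "920280",
        "file": "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
        "lineNumber": "532",
        "data": "",
        "severity": "4",
        "ver": "OWASP_CRS/3.3.2",
        "rev": "",
        "tags": ["application-multi", "language-multi", "platform-multi", "attack-protocol", "paranoia-level/1", "OWASP_CRS", "capec/1000/210/272", "PCI/6.5.10"],
        "maturity": "0",
        "accuracy": "0"
      }
    }]
  }
}
'''

# CRS rule files are named REQUEST-<nnn>-<GROUP>.conf / RESPONSE-<nnn>-<GROUP>.conf
RULE_FILE_RE = re.compile(r"^(?:REQUEST|RESPONSE)-(\d{3})-(.+?)\.conf$")


def attack_type_from_tags(tags):
    """Return the CRS attack classification(s) carried by 'attack-*' tags."""
    return [t[len("attack-"):] for t in tags if t.startswith("attack-")]


def paranoia_level(tags):
    """Return the integer paranoia level from a 'paranoia-level/N' tag, or None."""
    for t in tags:
        if t.startswith("paranoia-level/"):
            return int(t.split("/", 1)[1])
    return None


def rule_group_from_file(path):
    """Return ('920', 'PROTOCOL-ENFORCEMENT') from a CRS rule file path, else None."""
    m = RULE_FILE_RE.match(os.path.basename(path))
    return (m.group(1), m.group(2)) if m else None


def enrich(entry_json):
    """Parse one audit-log entry and add attack_type / rule_group to each message."""
    entry = json.loads(entry_json)
    for msg in entry["transaction"].get("messages", []):
        details = msg["details"]
        tags = details.get("tags", [])
        details["attack_type"] = attack_type_from_tags(tags)
        details["paranoia_level"] = paranoia_level(tags)
        group = rule_group_from_file(details.get("file", ""))
        details["rule_group"] = group[1] if group else None
    return entry


def to_events(entry_json):
    """Flatten an enriched entry into one flat dict per matched rule (ndjson-ready)."""
    tx = enrich(entry_json)["transaction"]
    events = []
    for msg in tx.get("messages", []):
        d = msg["details"]
        events.append({
            "unique_id": tx.get("unique_id"),
            "client_ip": tx.get("client_ip"),
            "uri": tx.get("request", {}).get("uri"),
            "http_code": tx.get("response", {}).get("http_code"),
            "rule_id": d.get("ruleId"),
            "message": msg.get("message"),
            "severity": d.get("severity"),
            "attack_type": d["attack_type"],
            "rule_group": d["rule_group"],
            "paranoia_level": d["paranoia_level"],
        })
    return events


if __name__ == "__main__":
    # One JSON document per line, which Filebeat/Logstash ingest directly.
    for event in to_events(SAMPLE_AUDIT_ENTRY):
        print(json.dumps(event))
```

Flattening to one event per matched rule matters for ELK: a transaction that trips several rules would otherwise land as a single document with a nested `messages` array, and Kibana aggregations over `rule_id` or `attack_type` do not work well across array elements. Deriving the classification from tags also means any custom rule that carries its own `tag:'attack-...'` action, as the reply suggests, is classified by the same code with no changes.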

deniskonovalov64 commented 2 years ago

Understood, thanks for your answer. I'll close the question.