Closed deniskonovalov64 closed 2 years ago
Hello @deniskonovalov64 ,
I'm not sure I understand your question.
If by "track" you mean have entries created in ModSecurity's audit log, then an HTTP transaction can have information included there for both its request and its response. If you are using 'SecAuditEngine RelevantOnly', then only some transactions will produce output there. If you use 'SecAuditEngine On', then ModSecurity will log all transactions.
Hello @martinhsv , thanks for your answer, this is exactly what I was looking for. I apologize for this. (
And I'll ask as soon as I have a chance. Will the data output via JSON in the audit log change or change?
There are these lines:
`"ruleId": "920280",`
`"file": "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",`
Is it possible to add another value that would look like this: `"attack type" : "PROTOCOL-ENFORCEMENT"` or `"attack type" : "REQUEST-920-PROTOCOL-ENFORCEMENT"`?
Here's how it might look to illustrate:

```json
"messages": [{
    "message": "Request Missing a Host Header",
    "details": {
        "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Host' (Value: `0' )",
        "reference": "",
        "ruleId": "920280",
        "file": "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
        "attack type" : "REQUEST-920-PROTOCOL-ENFORCEMENT",
        "lineNumber": "532",
        "data": "",
        "severity": "4",
        "ver": "OWASP_CRS/3.3.2",
        "rev": "",
        "tags": ["application-multi", "language-multi", "platform-multi", "attack-protocol", "paranoia-level/1", "OWASP_CRS", "capec/1000/210/272", "PCI/6.5.10"],
        "maturity": "0",
        "accuracy": "0"
    }
}]
```
Thanks in advance.
There is no current mechanism to add arbitrary top-level detail items to audit log reports in the way that you have illustrated.
However, if you want to add classification data or any other metadata about a triggered rule to the output, the existing "tag" action is intended for that purpose. Indeed, for the example that you have chosen, the CRS rule is already including "attack-protocol".
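One way to obtain the "attack type" classification asked for above without a new audit-log field, following the pointer to the existing `tag` action, is to derive it from the `attack-*` tag and the CRS rule file name that the log already carries. This is an added example, not ModSecurity or CRS code; the sample audit entry (including its transaction id and the placement of `messages` under `transaction`) is constructed from the fields shown in this issue.

```python
import json
import re
from pathlib import Path

# Constructed sample audit-log entry, shaped after the "messages" array in the
# issue (CRS rule 920280). The transaction id is a placeholder.
SAMPLE_AUDIT_ENTRY = json.dumps({
    "transaction": {
        "id": "example-tx-1",
        "messages": [{
            "message": "Request Missing a Host Header",
            "details": {
                "ruleId": "920280",
                "file": "/etc/nginx/modsec/coreruleset-3.3.2/rules/"
                        "REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
                "tags": ["application-multi", "language-multi", "platform-multi",
                         "attack-protocol", "paranoia-level/1", "OWASP_CRS",
                         "capec/1000/210/272", "PCI/6.5.10"],
            },
        }],
    }
})

# CRS rule files are named <PHASE>-<NUMBER>-<CATEGORY>.conf
_CRS_FILE = re.compile(r"^(?:REQUEST|RESPONSE)-\d+-(?P<category>.+)\.conf$")


def classify(details: dict) -> dict:
    """Build the classification from fields already present in a message."""
    tags = details.get("tags", [])
    # CRS classification tags carry an "attack-" prefix, e.g. attack-protocol
    attack_types = [t[len("attack-"):] for t in tags if t.startswith("attack-")]
    m = _CRS_FILE.match(Path(details.get("file", "")).name)
    category = m.group("category") if m else None
    return {
        "ruleId": details.get("ruleId"),
        "attack_types": attack_types,
        "rule_file_category": category,
    }


def classify_audit_entry(raw: str) -> list:
    """Parse one JSON audit-log entry and classify every triggered rule."""
    entry = json.loads(raw)
    messages = entry.get("transaction", {}).get("messages", [])
    return [classify(msg.get("details", {})) for msg in messages]


if __name__ == "__main__":
    print(json.dumps(classify_audit_entry(SAMPLE_AUDIT_ENTRY), indent=2))
```

Rules that carry no `attack-*` tag or do not come from a CRS-named file yield an empty list and `None` respectively, so a consumer can spot untagged custom rules.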
Understood, thanks for your answer. I close the question.
Hello, I don't know where to ask this question. Is it possible for ModSecurity to track all traffic (not just the response record) passing through it? If not, is it possible to do this? And do you have any plans to organize this?