If I'm understanding this tool the method of use is:

- turn on ModSecurity audit log on target website
- Run traffic to the site, including break-in attempts, normal usage, etc.
- turn off audit log

Update rules on the target website

Test client will parse audit log and replay the web events to the target website.

Review logs, rinse, repeat...

Have I understood the scheme?

On May 5, 2011, at 11:41 AM, Christian Bockermann wrote:

> Hi Ken,
>
> your question is hitting the spot. Currently there is no such test engine
> available. I've done some work on that by implementing a TestClient in Java,
> which basically can re-inject all requests from a recorded ModSecurity
> audit-log.
>
> I've had plans (and started some of that) to implement an "X"-Section which
> can be used to define "expected behaviour". For example, you could add some
> tests like:
>
>     RESPONSE_STATUS @eq 404
>     RESPONSE_BODY "@rx !MySQL Error"
>     ...
>
> However, since such a test-client can only check for expected results within
> the server response, this is somewhat limited. An extension might be to
> connect to the AuditConsole and check the resulting "newly created" audit log
> events for the requests that are injected for testing.
>
> If that sounds interesting to you, just drop me a line. I'd be happy to
> include such a thing in the jwall-tools (open-source).
>
> Chris
>
> On 05.05.2011 at 17:54, Ken Brucker wrote:
>
>> Hi - I have some custom rules I'd like to create and I'm looking for a test
>> engine to drive the rules and ensure I'm getting the expected results. I
>> checked the FAQ and found this question that directly relates:
>>
>> How do I handle False Positives and creating Custom Rules?
>>
>> It is inevitable; you will run into some False Positive hits when using web
>> application firewalls. This is not something that is unique to ModSecurity.
>> All web application firewalls will generate false positives from time to
>> time. The following Blog post information will help to guide you through the
>> process of identifying, fixing, implementing and testing new custom rules to
>> address false positives.
>>
>> But... the last sentence states "The following blog post information ..."
>> and there is no blog post information following. Where do I find the
>> referenced material?
>>
>> Does a test engine exist outside Apache to feed data through the rules to
>> enable easy regression testing in addition to focused testing of new rules?
>>
>> Regards,
>> Ken
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> [email protected]
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
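The replay-and-check loop discussed in this thread, sketched as an added example (not code from jwall-tools or from either poster). It parses a serial-format audit log, extracts the request to replay, and evaluates "X"-section expectations against a response. The "X" section syntax, the reading of a leading `!` as negation, and all function names are assumptions; the network send is left out so the sketch runs offline.

```python
import re

# Constructed sample entry; the "X" section is hypothetical (expectations quoted in the thread).
SAMPLE_LOG = """\
--4f2a9c1e-A--
[05/May/2011:11:41:00 +0000] SAMPLEuniqueid0000000000 192.0.2.10 51234 192.0.2.20 80
--4f2a9c1e-B--
GET /missing-page.php?id=42 HTTP/1.1
Host: test.example
--4f2a9c1e-X--
RESPONSE_STATUS @eq 404
RESPONSE_BODY "@rx !MySQL Error"
--4f2a9c1e-Z--
"""
BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")

def parse_audit_log(text):
    """Return one {section letter: text} dict per A..Z entry."""
    entries, current, letter = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            letter = m.group(1)
            if letter == "A":
                current = {}
            elif letter == "Z" and current is not None:
                entries.append({k: "\n".join(v).strip() for k, v in current.items()})
                current = None
            if current is not None:
                current[letter] = []
        elif current is not None:
            current[letter].append(line)
    return entries

def request_line(entry):
    return tuple(entry["B"].splitlines()[0].split(" ")[:2])  # (method, URI) to replay

def failed_expectations(entry, status, body):
    """Expectation lines the response violates; '!' before the argument negates (assumed)."""
    values = {"RESPONSE_STATUS": str(status), "RESPONSE_BODY": body}
    ops = {"@eq": lambda v, a: int(v) == int(a), "@rx": lambda v, a: bool(re.search(a, v))}
    failed = []
    for line in entry.get("X", "").splitlines():
        var, rest = line.split(None, 1)
        op, arg = rest.strip('"').split(None, 1)
        negate, arg = arg.startswith("!"), arg.lstrip("!")
        if ops[op](values[var], arg) == negate:  # KeyError on unknown operator or variable
            failed.append(line)
    return failed
```

After each rule update, replay every entry's request and treat a non-empty `failed_expectations` result as a regression.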
