Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events
Wesley,

What exactly are you trying to achieve here?

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

On 8/25/14 6:20 PM, Wesley Render wren...@otherdata.com wrote:

I was just wanting to follow up. Is anyone able to confirm the proper logging settings when using ModSecurity and sending the logs out via mlogc to AuditConsole? Should we have our modsecurity_crs_10_setup.conf SecDefaultAction lines set to the following?

SecDefaultAction phase:1,pass,nolog
SecDefaultAction phase:2,pass,nolog

Thanks!

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com

___
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events
I am trying to send only correlated events that are Total Inbound 5+ to mlogc. When I set the SecDefaultAction for phase 1 and phase 2 to pass,log or to nolog,auditlog it seems to send all events, even ones that are under TX 5, to the mlogc. When I set it to pass,nolog it seems to only send events that are Total Inbound 5+ to the mlogc. This is what I want, but pass,nolog is not one of the options listed in the section Alert Logging Control, so I am just not sure if having it set to nolog is the correct method when sending correlated/anomaly events to mlogc.

Regards,

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com

-Original Message-
From: Ryan Barnett [mailto:rbarn...@trustwave.com]
Sent: August-27-14 1:55 PM
To: Wesley Render; owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events

Wesley,

What exactly are you trying to achieve here?
Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events
I was just wanting to follow up. Is anyone able to confirm the proper logging settings when using ModSecurity and sending the logs out via mlogc to AuditConsole? Should we have our modsecurity_crs_10_setup.conf SecDefaultAction lines set to the following?

SecDefaultAction phase:1,pass,nolog
SecDefaultAction phase:2,pass,nolog

Thanks!

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com
Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events
On Wed, Aug 20, 2014 at 6:56 AM, Wesley Render wren...@otherdata.com wrote:

Would anyone know if it would be possible to adjust the core rule set configuration file so that only events that have a total inbound score of 5 or higher are sent to the audit log. (Running in Collaborative Detection and Anomaly Scoring Blocking)

Version: SecComponentSignature OWASP_CRS/2.2.9

Hi Wesley,

When the CRS is used in anomaly mode it should not create audit logs unless the event passes the threshold set in the 10 file. Can you send me privately an event from AuditConsole that does not have an anomaly score level above 5? I'm specifically interested in sections H and K.

- Josh
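Two things are asked for in this thread: Wesley wants only transactions whose total inbound score reaches 5 to end up in mlogc, and Josh wants to see what parts H and K of the offending audit entries contain. Both can be checked offline against the audit log itself. The script below is an added example written for this page; it is not code from ModSecurity, the OWASP CRS, mlogc or any of the posters. It parses native-format audit entries (the "--<id>-<letter>--" part boundaries written by SecAuditLogType Serial or Concurrent), reads the CRS correlation message in part H and keeps only entries at or above a threshold. The function names are mine, the regular expression for the correlation message assumes the CRS 2.2.x wording, and the three audit entries are constructed to resemble OWASP_CRS/2.2.9 output rather than captured from a server.

```python
"""Filter native-format ModSecurity audit-log entries by CRS inbound anomaly score.

Example code written for this thread, not code from ModSecurity, the OWASP CRS,
mlogc or any of the posters. The audit entries below are constructed to resemble
OWASP_CRS/2.2.9 output; they are not real captures.
"""
import re
from typing import Any, Dict, List, Optional

# Part boundary written by SecAuditLogType Serial/Concurrent, e.g. "--Uxj3a@AAAEAAF0GH-H--":
# group 1 is the transaction's unique id, group 2 the part letter (A, B, ..., Z).
BOUNDARY_RE = re.compile(r"^--([A-Za-z0-9@_-]+)-([A-Z])--$", re.MULTILINE)

# CRS 2.2.x correlation messages in part H (assumption: 2.2.x wording). The blocking
# rule reports "Inbound Anomaly Score Exceeded (Total Score: N, ...)"; the phase-5
# correlation rule reports "Inbound Anomaly Score (Total Inbound Score: N, ...)" for
# transactions that scored but were not blocked. Both wordings are accepted.
SCORE_RE = re.compile(
    r'\[msg "Inbound Anomaly Score(?: Exceeded)? \(Total (?:Inbound )?Score: (\d+)'
)
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')


def parse_audit_log(text: str) -> List[Dict[str, Any]]:
    """Split one or more audit entries into dicts {"id": ..., "sections": {letter: text}}.

    A part that was not logged (SecAuditLogParts did not request it) is simply
    absent from the sections dict; callers must tolerate that.
    """
    entries: Dict[str, Dict[str, Any]] = {}
    bounds = list(BOUNDARY_RE.finditer(text))
    for i, m in enumerate(bounds):
        uid, part = m.group(1), m.group(2)
        end = bounds[i + 1].start() if i + 1 < len(bounds) else len(text)
        body = text[m.end():end].strip("\n")
        entry = entries.setdefault(uid, {"id": uid, "sections": {}})
        entry["sections"][part] = body
    return list(entries.values())  # dicts keep insertion order (Python 3.7+)


def inbound_score(entry: Dict[str, Any]) -> Optional[int]:
    """Total inbound anomaly score announced in part H, or None when no CRS
    correlation message is present (nothing scored, or part H was not logged)."""
    scores = [int(s) for s in SCORE_RE.findall(entry["sections"].get("H", ""))]
    return max(scores) if scores else None


def matched_rule_ids(entry: Dict[str, Any]) -> List[str]:
    """Rule ids of every "Message:" line in part H, in firing order."""
    return RULE_ID_RE.findall(entry["sections"].get("H", ""))


def relevant_entries(text: str, threshold: int = 5) -> List[Dict[str, Any]]:
    """Entries whose total inbound score reaches `threshold`; entries without a
    score count as 0 and are dropped. 5 is the cut-off the thread asks for."""
    return [e for e in parse_audit_log(text) if (inbound_score(e) or 0) >= threshold]


# Constructed sample (not a real capture): three transactions, only the second of
# which exceeded the inbound threshold. Rule ids and wording follow CRS 2.2.9.
SAMPLE_LOG = """\
--tx0001-A--
[20/Aug/2014:11:30:01 --0600] tx0001 192.0.2.10 51234 198.51.100.5 80
--tx0001-B--
GET /index.html HTTP/1.1
Host: www.example.com

--tx0001-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
--tx0001-Z--

--tx0002-A--
[20/Aug/2014:11:30:02 --0600] tx0002 203.0.113.7 40100 198.51.100.5 80
--tx0002-H--
Message: Warning. Pattern match "(?i:...)" at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:981242-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:id. [file "modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=0): Last Matched Message: Detects classic SQL injection probings 1/2"]
Action: Intercepted (phase 2)
--tx0002-Z--

--tx0003-A--
[20/Aug/2014:11:30:03 --0600] tx0003 192.0.2.11 51300 198.51.100.5 80
--tx0003-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Message: Warning. Operator GT matched 0 at TX:inbound_anomaly_score. [file "modsecurity_crs_60_correlation.conf"] [line "37"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=0, XSS=0): Request Missing an Accept Header"]
--tx0003-Z--
"""

if __name__ == "__main__":
    for e in parse_audit_log(SAMPLE_LOG):
        print(e["id"], "score:", inbound_score(e), "rules:", matched_rule_ids(e))
    print("would forward:", [e["id"] for e in relevant_entries(SAMPLE_LOG)])
```

Run against the entries AuditConsole actually received, the script answers Josh's question directly: an entry that arrived without any correlation message in part H was made relevant by something other than the anomaly score (for example the SecAuditLogRelevantStatus match on a 4xx/5xx response), while an entry carrying "Total Inbound Score: 2" shows the phase-5 correlation rule marking a sub-threshold transaction. Keeping the unscored case as None rather than 0 preserves that distinction for the reader of the report.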
Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events
When I set it to the following, I get a lot less logs coming in. I am confused on how it should be set as well when sending logs to AuditConsole using mlogc. Here is a summary of relevant settings I have right now (below). I guess it seems as though the logging settings are not able to combine one correlated event into the audit log. They can only combine one correlated event into the apache error_log?

modsecurity_crs_10_setup.conf Settings
##
# Collaborative Detection Mode
SecDefaultAction phase:1,pass,nolog
SecDefaultAction phase:2,pass,nolog

# Collaborative Detection Blocking
#
SecAction \
  "id:'94', \
  phase:1, \
  t:none, \
  setvar:tx.anomaly_score_blocking=on, \
  nolog, \
  pass"

modsec2.user.conf Settings
##
SecDataDir /usr/local/apache/conf/sec-data
SecTmpDir /usr/local/apache/conf/sec-tmp
SecRuleEngine On
SecPcreMatchLimit 5
SecPcreMatchLimitRecursion 5
# With SecRequestBodyAccess turned on care needs to be taken with false positives
SecRequestBodyAccess On
SecRequestBodyLimit 134217728
SecRequestBodyLimitAction ProcessPartial
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524228
SecResponseBodyLimitAction ProcessPartial
SecServerSignature Apache
SecCookieFormat 0
# Additional ModSecurity Logging Options for mlogc
# Use RelevantOnly auditing
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^(?:5|4(?!04))
# Must use concurrent logging
SecAuditLogType Concurrent
# Send all audit log parts
SecAuditLogParts ABDEFHIJKZ
# Use the same /CollectorRoot/LogStorageDir as in mlogc.conf
SecAuditLogStorageDir /var/log/mlogc/data
# Pipe audit log to mlogc with your configuration
SecAuditLog |/usr/local/modsecurity/bin/mlogc /etc/mlogc.conf
# OWASP Rules
Include conf/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include conf/owasp-modsecurity-crs/activated_rules/*.conf
# Trustwave Commercial Rules
Include conf/slr_vuln_rules/owasp_crs_integration/attack_type/*.conf

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com

-Original Message-
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Earl Fogel
Sent: August-20-14 9:59 AM
To: OWASP Mod Security
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events

I have this problem as well. I also have:

SecDefaultAction phase:1,pass,nolog,auditlog
SecDefaultAction phase:2,pass,nolog,auditlog
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^(?:5|4(?!04))

Could that be relevant? How should these be set in collaborative detection mode?

Earl