How to customize modsecurity output?

Anything concerning Apache can be discussed here.


Postby asadz » 14. September 2013 10:27

I have an apache server which uses mod_security configuration. Those logs are further analyzed and sent out to OSSEC server for intrusion detection and monitoring.

That OSSEC server then sends those logs for normalization and advanced correlation to a SIEM. The parser at the SIEM is able to parse quite a few mod_sec messages, but one particular type of message, which includes in its payload

> "rx ^%{tx.allowed_request_content_type}$"

cannot seem to be parsed at the SIEM system. Instead of changing the parser code at the SIEM end, which may seem impossible because it's closed source, I want to know if there is a way to change the logging output, much like Apache's custom log features. The full log payload is shown below:

> Sep 13 13:35:37 ossec-server ossec: Alert Level: 7; Rule: 50118 -
> Access attempt blocked by Mod Security.; Location: (WebServer)
> /usr/local/apache2/logs/error_log; [Fri Sep 13 13:37:09.190450 2013] [:error] [pid 2584:tid 140049089795840] [client
>] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required.
> [file
> "/usr/local/apache2/conf/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"]
> [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not
> allowed by policy"] [data "application/octet-stream"] [severity
> "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag
> "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
> [hostname ""] [uri "/"] [unique_id "UjLOtQoKUakAAAoYEh8AAAAO"]

Can I specify Apache not to log the above highlighted text when writing logs?
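As an added example (not from the original post, and not an answer about ModSecurity's own configuration), the following Python parser handles the ModSecurity 2.x error_log message format quoted above: it splits the `[name "value"]` fields into a dict, picks out the `Match of "..." against "..."` clause that the SIEM chokes on, and offers a helper that strips that clause in an intermediate pipeline step (e.g. before forwarding from the OSSEC side). The sample line is the one from the post, reassembled; the function names are this example's own.

```python
import re

# Constructed sample: the ModSecurity error_log message quoted in the post,
# joined back onto a single line (the client IP was blank in the post).
SAMPLE = (
    '[Fri Sep 13 13:37:09.190450 2013] [:error] [pid 2584:tid 140049089795840] '
    '[client ] ModSecurity: Access denied with code 403 (phase 1). '
    'Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. '
    '[file "/usr/local/apache2/conf/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] '
    '[line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] '
    '[data "application/octet-stream"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] '
    '[maturity "9"] [accuracy "9"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] '
    '[tag "PCI/12.1"] [hostname ""] [uri "/"] [unique_id "UjLOtQoKUakAAAoYEh8AAAAO"]'
)

# ModSecurity writes its fields as [name "value"]; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The free-text clause that trips the SIEM parser: operator plus matched variable.
MATCH_RE = re.compile(r'Match of "(?P<operator>(?:[^"\\]|\\.)*)" against "(?P<variable>[^"]*)" required\. ')
CODE_RE = re.compile(r'Access denied with code (\d+) \(phase (\d+)\)')


def parse_modsec_message(line: str) -> dict:
    """Split a ModSecurity 2.x error_log message into structured fields."""
    event = {"tags": []}
    m = CODE_RE.search(line)
    if m:
        event["status"] = int(m.group(1))
        event["phase"] = int(m.group(2))
    m = MATCH_RE.search(line)
    if m:
        event["operator"] = m.group("operator")
        event["variable"] = m.group("variable")
    # Only the bracketed fields after "ModSecurity:" are the rule's own metadata;
    # the Apache prefix ([pid ...], [client ...]) is skipped.
    start = max(line.find("ModSecurity:"), 0)
    for key, value in FIELD_RE.findall(line[start:]):
        if key == "tag":
            event["tags"].append(value)  # a message can carry several [tag ...]
        else:
            event[key] = value
    return event


def strip_match_clause(line: str) -> str:
    """Return the message with the 'Match of ... required.' clause removed,
    keeping every [name "value"] field intact for a downstream parser."""
    return MATCH_RE.sub("", line)
```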
