- A reverse proxy as in Tutorial 9 (Setting up a reverse proxy).
- An OWASP ModSecurity Core Rule Set installation as in Tutorial 7 (Embedding ModSecurity Core Rules).

Step 1: Using ModSecurity to capture the entire traffic

In Tutorial 6 we saw how we are able to configure ModSecurity to capture the entire traffic from a single client IP address. The ModSecurity audit engine labels the different parts of the audit log with letter abbreviations. However, depending on the settings of the SecAuditLogParts directive, not all parts of a request are recorded. Let's have a look at the different options in this directive:

Part A: The starting part of a single entry/request (required).
Part C: The HTTP request body (including the raw data of a file upload; only if body access was enabled via SecRequestBodyAccess).
Part E: The HTTP response body (only if body access was enabled via SecRequestBodyAccess).
Part F: The HTTP response headers (without the Date and Server headers, which Apache itself sets right before the response leaves the server).
Part H: Further information from ModSecurity about the request, such as the entries repeated from the Apache error log, the action taken, timing information, etc.
Part I: The HTTP request body in a space-saving version (uploaded files are not included in full, only a few key parameters for each file).
Part J: Additional information about file uploads.
Part K: A list of all rules that matched (the rules themselves are normalized, including all inherited declarations).
Part Z: End of a single entry/request (required).

In Tutorial 6 we made the following selection for the individual parts:

    SecAuditLogParts ABEFHIJKZ

We have defined a very comprehensive log. This is the right approach in a lab-like setup. However, in a production environment this is only useful in exceptional cases. A typical variation of this directive in a production environment would thus be:

    SecAuditLogParts ABFHKZ

The request and response bodies are no longer being captured. This saves a lot of storage space, which is important on badly tuned systems. The parts of the body that violate individual rules are nonetheless written to the error log and to Part K. However, from case to case, you will still want to capture the entire body. In cases such as these you can use a ctl directive in the action part of a SecRule. Multiple additional parts can be selected via auditLogParts:

    SecRule REMOTE_ADDR "127.0.0.1" \
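As an added example (not the tutorial's own configuration), the complete rule that keeps the space-saving production selection globally but switches the request and response bodies back on for a single client address; the rule id 10000, the choice of the @ipMatch operator and the client address are assumptions:

```apache
# Global, space-saving selection: no request body (C/I), no response body (E),
# no file-upload details (J). Part B (request headers), F (response headers),
# H (ModSecurity's own notes) and K (the matching rules) are still recorded.
SecAuditEngine RelevantOnly
SecAuditLogParts ABFHKZ

# Body parts are only written if body access is enabled: I needs
# SecRequestBodyAccess On, E needs SecResponseBodyAccess On.
SecRequestBodyAccess On
SecResponseBodyAccess On

# For one client address only (127.0.0.1 is a placeholder), enable the audit
# log unconditionally and add the request body (I) and the response body (E)
# to the recorded parts. The "+" prefix appends to the global selection
# instead of replacing it. Rule id 10000 is a placeholder from the local range.
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
    "id:10000,phase:1,pass,log,auditlog,\
    ctl:auditEngine=On,\
    ctl:auditLogParts=+EI"
```

Remove the rule again once the investigation is finished; with ctl:auditEngine=On every request from that address is logged, not only the ones that trigger a rule.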