Skip to content

feature request: audit log only if disruptive #2696

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
liudongmiao opened this issue Mar 12, 2022 · 7 comments
Closed

feature request: audit log only if disruptive #2696

liudongmiao opened this issue Mar 12, 2022 · 7 comments

Comments

@liudongmiao
Copy link
Contributor

liudongmiao commented Mar 12, 2022
edited
Loading

coreruleset v3 introduces Paranoia Level, assign score for rule, and evaluate in separate rule.

In some cases, the request is not disruptive, however it's logged in audit log. We'd like to log disruptive request only in product environment.

And, in DetectionOnly mode, the request is not disruptive at all, however, it should be logged too.

(Currently, we modify the source code, use severity level to check for log.)
@liudongmiao
Copy link
Contributor Author

ctl:auditengine should solve this issue: #2606 However, it's rule based.

@liudongmiao liudongmiao changed the title feature request: audit log only if disruptive feature request: audit log only if disruptive or severity level Mar 12, 2022
@liudongmiao liudongmiao changed the title feature request: audit log only if disruptive or severity level feature request: audit log only if disruptive Mar 12, 2022
@martinhsv
Copy link
Contributor

"In some cases .. "

Please provide at least one specific example where the current functionality is not what you would reasonably expect.

@liudongmiao
Copy link
Contributor Author

@martinhsv As we use score-mode like CRS, when rule match, it doesn't mean disruptive or block.

We'd like to only log for disruptive requests.

SecRule ARGS "@rx ..." "id:1,setvar:evilscore+=2"

SecRule ARGS "@rx ..." "id:2,setvar:evilscore+=2"

TX:evilscore "@ge 8" "id:9,deny"

Then if only id-1 / id-2 matched, if it's not reached id-9 (score evaluation), then matched auditlog is off.
However, if it's reached id-9 (score evaluation), then show all-matched auditlog.

noauditlog for id-1 / id-2 cannot solve this problem, if id-9 is logged, there is no auditlog for id-1/id-2 at all.
auditlog for id-1/id-2 cannot solve this problem, if id-9 is not reached, there is always auditlog for id-1/id-2 if match.

@liudongmiao
Copy link
Contributor Author

@martinhsv Actually, I have implemented all the feature request by me.
However, I'd like this can be implemented in to official ModSecurity to avoid maintain a forked ModSecurity.

@martinhsv
Copy link
Contributor

Hi @liudongmiao ,

If you want to omit all writing to the audit log if the HTTP response code is 200, you could create a rule that tests RESPONSE_STATUS and include 'ctl:auditEngine=Off' in its actions. (Note that ctl:auditEngine is available in v3/master but not in the tagged version of v3.0.6 from last November.)

@martinhsv
Copy link
Contributor

Hi @liudongmiao ,

Have you tried using that last suggestion? Since that posting, ctl:auditEngine has been available in multiple official releases (since v3.0.7).

@liudongmiao
Copy link
Contributor Author

@martinhsv Yes, ctl:auditEngine solve my issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@liudongmiao @martinhsv