ModSecurity Alert Management - OpenSource Training

Recommendations

Info

--edb3cf77-A-- [21/Oct/2009:03:50:13 +1100] St3qRcsU0B8AADZKK0cAAAAA 12.34.56.78 57937 123.456.789.123 443 --edb3cf77-B-- GET /cart/ HTTP/1.1 Connection: Keep-Alive Host: example.xom Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 --edb3cf77-E-- The page cannot be found BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } The page cannot be found The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly. If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. Click the Back button to try another link. HTTP Error 404 - File or directory not found.Internet Information Services (IIS) Technical Information (for support personnel) ... Open Source Trends 2012, Steinfurt Christian Bockermann - chris @ jwall.org
--edb3cf77-F-- HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Vary: Accept-Encoding Keep-Alive: timeout=15, max=55 Connection: Keep-Alive --edb3cf77-H-- Message: String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/opt/modsecurity/etc/rules/base_rules/ modsecurity_crs_20_protocol_violations.conf"] [line "61"] [id "960020"] [msg "Pragma Header requires Cache- Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"] Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/opt/modsecurity/etc/rules/base_rules/ modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 5): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] Apache-Handler: proxy-server Stopwatch: 1256057413859166 67702 (355 47563 67008) Response-Body-Transformed: Dechunked Producer: <strong>ModSecurity</strong> for Apache/2.5.10-dev3 (http://www.modsecurity.org/); core ruleset/2.0.1. Server: Apache/2.2.14 (Debian) mod_ssl/2.2.14 OpenSSL/0.9.8g --edb3cf77-K-- SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION" SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,chain,t:none,block,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:PROTOCOL_VIOLATION/INVALID_HREQ" SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain" SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score= +5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-% {matched_var_name}=%{matched_var}" SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5" SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,auditlog,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK" SecAction "phase:2,auditlog,nolog,skipAfter:END_XSS_REGEX" SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_sql_injection.data" "phase: 2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_ET_SQLI_RULES" SecRule "REQUEST_FILENAME" "!@pmFromFile modsecurity_46_et_web_rules.data" "phase: 2,auditlog,nolog,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,skipAfter:END_SNORT_RULES" SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score % {TX.ANOMALY_SCORE}): %{tx.msg}'" --edb3cf77-Z-- Open Source Trends 2012, Steinfurt Christian Bockermann - chris @ jwall.org
Page 1 and 2: AuditConsole ModSecurity Alert Mana
Page 3 and 4: Über mich ‣ Lehrstuhl für küns
Page 5 and 6: ModSecurity Open Source Web Applica
Page 7 and 8: ModSecurity ModSecurity ist ein Fil
Page 9 and 10: ModSecurity - Setups Apache ModSecu
Page 11: ModSecurity Audit-Logs --289e0346-A
Page 15 and 16: ModSecurity Log-Management Log-Date
Page 17 and 18: ModSecurity Log-Management Rechtlic
Page 19 and 20: AuditConsole Frei verfügbare J2EE
Page 21 and 22: AuditConsole ModSecurity enthält e
Page 23 and 24: Open Source Trends 2012, Steinfurt
Page 25 and 26: 123.456.789.012 123.456.789.012 123
Page 27 and 28: Filtern von Ereignissen Unterschied
Page 29 and 30: Darstellung von Ereignissen ‣ Pre
Page 31 and 32: Open Source Trends 2012, Steinfurt
Page 33 and 34: --edb3cf77-A-- [21/Oct/2009:03:50:1
Page 35 and 36: Tagging ‣ Spezielle #-tags könne
Page 37 and 38: AuditConsole - Event Verarbeitung J
Page 39 and 40: AuditConsole - Event Verarbeitung J
Page 41 and 42: Site Konzept ‣ Typischerweist ent
Page 43 and 44: Multi-User Konzept ‣ Die AuditCon
Page 45 and 46: Multi-User Konzept ‣ Zusätzlich
Page 47 and 48: Event Regeln Benutzer können Regel
Page 49 and 50: Reporting DocBook basierte Reportin
Page 51 and 52: Reporting Geo-IP Darstellung in Rep
Page 53 and 54: Reporting Einfache Aggregation von
Page 55 and 56: AuditConsole ‣ Top Log-Management
Page 57 and 58: AuditConsole - 0.4.7-SNAPSHOT ‣ U
Page 59 and 60: AuditConsole Cluster ‣ Eine einze
Page 61 and 62: AuditConsole Cluster ‣ Eine einze
Page 63 and 64:
AuditConsole Cluster ‣ Jeder Knot
Page 65 and 66:
AuditConsole Cluster AuditConsole C
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
(J) Ruby Scripting im Cluster JRuby
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
AuditConsole ‣ Aktueller Entwickl
Page 79 and 80:
AuditConsole Support ‣ Aktuell
show all

ModSecurity Alert Management - OpenSource Training

Create successful ePaper yourself

Delete template?

Save as template?