Skip to content

4sp1r3/modsecurity-exception-factory

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

114 Commits

.settings

.settings

 
 

modsecurity_exception_factory

modsecurity_exception_factory

 
 

tests

tests

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

.project

.project

 
 

.pydevproject

.pydevproject

 
 

README.rst

README.rst

 
 

setup.cfg

setup.cfg

 
 

setup.py

setup.py

 
 

version.conf

version.conf

 
 

Repository files navigation

ModSecurity Exception Generator

ModSecurity Exception Generator is a tool that generates ModSecurity exception rules by automatically analyzing ModSecurity audit logs. This is very useful and almost essential to avoid false positives and rejecting legitimate clients.

Installation

pip install modsecurity-exception-generator

Usage

Command options

-d

SQL URL of the data store where the ModSecurity audit log parsed data will be stored and loaded from.

Example: 'sqlite:////tmp/modsecurity-exception-factory.db'.

-i [Optional]

Path to the ModSecurity audit log file to parse.

One can use '-' as a value for this parameter to read the audit log data from standard input.

-c [Optional]

Path of the optional configuration file.

Basic examples

modsecurity-exception-generator \
    -i /path/to/modsec_audit.log \
    -d "sqlite:////tmp/service.db" \
> modsecurity_crs_15_exceptions.conf
zcat modsec_audit.log.*.gz \
| modsecurity-exception-generator \
    -i - \
    -d "sqlite:////tmp/service.db" \
> modsecurity_crs_15_exceptions.conf

WARNING

The produced exceptions must be loaded BEFORE the rules they are applied to.

Removing superfluous exceptions

Generating exceptions by simply running the 'modsecurity-exception-generator' program, as in the basic examples, might generate some superfluous exception rules. Thus we need some advanced options to obtain smarter results. That's where the YAML configuration file given using the '-c' option comes in handy.

The YAML configuration file supports the following directives:

ignore

Indicates which logs most be ignored by the exception generator.

example

To ignore any log message produced by the rule with the id 981176.

ignore:
   rule_id: [981176]

This can also be applied to other variables like 'host_name' (targeted host name), 'request_filename' (targeted url) or 'payload_container' (the variable that matched the rule).

minimum_occurrence_count_threshold

Ignore exceptions that affect less than minimum_occurence_count_threshold log message occurrences.

maximum_value_count_threshold

Sometimes, exceptions rules can have conditions with too many values like the following example.

SecRule REQUEST_FILENAME "@rx ^(/foo_bar|/blabla|/test_2/|...)$" ...

This condition can be ignored by setting maximum_value_count_threshold to a value lesser than the number of values in the regular expression.

Configuration example for the Core Rule Set

ignore:
    rule_id: [981174, 981176, 981203, 981200, 981201, 981202, 981203, 981204, 981205, 981220]

minimum_occurrence_count_threshold: 1000

About

The only tool that parses your ModSecurity audit logs to generate exceptions automagically ;)

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

5 tags

Packages

No packages published

Languages

  • Python 100.0%