christian.folini | 5 Oct 2010 10:09

Re: [Owasp-modsecurity-core-rule-set] Call for Assistance: ModSecurity/CRS Event Data Statistics

Hi Ryan,

Is there a compatible one-liner that would allow extracting the same information from the audit-log
produced by the core rules of the pre-2 rulebase
(1.5 actually)?

There are quite a few production-level audit-logs around here.

Best,

Christian

-----Original Message-----
From: owasp-modsecurity-core-rule-set-bounces <at> lists.owasp.org
[mailto:owasp-modsecurity-core-rule-set-bounces <at> lists.owasp.org] On behalf of Ryan Barnett
Sent: Tuesday, 5 October 2010 04:04
To: Christian Bockermann
Cc: mod-security-users <at> lists.sourceforge.net; owasp-modsecurity-core-rule-set <at> lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] [mod-security-users] Call for Assistance:
ModSecurity/CRS Event Data Statistics

This is a great addition, Christian! Yeah, let's chat about posting this data to a stats service that we can
host on the ModSecurity site.

Sent from my iPhone

On Oct 4, 2010, at 7:12 PM, "Christian Bockermann" <chris <at> jwall.org> wrote:

> Hi all,
> 
> sounds like a nice plan by Ryan.
> 
> I just extended my jwall-tools package to provide the information you requested (either by
> applying it to a serial audit-log file or by applying it to a directory, in which case it will
> recursively scan for audit-event data files).
> 
>  <at> Ryan:
> Right now, the tools just output the data in plain text. I plan to provide the data in CSV format
> and XML format as well and thought about providing an auto-upload function to push the data to
> a statistics-service (anonymously, of course).
> (If you're interested in working on that jointly, just drop me a line.)
> 
> 
> The updated jwall-tools can be found at:
> 
>    https://secure.jwall.org/download/jwall-tools.jar
> 
> The md5-checksum of that file is 4cc35f5d07d6503357907473307e7609
> These updated jwall-tools contain a new command "stats", which can be issued as:
> 
>     java -jar jwall-tools.jar stats /path/to/audit.log
> or 
>     java -jar jwall-tools.jar stats /path/to/concurrent/audit/dir
> 
> 
> The following is given as output of the above command:
> 
> 
> [chris <at> jwall: ~]$  java -jar jwall-tools.jar stats audit.log
> ..............................................................................................................................................................................................................................................................................................................................................................
> 53754 events processed in 16 seconds.
> Event date range from 02/26/2010 08:00 to 09/03/2010 08:33.
> 
> -------------------------------------------------------
> Rule Messages:
>       118   Detects JavaScript location/document property access and window access obfuscation
>       114   Detects common XSS concatenation patterns 1/2
>        51   The application is not available
>        27   Detects possible includes and typical script methods
>        24   Invalid request
>        23   Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.
>        21   Request Missing an Accept Header
>        20   Detects common XSS concatenation patterns 2/2
>        17   Detects obfuscated JavaScript script injections
>        14   Comment Evasion Attempt7
>        13   Detects self-executing JavaScript functions
>         8   Detects data: URL injections, VBS injections and common URI schemes
>         7   Detects JavaScript with(), ternary operators and XML predicate attacks
>         7   Detects basic directory traversal
>         5   Detects JavaScript object properties and methods
>         5   Detects common function declarations and special JS operators
>         5   Detects self
>         4   Detects JavaScript language constructs
>         4   Detects nullbytes and other dangerous characters
>         2   Host header is a numeric IP address
> 
> -------------------------------------------------------
> Rule-IDs:
>        67   phpids-3
>        57   phpids-30
>        35   phpids-2
>        30   phpids-23
>        21   960015
>        17   970901
>        15   phpids-1
>        13   phpids-16
>        12   960913
>        12   phpids-31
>         8   hpp-1
>         7   phpids-27
>         7   phpids-7
>         5   phpids-25
>         5   phpids-8
>         4   phpids-converter-comment-evasion
>         3   phpids-10
>         3   phpids-20
>         2   960017
>         2   phpids-39
>         1   phpids-17
>         1   phpids-6
>         1   phpids-62
> 
> -------------------------------------------------------
> Tags:
>        21   PROTOCOL_VIOLATION/MISSING_HEADER
>         2   PROTOCOL_VIOLATION/IP_HOST
> -------------------------------------------------------
> 
> 

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set <at> lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
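The three count tables that the jwall-tools "stats" command prints, rebuilt from a serial audit log with the kind of grep/sed/uniq pipeline Christian Folini asks for. This is an added example, not jwall-tools code or anything posted in the thread; it assumes the H-section "Message:" lines carry [id "..."], [msg "..."] and [tag "..."] fields as the 1.x and 2.x core rules emit them, and the function names and the sample log are constructed for the example.

```shell
#!/bin/sh
# Counts rule messages, rule IDs and tags (the three tables jwall-tools "stats"
# prints) plus the event count and date range from a serial ModSecurity audit
# log, using only grep/sed/sort/uniq. Assumes each H-section "Message:" line
# carries [id "..."] [msg "..."] [tag "..."]; helper names are made up here.

# Constructed two-event sample in the serial A/H/Z layout, not a real log.
SAMPLE_LOG=$(cat <<'EOF'
--1a2b3c4d-A--
[26/Feb/2010:08:00:12 +0100] S4d1xH8AAAEAAGnaAYAAAAAA 192.0.2.10 51234 192.0.2.1 80
--1a2b3c4d-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "20"] [id "960015"] [msg "Request Missing an Accept Header"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Pattern match "..." at ARGS:q. [file "modsecurity_crs_46_xss_attacks.conf"] [line "3"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [tag "WEB_ATTACK/XSS"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[03/Sep/2010:08:33:01 +0200] TIJ1xH8AAAEAAGnaAYAAAAAB 192.0.2.11 51235 192.0.2.1 80
--5e6f7a8b-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "20"] [id "960015"] [msg "Request Missing an Accept Header"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Pattern match "^[0-9.:]+$" at REQUEST_HEADERS:Host. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "33"] [id "960017"] [msg "Host header is a numeric IP address"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
--5e6f7a8b-Z--
EOF
)

# audit_stats FIELD: read an audit log on stdin, print "COUNT VALUE" lines,
# most frequent first, for FIELD = id, msg or tag. grep -o emits one match per
# bracketed field, so a Message line carrying several tags counts once per tag.
audit_stats() {
  grep '^Message:' \
    | grep -o "\[$1 \"[^\"]*\"]" \
    | sed 's/^\[[a-z]* "//; s/"]$//' \
    | sort | uniq -c | sort -rn \
    | sed 's/^[[:space:]]*//'
}

# audit_events: one A-section boundary line per event.
audit_events() {
  grep -c '^--[^-]*-A--$'
}

# audit_date_range: first and last A-section timestamps (log assumed in order).
audit_date_range() {
  sed -n 's/^\[\([^]]*\)\].*/\1/p' | sed -n '1p;$p'
}

# Stand-alone run over the constructed sample.
for field in msg id tag; do
  printf '%s\n' "== $field =="
  printf '%s\n' "$SAMPLE_LOG" | audit_stats "$field"
done
```

Replace the sample with `cat audit.log | audit_stats id` to run it over a real serial log; for a concurrent log directory, feed it `find dir -type f | xargs cat` instead.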
