
modsecurity 2 - disable logging for specific rule IDs?

Stack Overflow user
Asked on 2017-04-26 15:28:49
2 answers, 1.3K views, 0 followers, 0 votes

In mod-security2, I want to disable logging for some specific rule IDs (the most common false positives in the default rules).

I want to keep the rules' anomaly scoring, but just turn off the logging for some of them.

How do I do that?


2 answers

Stack Overflow user

Accepted answer

Posted on 2017-04-27 00:24:22

You can use SecRuleUpdateActionById to do this.

For example, if you have the following:

```apache
SecRule ARGS attack "phase:2,id:12345,log,pass"
SecRuleUpdateActionById 12345 "pass"
```

Then that will remove the logging. Note this completely replaces the actions part of the rule (except for phase and id), so you need to copy all of the original rule's actions into SecRuleUpdateActionById. Not sure how sustainable that is in the long term, as if you ever update the rules to a new version you need to check that none of the actions have changed.

To be honest, noisy logging is one of the main reasons I don't like the anomaly scoring approach; I prefer rules to only fire when they mean something, so I use the standard blocking mode and completely disable noisy rules if they frequently give false positives.

Votes: 3

Stack Overflow user

Posted on 2017-04-27 21:34:37

To solve this, I ended up writing a little util script to turn off logging for specific rule IDs that were cluttering the log file too much.

It works well enough for my needs, but use it at your own risk; it's open source for a reason! :)

```bash
#!/bin/bash

# Filename: suppress_logging.sh
#
# From your mod-security base_rules/ directory, do: mkdir -p ../tools/
# Put this script in that tools/ directory, and run it to turn off logging for specific rules (frequent false alerts)
#
# For example, rule-id 123456 will be "overridden" with a new rule-id 9123456 that does exactly the same thing, but without logging anything (nolog).
#
# For rules defined in a single line, use the function: suppressLoggingForSinglelineRule below.
#
# For rules spanning over multiple lines (including chained-rules), use the function: suppressLoggingForMultilineRule below.
#
# This script was developed and used for mod-security version: 2.1.9.

cd ../base_rules/ || exit 1

# Start from empty scratch files; they collect the SecRuleRemoveById lines plus the original rule text.
cat /dev/null > z_logging_suppress.TMP
cat /dev/null > z_logging_suppress_multiline.TMP

function suppressLoggingForSinglelineRule(){
  ruleId="$1"
  echo "Processing suppressLoggingForSinglelineRule $ruleId"
  echo "SecRuleRemoveById $ruleId" >> z_logging_suppress.TMP
  # -w keeps e.g. 1960032 from matching when 960032 was asked for
  cat modsecurity_*.conf | grep -w "$ruleId" >> z_logging_suppress.TMP
}

function suppressLoggingForMultilineRule(){
  ruleId="$1"
  before="$2"
  after="$3"
  echo "Processing suppressLoggingForMultilineRule $ruleId"
  echo "SecRuleRemoveById $ruleId" >> z_logging_suppress_multiline.TMP
  cat modsecurity_*.conf | grep -w -B"${before}" -A"${after}" "$ruleId" >> z_logging_suppress_multiline.TMP
}

suppressLoggingForSinglelineRule 960032
suppressLoggingForSinglelineRule 960034
# ... here add your own annoying rule-ids from the log-files ...
# ...

suppressLoggingForMultilineRule 960010 0  2  # This means the rule spans 0 lines BEFORE the rule-id, and 2 lines AFTER, in the modsecurity_*.conf file, etc.
suppressLoggingForMultilineRule 960011 3 16
# ... here add your own annoying rule-ids from the log-files ...
# ...

# If the rule contains: ,block,
#   change it to: ,block,nolog,    (this is true for most rules)
# If the rule contains: ,log,
#   change it to ,nolog,           (a few rules)
# BUT BEWARE -- there are a few rules in the modsecurity_* scripts that contain neither -- this won't work for those.

cat z_logging_suppress.TMP            | sed '1,$s/,block,/,block,nolog,/' | sed '1,$s/ block,/ block,nolog,/' | sed '1,$s/,log,/,nolog,/' > z_logging_suppress.TMP2
cat z_logging_suppress_multiline.TMP  | sed '1,$s/,block,/,block,nolog,/' | sed '1,$s/ block,/ block,nolog,/' | sed '1,$s/,log,/,nolog,/' > z_logging_suppress_multiline.TMP2

# Give the copied rule a new id by prefixing the original id with 9 (handles ,id:' "id:' and  id:' spellings).
cat z_logging_suppress.TMP2           | sed '1,$s/,id:'"'"'/,id:'"'"'9/'  | sed '1,$s/"id:'"'"'/"id:'"'"'9/'  | sed '1,$s/ id:'"'"'/ id:'"'"'9/' >  z_logging_suppress.conf
cat z_logging_suppress_multiline.TMP2 | sed '1,$s/,id:'"'"'/,id:'"'"'9/'  | sed '1,$s/"id:'"'"'/"id:'"'"'9/'  | sed '1,$s/ id:'"'"'/ id:'"'"'9/' >  z_logging_suppress_multiline.conf

echo "SANITY CHECK -- The following counts should give identical numbers:"
grep -c '^SecRule ' z_logging_suppress.conf
grep -c ',nolog,' z_logging_suppress.conf
if [ "$(grep -c '^SecRule ' z_logging_suppress.conf)" != "$(grep -c ',nolog,' z_logging_suppress.conf)" ]; then
  echo '   *** WARNING -- Sanity check FAILED ***'
fi

echo "SANITY CHECK -- The following counts should give identical numbers:"
grep -c '^SecRule ' z_logging_suppress_multiline.conf
grep -c ',nolog,' z_logging_suppress_multiline.conf
if [ "$(grep -c '^SecRule ' z_logging_suppress_multiline.conf)" != "$(grep -c ',nolog,' z_logging_suppress_multiline.conf)" ]; then
  echo '   *** WARNING -- Sanity check FAILED ***'
fi

# You may comment-out the following line while debugging/maintaining this script,
# so you can diff what the final sed-commands do.
# Activate it when you are done, to remove the *.TMP* files:
# rm *.TMP *.TMP2
```
Votes: 0
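Both answers rely on the same manipulation of a rule's action list: the first answer copies the original actions into a SecRuleUpdateActionById directive (minus log), the second clones the rule under a 9-prefixed id with nolog spliced in. The following Python script is an added example, not code from either answer or from the ModSecurity project, that does both from one parser. Unlike the sed version it is quote-aware (commas inside msg:'...' are not split), keeps a chained rule's follower lines with the id-bearing rule, and handles the "neither block nor log" case the script's comments warn about by appending nolog. The rules in SAMPLE_CONF are constructed for the demo and are not real CRS rules; the 9-prefix convention is taken from the posted script.

```python
import re

# Constructed modsecurity_*.conf fragment for this example; the ids echo the posted
# script, but the rules themselves are made up and are not real CRS rules.
SAMPLE_CONF = """\
# constructed sample rules
SecRule ARGS "attack" \\
    "phase:2,id:'960032',t:none,block,msg:'Noisy rule one'"
SecRule REQUEST_HEADERS:User-Agent "^$" "phase:1,id:'960034',log,pass,msg:'Empty UA'"
SecRule REQUEST_METHOD "!^(?:GET|HEAD)$" "phase:2,chain,id:'960010',t:none,block,msg:'Chained, noisy'"
    SecRule REQUEST_HEADERS:Content-Type "!^text/plain" "t:none"
SecRule ARGS "other" "phase:2,id:'960011',t:none,deny,msg:'Neither log nor block'"
"""

ID_RE = re.compile(r"\bid:'?(\d+)'?")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def _logical_lines(conf):
    """Join backslash-continued physical lines into one logical line each."""
    out, buf = [], ""
    for line in conf.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf] if buf else [])

def _actions_of(line):
    """The action list is the rule's third argument (last quoted string); '' if it has only two."""
    quoted = QUOTED_RE.findall(line)
    return quoted[-1] if len(quoted) >= 2 else ""

def split_actions(actions):
    """Split on commas, but not on commas inside msg:'...' single quotes."""
    parts, buf, in_quote = [], "", False
    for ch in actions:
        in_quote ^= (ch == "'")
        if ch == "," and not in_quote:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    return parts + ([buf.strip()] if buf.strip() else [])

def parse_rules(conf):
    """Map each rule id to its logical lines; chained followers stay with the id-bearing rule."""
    rules, current_id, in_chain = {}, None, False
    for line in _logical_lines(conf):
        if not line.lstrip().startswith("SecRule "):
            continue
        if in_chain and current_id is not None:
            rules[current_id].append(line)
        elif (m := ID_RE.search(line)):
            current_id = m.group(1)
            rules[current_id] = [line]
        else:
            continue  # a rule without an id cannot be targeted by id anyway
        in_chain = "chain" in split_actions(_actions_of(line))
    return rules

def _nolog_actions(actions):
    """Logging off: drop 'log'; put 'nolog' after 'block' if present, else at the end (neither case)."""
    out = [a for a in actions if a != "log"]
    if "nolog" not in out:
        out.insert(out.index("block") + 1 if "block" in out else len(out), "nolog")
    return out

def suppressed_copy(rule_lines, new_prefix="9"):
    """Second answer's approach: clone the rule under a prefixed id with nolog added."""
    first, old = rule_lines[0], _actions_of(rule_lines[0])
    acts = [re.sub(r"(id:'?)(\d+)", lambda m: m.group(1) + new_prefix + m.group(2), a)
            if a.startswith("id:") else a for a in _nolog_actions(split_actions(old))]
    start = first.rfind('"' + old + '"')
    return [first[:start] + '"' + ",".join(acts) + '"' + first[start + len(old) + 2:]] + rule_lines[1:]

def suppress_logging(conf, rule_ids, new_prefix="9"):
    """Emit SecRuleRemoveById plus the nolog clone for each requested id."""
    rules, out = parse_rules(conf), []
    for rid in rule_ids:
        if rid not in rules:
            raise KeyError(f"rule id {rid} not found in the configuration")
        out.append(f"SecRuleRemoveById {rid}")
        out.extend(suppressed_copy(rules[rid], new_prefix))
    return "\n".join(out) + "\n"

def update_action_directive(rule_lines, rule_id):
    """First answer's approach: the directive replaces all actions except phase and id, so repeat them all."""
    acts = [a for a in split_actions(_actions_of(rule_lines[0])) if not a.startswith(("phase:", "id:"))]
    joined = ",".join(_nolog_actions(acts))
    return f'SecRuleUpdateActionById {rule_id} "{joined}"'

def sanity_check(generated):
    """The script's check: every id-bearing rule written out should also carry nolog."""
    lines = [l for l in generated.splitlines() if l.lstrip().startswith("SecRule ")]
    return (sum(1 for l in lines if ID_RE.search(l)),
            sum(1 for l in lines if "nolog" in split_actions(_actions_of(l))))

if __name__ == "__main__":
    generated = suppress_logging(SAMPLE_CONF, ["960032", "960034", "960010", "960011"])
    print(generated)
    print(update_action_directive(parse_rules(SAMPLE_CONF)["960032"], "960032"))
    print("sanity check (rules with id, rules with nolog):", sanity_check(generated))
```

To run it against a real rule set, read the modsecurity_*.conf files into one string in place of SAMPLE_CONF and write the returned text to a file that is included after the original rules; the SecRuleRemoveById line must precede the clone, as in the script, and the caveat from the first answer still applies: whichever approach is used, the copied actions go stale when the upstream rule changes, so regenerate after every rule update.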
Page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/43638510
