The ModSecurity \/ OWASP Core Rule Set tutorials here at netnea.com are visited by over 8,000 times a month. With many of the unique visitors, the auxiliary script modsec-rulereport.rb is a favorite. The tool allows you to generate rule exclusions based on a ModSecurity rule alert message.<\/p>\n\n\n\n
Today, I’m presenting you a new version of the script. A complete rewrite. The new version has the following features:<\/p>\n\n\n\n
Alert 1:\n\n[2021-06-03 22:54:45.858724] [-:error] - - [client 127.0.0.1] ModSecurity: Warning. Pattern match \"(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv ...\" at ARGS:keys. [file \"\/apache\/conf\/owasp-modsecurity-crs-3.0.0-rc1\/rules\/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"860\"] [id \"942410\"] [rev \"2\"] [msg \"SQL Injection Attack\"] [data \"Matched Data: union select found within ARGS:keys: union select from users\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS\/3.3.0\"] [maturity \"9\"] [accuracy \"8\"] [tag \"OWASP_CRS\/WEB_ATTACK\/SQL_INJECTION\"] [tag \"WASCTC\/WASC-19\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"OWASP_AppSensor\/CIE1\"] [tag \"PCI\/6.5.2\"] [tag \"paranoia-level\/2\"] [hostname \"localhost\"] [uri \"\/drupal\/index.php\/search\/node\"] [unique_id \"WBuyJX8AAQEAAEdWTgQAAACL\"]\n\n$> cat alert | modsec-rulereport.rb --runtime --target --byid\n# ModSec Rule Exclusion: 942410 : SQL Injection Attack\nSecRule REQUEST_URI \"@beginsWith \/drupal\/index.php\/search\/node\" \"phase:1,nolog,pass,id:10000,ctl:ruleRemoveTargetById=942410;ARGS:keys\"\n\n\n\nAlert 2:\n\n[2020-03-09 12:53:18.862460] [-:error] 127.0.0.1:42014 XmYuLsHShsLLaLoWNWnOBwAAAAA [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file \"\/home\/dune73\/data\/git\/crs-official\/rules\/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"91\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 10)\"] [severity \"CRITICAL\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"] [hostname \"localhost\"] [uri \"\/index.html\"] [unique_id \"XmYuLsHShsLLaLoWNWnOBwAAAAA\"]\n\n$> cat alert | modsec-rulereport.rb --runtime --target --byid\n\nADVISORY\n--------\n\n***This is not a rule exclusion. Do not paste this into your configuration.***\n\nThere is an alert on rule 949110. This rule has a special role in the rule set. It\nexamines the anomaly score of the incoming request. If the anomaly score is\nequal or higher than the anomaly threshold, then the rule blocks the request.\n\nYou should therefore not disable this rule. Instead you should work on different\nrules so you can avoid false positives and make sure the anomaly score is low.\n\n\n\nAlert 3: \n\n[2021-06-03 22:54:45.858724] [-:error] - - [client 127.0.0.1] ModSecurity: Warning. Pattern match \"(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv ...\" at ARGS:keys. [file \"\/apache\/conf\/owasp-modsecurity-crs-3.0.0-rc1\/rules\/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"860\"] [id \"942410\"] [rev \"2\"] [msg \"SQL Injection Attack\"] [data \"Matched Data: union select found within ARGS:keys: union select from users\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS\/3.3.0\"] [maturity \"9\"] [accuracy \"8\"] [tag \"OWASP_CRS\/WEB_ATTACK\/SQL_INJECTION\"] [tag \"WASCTC\/WASC-19\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"OWASP_AppSensor\/CIE1\"] [tag \"PCI\/6.5.2\"] [tag \"paranoia-level\/2\"] [hostname \"localhost\"] [uri \"\/drupal\/index.php\/search\/node\"] [unique_id \"WBuyJX8AAQEAAEdWTgQAAACL\"]\n\n$> cat alert | modsec-rulereport.rb --runtime --target --byid --metainformation --baseruleid 42410\n# ModSec Rule Exclusion: 942410 : SQL Injection Attack\n# Based on following alert:\n# \/\/localhost\/drupal\/index.php\/search\/node\n# timestamp: 2021-06-03 22:54:45.858724 id: WBuyJX8AAQEAAEdWTgQAAACL\n# alert: 942410 Matched Data: union select found within ARGS:keys: union...\n# ruleset\/version: OWASP_CRS\/3.3.0\nSecRule REQUEST_URI \"@beginsWith \/drupal\/index.php\/search\/node\" \"phase:1,nolog,pass,id:42410,ctl:ruleRemoveTargetById=942410;ARGS:keys\"\n<\/code><\/pre>\n\n\n\nOf course, there are also single-letter variants for the command line options. -rTi<\/code> brings the rule exclusion quoted above.<\/p>\n\n\n\nDownload: modsec-rulereport.rb<\/a><\/p>\n\n\n\n