Check-in [f6df973c7e]
Overview
Comment: Add data/ dir, and common_false_positives.log (for CRS 2.2 however, not useful for current setups)
SHA3-256: f6df973c7e2fa454ea764b20d0e1b63c
User & Date: mario 2020-11-17 10:10:54
Context
2020-11-17
10:11  + conf: "add_stub_logs": 1, # data/common_false_*.log  (check-in: 6db99daa75, user: mario, tags: trunk)
10:10  Add data/ dir, and common_false_positives.log (for CRS 2.2 however, not useful for current setups)  (check-in: f6df973c7e, user: mario, tags: trunk)
2020-11-16
14:33  Stub recipes, icon in editor  (check-in: c4431d8500, user: mario, tags: trunk)
Changes
Added modseccfg/data/__init__.py.
> > > > > | 1 2 3 4 5 | # type: R import os dir = os.path.dirname(__file__) |
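Review bot: `dir = os.path.dirname(__file__)` in modseccfg/data/__init__.py shadows the `dir()` builtin inside this module and is then consumed as `data.dir` from logs.py; a constant-style name such as `DATA_DIR` (or `path`) would avoid the shadowing and read as what it is, a package-local path. The `# type: R` comment does not say what it marks; either spell it out or drop it.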
Added modseccfg/data/common_false_positives.log.
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 | # https://www.netnea.com/cms/2016/01/17/most-frequent-false-positives-triggered-by-owasp-modsecurity-core-rules-2-2-x/ [id "950001"] SQL Injection Attack frequent false positives [id "950002"] System Command Access few false positives [id "950005"] Remote File Access Attempt few false positives [id "950006"] System Command Injection few false positives [id "950007"] Blind SQL Injection Attack few false positives [id "950008"] Injection of Undocumented ColdFusion Tags few false positives [id "950009"] Session Fixation Attack few false positives [id "950010"] LDAP Injection Attack few false positives [id "950109"] Multiple URL Encoding Detected frequent false positives [id "950901"] SQL Injection Attack: SQL Tautology Detected. very frequent false positives [id "950907"] System Command Injection frequent false positives [id "950911"] HTTP Response Splitting Attack few false positives [id "958030"] Cross-site Scripting (XSS) Attack few false positives [id "958051"] Cross-site Scripting (XSS) Attack few false positives [id "958052"] Cross-site Scripting (XSS) Attack few false positives [id "958291"] Range: field exists and begins with 0. 
few false positives [id "959070"] SQL Injection Attack frequent false positives [id "959071"] SQL Injection Attack frequent false positives [id "959072"] SQL Injection Attack frequent false positives [id "959073"] SQL Injection Attack very frequent false positives [id "960000"] Attempted multipart/form-data bypass few false positives [id "960009"] Request Missing a User Agent Header few false positives [id "960010"] Request content type is not allowed by policy few false positives [id "960015"] Request Missing an Accept Header very frequent false positives [id "960017"] Host header is a numeric IP address very frequent false positives [id "960024"] Meta-Character Anomaly Detection Alert โ Repetative Non-Word Characters very frequent false positives [id "960035"] URL file extension is restricted by policy frequent false positives [id "970901"] The application is not available few false positives [id "970903"] ASP/JSP source code leakage few false positives [id "973300"] Possible XSS Attack Detected โ HTML Tag Handler frequent false positives [id "973302"] XSS Attack Detected few false positives [id "973304"] XSS Attack Detected few false positives [id "973305"] XSS Attack Detected few false positives [id "973306"] XSS Attack Detected few false positives [id "973307"] XSS Attack Detected few false positives [id "973308"] XSS Attack Detected few false positives [id "973310"] XSS Attack Detected few false positives [id "973316"] IE XSS Filters โ Attack Detected. few false positives [id "973329"] IE XSS Filters โ Attack Detected. few false positives [id "973331"] IE XSS Filters โ Attack Detected. few false positives [id "973332"] IE XSS Filters โ Attack Detected. frequent false positives [id "973333"] IE XSS Filters โ Attack Detected. frequent false positives [id "973334"] IE XSS Filters โ Attack Detected. few false positives [id "973335"] IE XSS Filters โ Attack Detected. 
few false positives [id "973338"] XSS Filter โ Category 3: Javascript URI Vector few false positives [id "973344"] IE XSS Filters โ Attack Detected. few false positives [id "973347"] IE XSS Filters โ Attack Detected. few false positives [id "981172"] Restricted SQL Character Anomaly Detection Alert โ Total # of special characters exceeded very frequent false positives [id "981173"] Restricted SQL Character Anomaly Detection Alert โ Total # of special characters exceeded very frequent false positives [id "981231"] SQL Comment Sequence Detected. very frequent false positives [id "981240"] Detects MySQL comments, conditions and ch(a)r injections frequent false positives [id "981241"] Detects conditional SQL injection attempts few false positives [id "981242"] Detects classic SQL injection probings 1/2 frequent false positives [id "981243"] Detects classic SQL injection probings 2/2 very frequent false positives [id "981244"] Detects basic SQL authentication bypass attempts 1/3 frequent false positives [id "981245"] Detects basic SQL authentication bypass attempts 2/3 frequent false positives [id "981246"] Detects basic SQL authentication bypass attempts 3/3 frequent false positives [id "981247"] Detects concatenated basic SQL injection and SQLLFI attempts few false positives [id "981248"] Detects chained SQL injection attempts 1/2 very frequent false positives [id "981249"] Detects chained SQL injection attempts 2/2 frequent false positives [id "981255"] Detects MSSQL code execution and information gathering attempts few false positives [id "981256"] Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections few false positives [id "981257"] Detects MySQL comment-/space-obfuscated injections and backtick termination frequent false positives [id "981260"] SQL Hex Encoding Identified very frequent false positives [id "981317"] SQL SELECT Statement Anomaly Detection Alert few false positives [id "981318"] SQL Injection Attack: Common Injection Testing Detected 
few false positives [id "981319"] SQL Injection Attack: SQL Operator Detected frequent false positives [id "981320"] SQL Injection Attack: Common DB Names Detected few false positives [id "950001"] SQL Injection Attack frequent false positives [id "950109"] Multiple URL Encoding Detected frequent false positives [id "950907"] System Command Injection frequent false positives [id "959070"] SQL Injection Attack frequent false positives [id "959071"] SQL Injection Attack frequent false positives [id "959072"] SQL Injection Attack frequent false positives [id "960035"] URL file extension is restricted by policy frequent false positives [id "973300"] Possible XSS Attack Detected โ HTML Tag Handler frequent false positives [id "973332"] IE XSS Filters โ Attack Detected. frequent false positives [id "973333"] IE XSS Filters โ Attack Detected. frequent false positives [id "981240"] Detects MySQL comments, conditions and ch(a)r injections frequent false positives [id "981242"] Detects classic SQL injection probings 1/2 frequent false positives [id "981244"] Detects basic SQL authentication bypass attempts 1/3 frequent false positives [id "981245"] Detects basic SQL authentication bypass attempts 2/3 frequent false positives [id "981246"] Detects basic SQL authentication bypass attempts 3/3 frequent false positives [id "981249"] Detects chained SQL injection attempts 2/2 frequent false positives [id "981257"] Detects MySQL comment-/space-obfuscated injections and backtick termination frequent false positives [id "981319"] SQL Injection Attack: SQL Operator Detected frequent false positives [id "950901"] SQL Injection Attack: SQL Tautology Detected. 
very frequent false positives [id "959073"] SQL Injection Attack very frequent false positives [id "960015"] Request Missing an Accept Header very frequent false positives [id "960017"] Host header is a numeric IP address very frequent false positives [id "960024"] Meta-Character Anomaly Detection Alert โ Repetative Non-Word Characters very frequent false positives [id "981172"] Restricted SQL Character Anomaly Detection Alert โ Total # of special characters exceeded very frequent false positives [id "981173"] Restricted SQL Character Anomaly Detection Alert โ Total # of special characters exceeded very frequent false positives [id "981231"] SQL Comment Sequence Detected. very frequent false positives [id "981243"] Detects classic SQL injection probings 2/2 very frequent false positives [id "981248"] Detects chained SQL injection attempts 1/2 very frequent false positives [id "981260"] SQL Hex Encoding Identified very frequent false positives |
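Review bot: the stub lists the same rule ids twice, once in the full listing and again in the "frequent" and "very frequent" groups that follow it (950001, 950109, 950907, 959070-959073, 973300, 981172, 981173, 981231 and others), so anything that counts `[id "..."]` occurrences per id, which is what logs.py's `log_count` comment describes, will report inflated counts for exactly the rules already flagged as frequent; either dedupe the groups or put a comment in the file saying the repetition is an intentional weighting. Since the commit message itself says these are CRS 2.2 ids and not useful for current setups, a second comment line after the netnea URL stating that would spare a later reader from wondering why none of them match a CRS 3 install. The rule titles also show a mis-encoded character ("โ") where netnea's titles carry an en dash; confirm the file is committed as UTF-8 and that the log reader opens it with an explicit encoding rather than the platform default, or that character will break a strict decode.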
Changes to modseccfg/logs.py.
︙ | ︙ | |||
15 16 17 18 19 20 21 | # Filters out by error codes (http 4xx/5xx) or mod_security messages. # # Audit log types (serial/concurrent/json) aren't supported yet. # import os, re | | | 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | # Filters out by error codes (http 4xx/5xx) or mod_security messages. # # Audit log types (serial/concurrent/json) aren't supported yet. # import os, re from modseccfg import utils, vhosts, data from modseccfg.utils import srvroot, conf # detected rule ids and number of occurences log_count = {} # idโcount class state: log_curr = "" # fn |
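Review bot: the comment on the new `log_count = {}` line (`# idโcount`) carries a mis-encoded arrow; write it as `# id -> count` so the source stays ASCII-clean and the "occurences" typo in the line above it can be fixed at the same time. `log_count` is a module-level mutable dict sitting next to a `class state` namespace that holds `log_curr`; keeping both under `state` would put all mutable parser state in one place so it can be reset when a different log file is selected.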
︙ | ︙ | |||
107 108 109 110 111 112 113 | # assemble list of error/access/audit logs def find_logs(): log_list = [] for fn,vh in vhosts.vhosts.items(): log_list = log_list + vh.logs #log_list.append("./fossil.error.log") # testing | > > > > | | 107 108 109 110 111 112 113 114 115 116 117 118 119 | # assemble list of error/access/audit logs def find_logs(): log_list = [] for fn,vh in vhosts.vhosts.items(): log_list = log_list + vh.logs #log_list.append("./fossil.error.log") # testing if conf.get("add_stub_logs"): add = [data.dir+"/common_false_positives.log"] else: add = [] return list(set(log_list)) + add |
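Review bot: `data.dir+"/common_false_positives.log"` should be `os.path.join(data.dir, "common_false_positives.log")`, `os` is already imported in this module. `return list(set(log_list)) + add` also returns the vhost logs in an order that can change between runs, so the stub path lands after an arbitrarily ordered list; `sorted(set(log_list)) + add` keeps the log picker stable and still dedupes. Note that the `add_stub_logs` key is only introduced in the following check-in (6db99daa75, per the timeline above), so at this revision `conf.get("add_stub_logs")` is always falsy and the stub is never offered; that is acceptable as a dark launch but deserves a line in the commit message.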