modsecurity 2 - disable logging for specific rule IDs?
In mod-security2 I want to disable logging for certain specific rule IDs (the most common false positives in the default rules).
I want to keep the rules active for anomaly scoring, but just turn off some of the logging.
How do I do that?
You can use SecRuleUpdateActionById for this.
For example, if you have this:
SecRule ARGS attack "phase:2,id:12345,log,pass"
SecRuleUpdateActionById 12345 "pass"
then you would remove the logging. Note that this completely replaces the action part of the rule (except phase and id), so you need to copy all of the original rule's actions into the SecRuleUpdateActionById. Not sure how sustainable that is in the long run, since when you update the rules to a new version you will need to check that none of the actions have changed.
To be honest, the noisy logging is one of the main reasons I don't like the anomaly scoring approach - I prefer rules to only fire if they mean it, so I use the standard blocking mode and just completely disable those noisy rules that frequently give false positives.
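The caveat above (SecRuleUpdateActionById replaces the whole action list, so every original action must be copied) is easy to get wrong by hand. The bash script below is an added example, not code from the question, the answer or the ModSecurity/CRS project: it pulls a single-line CRS 2.x style rule's action list out of the config, drops the phase: and id: actions (which SecRuleUpdateActionById does not allow to change), turns an explicit log into nolog or appends nolog when the rule relies on SecDefaultAction for logging, and emits the directive with the setvar anomaly scoring untouched. The rule lines are constructed for the demo (rule id 960032 is taken from this thread, but its body here is demo text, not the real CRS rule; 9000001 is invented), and the function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the question, the answer, or ModSecurity/CRS):
# build a SecRuleUpdateActionById directive that silences logging for one
# single-line CRS 2.x style rule while keeping its other actions (block/pass,
# msg, severity, tags and the setvar anomaly scoring) exactly as written.
# Function names are this example's own; the rule text is constructed.

# Constructed sample rule file.  Rule id 960032 is one of the ids named in the
# thread, but its body here is demo text, not the real CRS rule; 9000001 is invented.
sample_rules() {
    cat <<'EOF'
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST|OPTIONS)$" "phase:2,t:none,block,msg:'Demo: method not allowed',severity:'2',id:'960032',tag:'DEMO/METHOD_NOT_ALLOWED',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
SecRule REQUEST_HEADERS:Host "^$" "phase:2,t:none,pass,log,msg:'Empty Host header, constructed',id:'9000001',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}"
EOF
}

# Print the action list of the rule whose id is $1: the text inside the last
# pair of double quotes on the matching line.  Prints nothing if the id is absent.
rule_actions() {
    sample_rules | grep -E "id:'?$1'?[,\"]" | head -n 1 \
        | sed -E 's/.*"([^"]*)"[[:space:]]*$/\1/'
}

# Rewrite an action list so the rule still runs (and still scores) but logs nothing.
#   - phase: and id: are dropped; SecRuleUpdateActionById refuses to change them.
#   - an explicit "log" becomes "nolog".
#   - otherwise "nolog" is appended, because CRS's SecDefaultAction supplies
#     "log" and only an explicit "nolog" overrides it.
# Substitutions work on ",token," boundaries, so commas inside msg:'...' are safe.
nolog_actions() {
    actions=$(printf '%s' "$1" \
        | sed -E "s/(^|,)phase:[0-9]+(,|$)/\1\2/; s/(^|,)id:'?[0-9]+'?(,|$)/\1\2/" \
        | sed -E 's/,,/,/g; s/^,//; s/,$//')
    case ",$actions," in
        *,nolog,*) printf '%s\n' "$actions" ;;
        *,log,*)   printf '%s\n' "$actions" | sed -E 's/(^|,)log(,|$)/\1nolog\2/' ;;
        *)         printf '%s,nolog\n' "$actions" ;;
    esac
}

# Emit the finished directive for rule id $1; fail if the id is not in the rule set.
build_update_directive() {
    acts=$(rule_actions "$1")
    if [ -z "$acts" ]; then
        echo "rule id $1 not found in rule set" >&2
        return 1
    fi
    printf 'SecRuleUpdateActionById %s "%s"\n' "$1" "$(nolog_actions "$acts")"
}

# Sanity check in the spirit of the thread: the generated directive must keep
# every setvar: of the original (so anomaly scoring is intact) and must contain nolog.
verify_update() {
    orig=$(rule_actions "$1")
    new=$(build_update_directive "$1") || return 1
    o=$(printf '%s' "$orig" | grep -o 'setvar:' | wc -l | tr -d ' ')
    n=$(printf '%s' "$new"  | grep -o 'setvar:' | wc -l | tr -d ' ')
    [ "$o" = "$n" ] || return 1
    case "$new" in *nolog*) return 0 ;; esac
    return 1
}

# Demo run: print the two override directives.
build_update_directive 960032
build_update_directive 9000001
```

The generated lines go into a file loaded after the rule set (the directive must come after the rule it modifies), and rerunning the script against an updated rule set regenerates them, which addresses the maintenance worry raised above.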
To solve this, I ended up knocking together a small utility script to turn off logging for specific rule IDs that were making the log file too cluttered.
It works for my needs, but use it at your own risk - that's what open source is for! :)
#!/bin/bash
# Filename: suppress_logging.sh
# From your mod-security base_rules/ directory, do: mkdir -p ../tools/
# Put this script in that tools/ directory, and run it to turn off logging for specific rules (frequent false alerts)
#
# For example, rule-id 123456 will be "overridden" with a new rule-id 9123456 that does exactly the same thing, but without logging anything (nolog).
#
# For rules defined in a single line, use the function: suppressLoggingForSinglelineRule below.
#
# For rules spanning over multiple lines (including chained-rules), use the function: suppressLoggingForMultilineRule below.
# This script was developed and used for mod-security version: 2.1.9.

cd ../base_rules/ || exit 1

# Start from empty scratch files; the functions below append to them.
cat /dev/null > z_logging_suppress.TMP
cat /dev/null > z_logging_suppress_multiline.TMP

# Disable the original rule and copy its single-line definition, to be rewritten below.
function suppressLoggingForSinglelineRule(){
    ruleId=$1
    echo "Processing suppressLoggingForSinglelineRule $ruleId"
    echo "SecRuleRemoveById $ruleId" >> z_logging_suppress.TMP
    cat modsecurity_*.conf | grep "$ruleId" >> z_logging_suppress.TMP
}

# Same for a rule spanning several lines: copy $before lines before and $after lines after the line holding the rule-id.
function suppressLoggingForMultilineRule(){
    ruleId=$1
    before=$2
    after=$3
    echo "Processing suppressLoggingForMultilineRule $ruleId"
    echo "SecRuleRemoveById $ruleId" >> z_logging_suppress_multiline.TMP
    cat modsecurity_*.conf | grep -B"${before}" -A"${after}" "$ruleId" >> z_logging_suppress_multiline.TMP
}

suppressLoggingForSinglelineRule 960032
suppressLoggingForSinglelineRule 960034
# ... here add your own annoying rule-ids from the log-files ...
# ...

suppressLoggingForMultilineRule 960010 0 2   # This means the rule spans 0 lines BEFORE the rule-id, and 2 lines AFTER, in the modsecurity_*.conf file, etc.
suppressLoggingForMultilineRule 960011 3 16  #
# ... here add your own annoying rule-ids from the log-files ...
# ...

# If the rule contains: ,block,
# change it to: ,block,nolog, (this is true for most rules)
# If the rule contains: ,log,
# change it to ,nolog, (a few rules)
# BUT BEWARE -- there are a few rules in the modsecurity_* scripts that contain neither -- this won't work for those.
sed -e 's/,block,/,block,nolog,/' -e 's/ block,/ block,nolog,/' -e 's/,log,/,nolog,/' z_logging_suppress.TMP > z_logging_suppress.TMP2
sed -e 's/,block,/,block,nolog,/' -e 's/ block,/ block,nolog,/' -e 's/,log,/,nolog,/' z_logging_suppress_multiline.TMP > z_logging_suppress_multiline.TMP2

# Give the copied rule a new, unique id by prefixing the original id with 9 (id:'123456' becomes id:'9123456'),
# whatever character precedes the id: action.
sed -e "s/,id:'/,id:'9/" -e "s/\"id:'/\"id:'9/" -e "s/ id:'/ id:'9/" z_logging_suppress.TMP2 > z_logging_suppress.conf
sed -e "s/,id:'/,id:'9/" -e "s/\"id:'/\"id:'9/" -e "s/ id:'/ id:'9/" z_logging_suppress_multiline.TMP2 > z_logging_suppress_multiline.conf

# Every copied SecRule should have picked up exactly one ,nolog, so the two counts must match.
function sanityCheck(){
    echo "SANITY CHECK -- The following counts should give identical numbers ($1):"
    grep -c '^SecRule ' "$1"
    grep -c ',nolog,' "$1"
    if [ "$(grep -c '^SecRule ' "$1")" != "$(grep -c ',nolog,' "$1")" ]; then
        echo ' *** WARNING -- Sanity check FAILED ***'
    fi
}
sanityCheck z_logging_suppress.conf
sanityCheck z_logging_suppress_multiline.conf

# You may comment-out the following line while debugging/maintaining this script,
# so you can diff what the final sed-commands do.
# Activate it when you are done, to remove the *.TMP* files:
# rm *.TMP *.TMP2
Thanks for the tip. I think that rather than "updating" the default rule, it might be simpler to copy it and "override" it with a new version. But I can't define a new rule with the same id - OK, that seems logical. But even if I first do SecRuleRemoveById and then define the updated rule with the same id, I still get "Found another rule with the same ID" - not so logical IMO. – Rop
Think I'll try: SecRuleRemoveById 123456 for the old rule, then add the new, modified one with a new unique id, like: SecRule ...'id:9123456' --- It seems mod-security isn't the most well-designed product I've been working with, when the *simple task of "turning off logging for some rules"* becomes this complicated... – Rop
My fix seems to work, with one exception --- follow-up question here :) ---- http://stackoverflow.com/questions/43663373/modsecurity-execution-phases-can-only-be-specified-by-chain-starter-rules – Rop