2017-04-26 48 views

Answers

1

You can use SecRuleUpdateActionById for this.

For example, if you have this:

SecRule ARGS attack "phase:2,id:12345,log,pass" 
SecRuleUpdateActionById 12345 "pass" 

Then you would drop the logging. Note that this replaces the rule's action part completely (except phase and id), so you need to copy all of the original rule's actions into SecRuleUpdateActionById. Not sure how sustainable that is in the long run, as when you update the rules to a new version you will need to check that none of the actions have changed.

To be honest, noisy logs are one of the main reasons I dislike the anomaly scoring approach - I prefer rules that only fire if they mean it, so I use standard blocking mode and just completely disable those noisy rules that frequently give false positives.

+0

Thanks for the tip. I think that, rather than "updating" the default rule, it may be simpler to copy it and "override" it with a new version. But I can't define a new rule with the same id - OK, that seems logical. But even when I first do SecRuleRemoveById and then define the updated rule with the same id, I still get "Found another rule with the same id" - not so logical IMO. – Rop

+0

Think I'll try: SecRuleRemoveById 123456 on the old rule, then add the new, modified one with a new unique id, like: SecRule ... 'id:9123456' --- it seems mod-security is not the simplest, nor the most carefully designed product I have ever used, when *"the simple task of turning off logging for some rules"* becomes this complicated... – Rop

+0

My fix seems to work, with one exception --- follow-up question here :) ---- http://stackoverflow.com/questions/43663373/modsecurity-execution-phases-can-only-be-specified-by-chain-starter-rules – Rop

0

To solve this, I ended up knocking together a small utility script that turns off logging for specific rule-ids that were cluttering the log files too much.

It works for my needs, but use it at your own risk - that's what open source is for! :)

#!/bin/bash

# Filename: suppress_logging.sh

# From your mod-security base_rules/ directory, do: mkdir -p ../tools/
# Put this script in that tools/ directory, and run it to turn off logging for specific rules (frequent false alerts)
#
# For example, rule-id 123456 will be "overridden" with a new rule-id 9123456 that does exactly the same thing, but without logging anything (nolog).
#
# For rules defined in a single line, use the function: suppressLoggingForSinglelineRule below.
#
# For rules spanning over multiple lines (including chained-rules), use the function: suppressLoggingForMultilineRule below.
#
# The generated z_logging_suppress*.conf files must be included AFTER the original modsecurity_*.conf
# files, because SecRuleRemoveById can only remove a rule that has already been defined.
# Rule-ids are assumed to be written the way the CRS 2.x files write them, quoted: id:'123456'

# This script was developed and used for mod-security version: 2.1.9.

set -u
cd "$(dirname "$0")/../base_rules/" || exit 1

: > z_logging_suppress.TMP
: > z_logging_suppress_multiline.TMP

function suppressLoggingForSinglelineRule(){
    local ruleId=$1
    echo "Processing suppressLoggingForSinglelineRule $ruleId"
    echo "SecRuleRemoveById $ruleId" >> z_logging_suppress.TMP
    # Match the id: action itself, not a bare number that may also occur inside an unrelated rule
    grep -h "id:'${ruleId}'" modsecurity_*.conf >> z_logging_suppress.TMP \
        || echo " *** WARNING -- rule-id $ruleId not found in modsecurity_*.conf ***"
}

function suppressLoggingForMultilineRule(){
    local ruleId=$1 before=$2 after=$3
    echo "Processing suppressLoggingForMultilineRule $ruleId ($before lines before, $after lines after)"
    echo "SecRuleRemoveById $ruleId" >> z_logging_suppress_multiline.TMP
    grep -h -B"${before}" -A"${after}" "id:'${ruleId}'" modsecurity_*.conf >> z_logging_suppress_multiline.TMP \
        || echo " *** WARNING -- rule-id $ruleId not found in modsecurity_*.conf ***"
}

suppressLoggingForSinglelineRule 960032
suppressLoggingForSinglelineRule 960034
# ... here add your own annoying rule-ids from the log-files ...
# ...

suppressLoggingForMultilineRule 960010 0 2 # This means the rule spans 0 lines BEFORE the rule-id, and 2 lines AFTER, in the modsecurity_*.conf file, etc.
suppressLoggingForMultilineRule 960011 3 16 #
# ... here add your own annoying rule-ids from the log-files ...
# ...

# If the rule contains: ,block,   change it to: ,block,nolog,   (this is true for most rules)
# If the rule contains: ,log,     change it to: ,nolog,         (a few rules)
# BUT BEWARE -- a few rules in the modsecurity_* files contain neither -- this won't work for those,
# and the sanity check below will flag them.
# Afterwards the rule-id is prefixed with 9 (id:'123456' -> id:'9123456'), so the copy does not
# clash with the id of the removed original (ModSecurity refuses duplicate ids).
for base in z_logging_suppress z_logging_suppress_multiline; do
    sed -e 's/,block,/,block,nolog,/' -e 's/ block,/ block,nolog,/' -e 's/,log,/,nolog,/' \
        "$base.TMP" > "$base.TMP2"
    sed -e "s/\([,\" ]\)id:'/\1id:'9/" "$base.TMP2" > "$base.conf"
done

function sanityCheck(){
    local conf=$1 rules nologs
    rules=$(grep -c '^SecRule ' "$conf")
    nologs=$(grep -c ',nolog,' "$conf")
    echo "SANITY CHECK $conf -- SecRule lines: $rules, lines with ,nolog,: $nologs (should be identical)"
    if [ "$rules" != "$nologs" ]; then
        echo ' *** WARNING -- Sanity check FAILED -- some copied rule did not get nolog (see BEWARE above) ***'
        return 1
    fi
}

sanityCheck z_logging_suppress.conf
sanityCheck z_logging_suppress_multiline.conf

# You may comment-out the following line while debugging/maintaining this script,
# so you can diff what the final sed-commands do.
# Activate it when you are done, to remove the *.TMP* files:
# rm *.TMP *.TMP2
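As an added example (not part of either answer above, and not ModSecurity or CRS project code), the same remove-and-copy approach in Python, which parses the SecRule action list instead of pattern-matching on `,block,` and `,log,`: a rule whose action list contains neither still gets `nolog` (the "BEWARE" case in the script), chained rules are collected by following the `chain` action rather than a hand-counted window of lines before and after the id, and commas inside a quoted `msg:'...'` value are not split. The rule text embedded below is constructed for the demo in the style of CRS 2.x rules, not an excerpt of any real rule file; the `9` id prefix and the `SecRuleRemoveById` plus copy layout follow the script above.

```python
# Added example: emit ModSecurity 2.x overrides that silence chosen rule ids by parsing the
# SecRule action list (assumes CRS 2.x style rules, ids as id:'NNN' or id:NNN, chains via 'chain').
import re

# Constructed sample in the style of a CRS 2.x base_rules file; not an excerpt of a real rule set.
SAMPLE_CONF = r"""
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST|OPTIONS)$" \
    "phase:2,t:none,block,msg:'Method not allowed, see policy',severity:'2',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "phase:1,t:none,t:lowercase,pass,nolog,id:'981053',chain"
    SecRule REQBODY_PROCESSOR "!@streq XML" "t:none,ctl:requestBodyProcessor=XML"

SecRule &REQUEST_HEADERS:Host "@eq 0" "phase:2,t:none,pass,id:'960008',msg:'Request Missing a Host Header'"
"""

DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}
RULE_RE = re.compile(r'^SecRule\s+(?P<vars>\S+)\s+(?P<op>"(?:[^"\\]|\\.)*"|\S+)'
                     r'(?:\s+"(?P<actions>(?:[^"\\]|\\.)*)")?\s*$')
ID_RE = re.compile(r"^id:'?(\d+)'?$")


def read_directives(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    directives, buf = [], ""
    for line in text.splitlines():
        s = line.strip()
        if not buf and (not s or s.startswith("#")):
            continue
        if s.endswith("\\"):
            buf += s[:-1] + " "
        else:
            directives.append((buf + s).strip())
            buf = ""
    return directives


def split_actions(actions):
    """Split on commas outside single quotes, so msg:'a, b' stays one action."""
    out, cur, quoted = [], "", False
    for ch in actions:
        quoted ^= (ch == "'")
        if ch == "," and not quoted:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return out + ([cur.strip()] if cur else [])


def parse_rules(text):
    """Rules as lists of (variables, operator, actions); chained parts follow their starter."""
    rules, chaining = [], False
    for m in filter(None, map(RULE_RE.match, read_directives(text))):
        actions = split_actions(m.group("actions") or "")
        part = (m.group("vars"), m.group("op"), actions)
        if chaining:
            rules[-1].append(part)
        else:
            rules.append([part])
        chaining = "chain" in actions
    return rules


def rule_id(rule):
    """Id from the chain starter (ModSecurity accepts id only there)."""
    return next((m.group(1) for m in map(ID_RE.match, rule[0][2]) if m), None)


def suppress_logging(rule, id_prefix="9"):
    """Copy of rule: id prefixed, 'log' removed, 'nolog' ensured; chained parts kept verbatim."""
    variables, operator, actions = rule[0]
    new = ["id:'%s%s'" % (id_prefix, ID_RE.match(a).group(1)) if ID_RE.match(a) else a
           for a in actions if a != "log"]
    if "nolog" not in new:
        # after the disruptive action when there is one (block/pass/...), else at the end
        pos = next((i + 1 for i, a in enumerate(new) if a.split(":")[0] in DISRUPTIVE), len(new))
        new.insert(pos, "nolog")
    return [(variables, operator, new)] + rule[1:]


def format_rule(rule):
    """Render a rule back to config text; chained parts are indented under the starter."""
    lines = []
    for i, (variables, operator, actions) in enumerate(rule):
        text = "SecRule %s %s" % (variables, operator)
        lines.append(("    " if i else "") + (text + ' "%s"' % ",".join(actions) if actions else text))
    return "\n".join(lines)


def build_override(conf_text, ids, id_prefix="9"):
    """SecRuleRemoveById plus a silenced copy per id. Include the output AFTER the original files."""
    by_id = {rule_id(r): r for r in parse_rules(conf_text) if rule_id(r)}
    out = []
    for rid in ids:
        if rid not in by_id:
            raise KeyError("rule id %s not found" % rid)
        out += ["SecRuleRemoveById %s" % rid, format_rule(suppress_logging(by_id[rid], id_prefix)), ""]
    return "\n".join(out)
```

Only the chain starter is rewritten, because ModSecurity 2.x takes id and phase from the starter rule (the restriction behind the follow-up question linked in the comments above); chained parts are copied unchanged. The silenced copy still executes, including any `setvar:` that feeds the anomaly score, and `nolog` only stops the match from being written to the error log and the audit log, so the output file has to be included after the original `modsecurity_*.conf` files for `SecRuleRemoveById` to find the rule it removes.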