WAF-Log analysieren

How to analyse a core rule set log.

Guide

Based on https://www.oreilly.com/content/how-to-tune-your-waf-installation-to-reduce-false-positives/.

Copy audit log from Docker container

ssh apollo.apland.ch docker cp waf01:/var/log/modsec_audit.log .
scp apollo.apland.ch:modsec_audit.log .

Set alias to get alert messages.

alias melidmsg='grep -o "\[id [^]]*\].*\[msg [^]]*\]" | sed -e "s/\].*\[/] [/" -e "s/\[msg //" | cut -d\  -f2- | tr -d "\]\"" | sed -e "s/(Total .*/(Total ...) .../"'

Get all alerts.

cat modsec_audit.log | melidmsg

Sort and group alerts.

cat modsec_audit.log | melidmsg | sort | uniq -c | sort -n

Grep anomaly alerts

cat modsec_audit.log | grep 980145 | egrep -o "Incoming Anomaly Score: [0-9]+" | cut -b25-

Backlinks:

🔗 Web Application Firewall

📝 Edit on GitHub

Copyright © Mint System GmbH