mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-10 21:24:56 +03:00
mukul975
2.1 KiB
2.1 KiB
ModSecurity WAF Logging — API Reference
Key ModSecurity Directives
| Directive | Description |
|---|---|
SecRuleEngine On/Off/DetectionOnly |
Enable/disable rule engine |
SecAuditEngine On/Off/RelevantOnly |
Configure audit logging scope |
SecAuditLog /path/to/modsec_audit.log |
Audit log file path |
SecAuditLogParts ABCDEFHZ |
Audit log sections to include |
SecRequestBodyAccess On |
Inspect request bodies |
SecResponseBodyAccess On |
Inspect response bodies |
SecRuleRemoveById <id> |
Disable specific rule by ID |
SecRuleUpdateTargetById <id> "!ARGS:param" |
Exclude parameter from rule |
Audit Log Sections
| Section | Contents |
|---|---|
| A | Audit log header (timestamp, transaction ID) |
| B | Request headers |
| C | Request body |
| E | Response body |
| F | Response headers |
| H | Audit log trailer (rule matches, scores) |
| Z | End of entry marker |
OWASP CRS Rule ID Ranges
| Range | Category |
|---|---|
| 911xxx | Method Enforcement |
| 920xxx | Protocol Enforcement |
| 930xxx | Local File Inclusion |
| 932xxx | Remote Code Execution |
| 941xxx | Cross-Site Scripting (XSS) |
| 942xxx | SQL Injection |
| 944xxx | Java/Spring Attack |
| 949xxx | Inbound Anomaly Score Blocking |
CRS Paranoia Levels
| Level | Description |
|---|---|
| PL1 | Default — low false positives, covers common attacks |
| PL2 | Moderate — adds more patterns, some tuning needed |
| PL3 | High — aggressive detection, significant tuning needed |
| PL4 | Extreme — maximum coverage, heavy tuning required |
Configuration Example
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log