ModSecurity Breach

ModSecurity Blog


Why So Many Events?

When you start using ModSecurity 2.0 with the Core Rule Set, you may notice that you get (too) many events. There are two common areas in the Core Rule Set that cause a lot of events: search engine detections and missing HTTP headers.

File "modsecurity_crs_55_marketing.conf" includes rules to detect access by Google, Yahoo and MSN. These rules tend to generate a large number of events. These events are interesting from the marketing point of view, but are not very important from the security point of view. Also, admittedly, neither the audit log nor the ModSecurity console displays those events in a manner suitable for presenting to marketing guys. So, if those events bother you, you may consider removing this file.

On the other hand, the second source of events, missing HTTP headers, provides a good indication of malicious requests. This is the reason the Core Rule Set checks that a request has a "host", a "user-agent" and an "accept" header, and blocks the request otherwise. In many systems there are valid requests that do not have those headers. These are usually generated by some automation tool used by the system. A good example is monitoring tools that periodically check that a site is alive and kicking. Such monitoring tools often issue simple, non-standard HTTP requests. Therefore we would not want to remove the missing HTTP header rules, but rather create specific exceptions for the valid request source. In many cases this would be an exception based on a source IP.
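As an added example of such a source-IP exception (not code from the original post or from the Core Rule Set), the rule below disables the three missing-header rules for a single transaction when the request comes from the monitoring host, instead of removing them for everyone with a global SecRuleRemoveById. The address 203.0.113.10, the probe path /ping and the ids RULE_ID_HOST, RULE_ID_UA and RULE_ID_ACCEPT are placeholders; substitute the monitor's real address, its probe URL and the ids of the missing-header rules in your copy of the Core Rule Set.

```apache
# Added example, not part of the original post or of the Core Rule Set.
# Placeholders: 203.0.113.10 = monitoring host, /ping = its probe URL,
# RULE_ID_HOST / RULE_ID_UA / RULE_ID_ACCEPT = ids of the CRS rules that
# check for the Host, User-Agent and Accept headers.
<IfModule mod_security2.c>
    # Must be loaded BEFORE the Core Rule Set files: ctl:ruleRemoveById
    # only affects rules that have not yet run in this transaction.
    # Phase 1 (request headers) is early enough for the header checks.
    # First rule: the client address must be the monitoring host.
    SecRule REMOTE_ADDR "^203\.0\.113\.10$" \
        "phase:1,t:none,nolog,pass,chain"
        # Second rule of the chain: only the monitor's probe URL qualifies,
        # so the exception stays as narrow as possible. The ctl actions
        # are attached to the last rule in the chain and take effect only
        # when every link matches, and only for the current request.
        SecRule REQUEST_URI "^/ping$" \
            "t:none, \
            ctl:ruleRemoveById=RULE_ID_HOST, \
            ctl:ruleRemoveById=RULE_ID_UA, \
            ctl:ruleRemoveById=RULE_ID_ACCEPT"
</IfModule>
```

REMOTE_ADDR is the address of the TCP peer, so this exception is only meaningful if the monitor reaches Apache directly; behind a reverse proxy every client would share the proxy's address and the exception would apply to all of them. Check the audit log after deploying: the monitor's probes should no longer appear, while requests from other addresses missing those headers are still logged.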
