-
Notifications
You must be signed in to change notification settings - Fork 0
/
info.txt
74 lines (63 loc) · 3.02 KB
/
info.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
pamsel 1.6.0
(c) 2021.2022 A. Raphael (MIT)
idicnet.de/pamsel
ModSecurity - together with the OWASP core rules - is a powerful web application firewall (WAF)
It protects your server against a wide range of HTTP-attacks (SQL injection, cross-site scripting etc.)
However ModSecurity (like any WAF) produces sometimes false positives.
To eliminate these, you need to tune your configuration and add rule exclusions. (Whitelisting)
It can be a frustrating and time consuming process to inspect the logfiles.
pamsel ("PArse ModSecurity ErrorLog") is a small tool that might help you with this.
(Alas it has no real documentation yet. Maybe sometime...)
$ pamsel --help
pamsel - scans modsecurity logfiles (apache error and modsec audit)
Usage: pamsel OPTIONS
Field display options:
-d date/time
-u requested url
-i rule id
-m modsec message
-t rule tag (only OWASP_CRS/ tags are extracted!)
-s severity
-r referrer IP
-D objected data (cut to first 80 chars. use -A to get full info)
-n consecutive number (for lookup in audit log)
-a unique modsec-id
field output is ordered according to the occurrence of the above options
--def = -ndsimu
--sep SEPARATOR (default is tab)
General options:
-e use current apache-logfiles (error.log and modsec_audit.log) (overwrites other logfile options)
-y use yesterdays logs (error.log.1 and modsec_audit.log.1) (overwrites other logfile options)
-f ERRORLOG if none of -e,-y,-f is given, pamsel reads from stdin/pipe
-F AUDITLOGFILE default is modsec_audit.log
note: take care that the audit-logfile corresponds with your error-log
-v verbose
--skipped show only skipped entries (inverse verbose)
--fulldate show full date (default is cut at first dot)
-l list format (default is csv)
-c dont't show if blocked (anomaly score exceeded)
-x id1,id2,.. exclude rules from parsing
-A NUMBER[-ABCD..|+ABCD..]
list info from audit-log for given entry (number from -n)
-ABCD.. exclude specified audit-sections ("all, except")
+ABCD.. show only the specified audit-sections ("only these")
-V --version version info
-h --help this
Some examples:
sudo ./pamsel -e --def
run pamsel on current logfiles with default options
sudo ./pamsel -e -dimubT
lists all requests and rejections (tab-separated, one per line) with date, rule-id, message and url
sudo ./pamsel -y -im | sort | uniq -c
how often a rule was triggered yesterday
sudo ./pamsel -e -dim -x 920350,930130
exclude rules from listing
sudo ./pamsel -e -nrmu
-n gives every request an unique number...
...which can be used to show the related info in audit-log:
sudo ./pamsel -e -nrmu -A 136
show only audit-sections B and H, to reduce the amount of information:
sudo ./pamsel -e -nrmu -A 136+BH
'-': all, except, '+': only these (A is listed anyway)
sudo ./pamsel -f anold.log --def
parse other logfiles