I do not know if a standard exists for the OWASP rule configuration, but I would like to submit the following:
I currently use a SIEM system based on OSSIM. There is a plugin module for ModSecurity. Since ModSecurity's error-log output can be sent to a SIEM system via the Apache error log and thus syslog, I am able to retrieve the 403 error messages. While setting up regex to process the ModSecurity error log data, I've noticed that I've created 3 different regex rules for processing.

I would like to suggest a possible standard in log reporting to minimize the number of regex rules needed, so that any new rules that are created will automatically fall into a regex standard for processing into as few rules as possible. This will help to ensure that all rules, when triggered and captured by a logging system, fall into a pre-defined set of rules, ensuring capture and data normalization into hopefully any SIEM system.

-=Steve
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
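As an added example (not part of Steve's post and not CRS project code), the normalization he is asking for can be done on the SIEM side with one parser instead of one regex per rule family, because every ModSecurity 2.x alert already has the same shape: an Apache error_log prefix, a free-form action/detail sentence, and a trailer of `[key "value"] ` pairs. The parser below tolerates both the Apache 2.2 and 2.4 prefix layouts, blocking ("Access denied with code 403") and non-blocking ("Warning.") rules, repeated `tag` keys and escaped quotes inside values. The log lines, rule IDs, hostnames and addresses in it are constructed for illustration.

```python
"""Normalise ModSecurity 2.x alerts from an Apache error_log into one flat record.

Added example; not CRS project code. SAMPLE_LOG is constructed to match the shape
ModSecurity 2.x writes; rule IDs, hosts and addresses are illustrative only.
"""
import json
import re

# Apache error_log prefix. Apache 2.4 adds a "[pid ...]" field and a client port;
# the optional groups accept both the 2.2 and the 2.4 layouts.
HEAD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\](?: \[pid [^\]]+\])? '
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<rest>.*)$'
)

# One [key "value"] pair; ModSecurity backslash-escapes embedded double quotes.
KV_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')

# The run of key/value pairs that ends the line. Anchoring on $ makes the engine
# skip anything that merely looks like a pair inside the free-form message part.
TRAILER_RE = re.compile(r'(?:\s?\[[a-z_]+ "(?:[^"\\]|\\.)*"\])+$')

IPV4_PORT_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3}):\d+')

SAMPLE_LOG = [
    # Apache 2.2 layout, blocking rule, two tags, escaped quotes inside [data]
    '[Mon Mar 07 10:15:32 2011] [error] [client 192.0.2.10] ModSecurity: '
    'Access denied with code 403 (phase 2). Pattern match "(?i:union.*select)" at ARGS:id. '
    '[file "/etc/modsecurity/crs/sql.conf"] [line "42"] [id "900001"] '
    '[msg "SQL Injection Attack"] [data "Matched Data: \\"union select\\" found within ARGS:id"] '
    '[severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "OWASP_CRS"] '
    '[hostname "www.example.com"] [uri "/index.php"] [unique_id "TXS@abc123"]',
    # Apache 2.4 layout (pid field, client port), non-blocking rule, no status code
    '[Mon Mar 07 10:15:33.123456 2011] [:error] [pid 2312] [client 198.51.100.7:51234] '
    'ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. '
    '[file "/etc/modsecurity/crs/eval.conf"] [line "9"] [id "900002"] '
    '[msg "Inbound Anomaly Score Exceeded"] [severity "WARNING"] [tag "OWASP_CRS"] '
    '[hostname "www.example.com"] [uri "/login"] [unique_id "TXS@def456"]',
    # Unrelated Apache error: must be skipped, not mis-parsed
    '[Mon Mar 07 10:15:34 2011] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico',
]


def parse_modsec_alert(line):
    """Return one flat dict for a ModSecurity alert line, or None if it is not one."""
    head = HEAD_RE.match(line.rstrip('\n'))
    if not head:
        return None
    rest = head.group('rest')

    # Split the trailer of [key "value"] pairs off the free-form message.
    trailer = TRAILER_RE.search(rest)
    message = rest[:trailer.start()] if trailer else rest
    fields, tags = {}, []
    if trailer:
        for kv in KV_RE.finditer(trailer.group(0)):
            key, val = kv.group('key'), kv.group('val').replace('\\"', '"')
            if key == 'tag':          # tag repeats; keep every value
                tags.append(val)
            else:
                fields[key] = val

    # "Access denied with code 403 (phase 2). Pattern match ..." -> action / detail
    action, _, detail = message.partition('. ')
    status = re.search(r'with code (\d{3})', action)
    phase = re.search(r'\(phase (\d+)\)', action)

    # Apache 2.4 appends ":port" to the client; only strip it for IPv4, because an
    # IPv6 address with a port is ambiguous in this log format.
    client = head.group('client')
    ip_match = IPV4_PORT_RE.fullmatch(client)
    client_ip = ip_match.group(1) if ip_match else client

    record = {
        'timestamp': head.group('ts'),
        'level': head.group('level'),
        'client_ip': client_ip,
        'action': action,
        'blocked': action.startswith('Access denied'),
        'status': int(status.group(1)) if status else None,
        'phase': int(phase.group(1)) if phase else None,
        'detail': detail.strip(),
        'tags': tags,
    }
    record.update(fields)   # file, line, id, msg, data, severity, hostname, uri, unique_id
    return record


def normalise_log(lines):
    """Parse every ModSecurity alert in an iterable of error_log lines."""
    return [rec for rec in map(parse_modsec_alert, lines) if rec is not None]


if __name__ == '__main__':
    for rec in normalise_log(SAMPLE_LOG):
        print(json.dumps(rec, sort_keys=True))
```

Because the trailer is parsed generically, a newly written rule that emits an extra `[key "value"]` pair shows up as a new field without any parser change; only the free-form sentence between the action and the trailer varies by operator, and it is kept verbatim in `detail` rather than being matched per rule.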