Excellent points and I agree. I believe the key for us to look at is to standardize the ordering of the rule actions.
Can you please send me some example alerts for your 3 regexes?

--
Ryan Barnett
Researcher Lead
Trustwave - SpiderLabs

On Aug 9, 2012, at 5:30 PM, "Canell, Stephen E (2240)" <stephen.e.can...@jpl.nasa.gov> wrote:

> I do not know if a standard exists for the OWASP rule configuration, but I would like to submit the following:
>
> I currently use a SIEM system based on OSSIM. There is a plugin module for modsecurity. Since the processing of the mod security error logs can be sent to a SIEM system via apache error log and thus syslog, I am able to retrieve the 403 error messages.
>
> While setting up regex to process the error log data for mod security, I've noticed that I've created 3 different regex rules for processing.
>
> I would like to suggest a possible standard in log reporting to minimize the number of regex rules needed so that any new rules that are created will automatically fall into a regex standard for processing into as few rules as possible. This will help to ensure that all rules, when triggered and captured by a logging system, should fall into a pre-defined set of rules to ensure capture and data normalization into hopefully any SIEM system.
>
> -=Steve
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
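The thread's problem is that the `[key "value"]` action blocks ModSecurity writes into the Apache error log come out in whatever order the rule author listed the actions, so a SIEM plugin ends up with one regex per observed ordering. The following Python is an added illustration, not code from the thread, from the CRS project or from the OSSIM plugin: instead of matching one fixed layout, it collects every `[key "value"]` block on the line into a dictionary and then projects that onto a fixed field set, so any ordering (and any missing optional action such as `severity`) normalizes the same way. The three sample log lines are constructed for this example; the rule ids, file paths, hostnames and unique ids in them are placeholders.

```python
"""Order-independent parser for ModSecurity 2.x messages in the Apache error log.

Every [key "value"] block is collected into a dict, so the SIEM normalizer does
not depend on the order in which the rule's actions were written.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines (placeholder ids, paths, hosts and unique ids).
SAMPLE_LINES: List[str] = [
    # Blocking rule: id before msg, severity after msg, two tag blocks.
    '[Thu Aug 09 17:30:01 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 '
    '(phase 2). Pattern match "(?i:union.*select)" at ARGS:q. '
    '[file "/etc/modsecurity/placeholder_sqli.conf"] [line "42"] [id "900001"] [msg "SQL Injection Attack"] '
    '[data "Matched Data: union select found within ARGS:q: 1 union select 1,2"] [severity "CRITICAL"] '
    '[tag "WEB_ATTACK/SQL_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "www.example.com"] [uri "/search"] '
    '[unique_id "EXAMPLE-UID-0001"]',
    # Warning-only rule: msg before id, no severity, data contains an escaped quote.
    '[Thu Aug 09 17:30:02 2012] [error] [client 198.51.100.7] ModSecurity: Warning. Operator GE matched 5 at '
    'TX:anomaly_score. [msg "Inbound Anomaly Score Exceeded"] [id "900002"] '
    '[data "Total Score: 5, SQLi=0, XSS=5, name=\\"x\\""] [file "/etc/modsecurity/placeholder_scoring.conf"] '
    '[line "7"] [hostname "www.example.com"] [uri "/comment"] [unique_id "EXAMPLE-UID-0002"]',
    # Unrelated Apache error line: must be ignored rather than mis-parsed.
    '[Thu Aug 09 17:30:03 2012] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico',
]

# Fixed Apache prefix, then the free-text message up to the first [key "value"] block.
PREFIX_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] \[(?P<level>[^\]]+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<message>.*?)(?= \[[a-z_]+ "|$)'
)
# One [key "value"] block; the value may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>(?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r'^Access denied with code (?P<status>\d+)')

# The fixed field set a SIEM plugin would map to its own schema.
SIEM_FIELDS = ('timestamp', 'client', 'action', 'status', 'id', 'msg',
               'severity', 'hostname', 'uri', 'unique_id')


def parse_modsec_line(line: str) -> Optional[Dict[str, object]]:
    """Return every field on the line as a dict, or None if it is not a ModSecurity event."""
    head = PREFIX_RE.match(line)
    if head is None:
        return None
    event: Dict[str, object] = dict(head.groupdict())
    tags: List[str] = []
    # Scan only after the message so quoted text inside the message is not mistaken for a block.
    for field in FIELD_RE.finditer(line, head.end()):
        key = field.group('key')
        value = field.group('value').replace('\\"', '"')  # undo ModSecurity's quote escaping
        if key == 'tag':
            tags.append(value)  # tag may repeat; keep all of them
        else:
            event[key] = value
    event['tags'] = tags
    denied = DENIED_RE.match(str(event['message']))
    event['action'] = 'deny' if denied else 'warn'
    event['status'] = denied.group('status') if denied else None
    return event


def normalize(event: Dict[str, object]) -> Dict[str, Optional[object]]:
    """Project a parsed event onto SIEM_FIELDS; absent optional actions become None."""
    return {name: event.get(name) for name in SIEM_FIELDS}


def parse_log(lines: List[str]) -> List[Dict[str, Optional[object]]]:
    """Normalize all ModSecurity events in the given error-log lines, skipping other lines."""
    events = []
    for line in lines:
        parsed = parse_modsec_line(line)
        if parsed is not None:
            events.append(normalize(parsed))
    return events


if __name__ == '__main__':
    for ev in parse_log(SAMPLE_LINES):
        print(ev)
```

Both sample events, despite their different action orderings, come out with the same keys, and the plain Apache line is dropped instead of producing a half-filled record. With this approach a standardized action order in the rules (the point Ryan raises) stops being a prerequisite for SIEM normalization and becomes a readability convention instead.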