[appsec] Log all matched rules #3442

LaurenceJJones opened this issue Feb 5, 2025 · 3 comments

Comments

LaurenceJJones (Contributor) commented Feb 5, 2025

Currently when using CRS with AppSec you cannot follow the chain of analysis from CRS.

You will see ruleid 901340, as this is the init rule, but that is not all the rules that matched. If you change the log_level to debug you can see the debug logs from Coraza; however, if you had one false trigger and didn't have the debug logs at the time, then it can be a mystery how to replicate or even debug the rule chain.

There are 2 ways we can do this, either:

  • Log all matched rules no matter if vpatch or CRS.
  • Allow the user to define a log file which outputs modsecurity formatted logs.

Option 1 would be best for "native" compatibility, however, this can cause a lot of log lines in our crowdsec.log file, so maybe allowing them to have another option might not be so bad.


github-actions bot commented Feb 5, 2025

@LaurenceJJones: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.


github-actions bot commented Feb 5, 2025

@LaurenceJJones: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind bug
  • /kind packaging

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

LaurenceJJones (Contributor, Author) commented

A workaround for now could be to use the seclang audit engine:

SecAuditEngine RelevantOnly
SecAuditLog /var/log/crowdsec_coraza.log
SecAuditLogParts ABCFHZ
SecAuditLogType concurrent
SecAuditLogRelevantStatus ^(?:5|4(?!04))
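With the workaround above the rule chain is no longer in crowdsec.log but in the audit log, so the practical next step is pulling the matched rule ids back out of that file. The following parser is an added example written for this issue; it is not code from the issue, from CrowdSec or from Coraza. It assumes the native ModSecurity audit format that `SecAuditLogParts ABCFHZ` produces (`--<uid>-<PART>--` boundaries, one `Message:` line per matched rule in part H, `[key "value"]` fields), and the sample entry embedded below is constructed for illustration: the boundary id, addresses, request, rule file paths and messages are made up. It also re-implements the `SecAuditLogRelevantStatus ^(?:5|4(?!04))` regex so you can check which responses `RelevantOnly` would actually record.

```python
import re
from typing import Dict, List

# Constructed sample of one audit entry in the native ModSecurity/Coraza format
# that "SecAuditLogParts ABCFHZ" produces. The boundary id, addresses, request,
# file paths and rule messages are invented for illustration only.
SAMPLE_AUDIT_LOG = """--c0ffee01-A--
[05/Feb/2025:10:00:00 +0000] c0ffee01 203.0.113.10 51234 198.51.100.5 443
--c0ffee01-B--
GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1
Host: example.test
User-Agent: curl/8.0
--c0ffee01-C--

--c0ffee01-F--
HTTP/1.1 403 Forbidden
Content-Length: 0
--c0ffee01-H--
Message: Warning. detected SQLi using libinjection. [file "/etc/crowdsec/appsec-rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-sqli"]
Message: Warning. Pattern match "(?i)\\b(?:or|and)\\b" [file "/etc/crowdsec/appsec-rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "100"] [id "942120"] [msg "SQL Injection Attack: SQL Operator Detected"] [severity "CRITICAL"] [tag "attack-sqli"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/crowdsec/appsec-rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "EMERGENCY"]
--c0ffee01-Z--
"""

# Part boundaries look like "--<uid>-<PART>--"; each letter is one audit part.
BOUNDARY_RE = re.compile(r"^--(?P<uid>[0-9A-Za-z]+)-(?P<part>[A-Z])--$")
# Every matched rule leaves one "Message:" line in part H.
MESSAGE_RE = re.compile(r"^Message:\s*(?P<text>.*)$")
# The [key "value"] fields appended to each message; values may contain escaped quotes.
KV_RE = re.compile(r'\[(?P<key>[a-z]+) "(?P<value>(?:[^"\\]|\\.)*)"\]')
# Same regex as the SecAuditLogRelevantStatus directive in the workaround.
RELEVANT_STATUS_RE = re.compile(r"^(?:5|4(?!04))")


def split_parts(entry: str) -> Dict[str, str]:
    """Return {part letter: body} for one audit entry."""
    parts: Dict[str, str] = {}
    current = None
    buf: List[str] = []
    for line in entry.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            if current is not None:
                parts[current] = "\n".join(buf).strip("\n")
            current = m.group("part")
            buf = []
        elif current is not None:
            buf.append(line)
    if current is not None:
        parts[current] = "\n".join(buf).strip("\n")
    return parts


def matched_rules(entry: str) -> List[dict]:
    """Extract every rule recorded in part H, in the order the engine fired them."""
    rules = []
    for line in split_parts(entry).get("H", "").splitlines():
        m = MESSAGE_RE.match(line)
        if not m:
            continue
        text = m.group("text")
        fields = {kv.group("key"): kv.group("value") for kv in KV_RE.finditer(text)}
        # Free text before the first [key "value"] is the operator result.
        fields["summary"] = text.split(" [", 1)[0]
        fields["denied"] = fields["summary"].startswith("Access denied")
        rules.append(fields)
    return rules


def rule_chain(entry: str) -> List[str]:
    """Just the rule ids, i.e. the chain the issue asks CrowdSec to log."""
    return [r["id"] for r in matched_rules(entry) if "id" in r]


def response_status(entry: str) -> int:
    """HTTP status from the first line of part F (the response headers)."""
    status_line = split_parts(entry).get("F", "").splitlines()[0]
    return int(status_line.split()[1])


def is_relevant_status(status: int) -> bool:
    """Would RelevantOnly write this transaction? Any 5xx, and any 4xx except 404."""
    return RELEVANT_STATUS_RE.match(str(status)) is not None


if __name__ == "__main__":
    status = response_status(SAMPLE_AUDIT_LOG)
    print(f"status {status}, audited={is_relevant_status(status)}")
    for r in matched_rules(SAMPLE_AUDIT_LOG):
        flag = "DENY" if r["denied"] else "warn"
        print(f"{flag} id={r['id']} sev={r.get('severity')} msg={r.get('msg')}")
```

Note that with `SecAuditLogType concurrent` ModSecurity writes one file per transaction under `SecAuditLogStorageDir` and uses `SecAuditLog` as the index, which is why the parser takes a single entry at a time rather than a whole serial log. The `is_relevant_status` check is worth running before relying on the audit file: a false positive that ends in a 404 from the upstream, or a detection in `DetectionOnly` mode that lets the request through with a 200, will never be written under the regex above, so the anomaly-scoring chain would still be lost.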
