Comments on: Using Modsec2sguil for HTTP transaction logging http://www.inliniac.net/blog/2007/08/15/using-modsec2sguil-for-http-transaction-logging.html Everything inline. Sat, 22 Nov 2008 09:19:56 +0000 http://wordpress.org/?v=2.6.3 By: Ryan Barnett http://www.inliniac.net/blog/2007/08/15/using-modsec2sguil-for-http-transaction-logging.html#comment-7255 Ryan Barnett Thu, 16 Aug 2007 20:20:40 +0000 http://www.inliniac.net/blog/2007/08/15/using-modsec2sguil-for-http-transaction-logging.html#comment-7255 This is a great idea from a forensic/IR perspective. Any time a valid alert is identified and you start the IR process, the first thing that customers ask is "What else did this person do?" Without the full audit trail of HTTP transactions, you have no visibility into what they did before or after the alert. This will allow you to quickly do session reconstruction by simply querying for the IP address. Better yet, you could query based on a sessionid/cookie value to uniquely rebuild sessions. For this to work, however, it seems that the agent script would need to be able to parse the data into proper fields. It is true though that there is a performance hit when you set the modsecurity audit engine to on (meaning log everything) vs. what most people use which is the relevantonly setting (which will only generate an audit log entry when a rule matches). There are some optimizations that could be made to lighten the load somewhat such as to filter out "static" content requests for images. Even with some performance hurdles, this is exciting stuff :) This is a great idea from a forensic/IR perspective. Any time a valid alert is identified and you start the IR process, the first thing that customers ask is “What else did this person do?” Without the full audit trail of HTTP transactions, you have no visibility into what they did before or after the alert. This will allow you to quickly do session reconstruction by simply querying for the IP address. Better yet, you could query based on a sessionid/cookie value to uniquely rebuild sessions. For this to work, however, it seems that the agent script would need to be able to parse the data into proper fields.

It is true though that there is a performance hit when you set the modsecurity audit engine to on (meaning log everything) vs. what most people use which is the relevantonly setting (which will only generate an audit log entry when a rule matches). There are some optimizations that could be made to lighten the load somewhat such as to filter out “static” content requests for images.

Even with some performance hurdles, this is exciting stuff :)

]]> By: VictorJ http://www.inliniac.net/blog/2007/08/15/using-modsec2sguil-for-http-transaction-logging.html#comment-7241 VictorJ Thu, 16 Aug 2007 01:46:07 +0000 http://www.inliniac.net/blog/2007/08/15/using-modsec2sguil-for-http-transaction-logging.html#comment-7241 The extra information is indeed what I had in mind. What this approach would have in advance above the normal webserver logs, is that request headers, response headers and the post payload are also available in the event Sguil would receive. The extra information is indeed what I had in mind. What this approach would have in advance above the normal webserver logs, is that request headers, response headers and the post payload are also available in the event Sguil would receive.

]]> By: Richard Bejtlich http://www.inliniac.net/blog/2007/08/15/using-modsec2sguil-for-http-transaction-logging.html#comment-7228 Richard Bejtlich Wed, 15 Aug 2007 19:58:01 +0000 http://www.inliniac.net/blog/2007/08/15/using-modsec2sguil-for-http-transaction-logging.html#comment-7228 Cool, so now Sguil can accept Web logs in addition to Web security events. :) I'm all for extra information if your setup can handle it. Exporting Web logs via another method is usually preferred, I imagine? Cool, so now Sguil can accept Web logs in addition to Web security events. :) I’m all for extra information if your setup can handle it. Exporting Web logs via another method is usually preferred, I imagine?

]]>