ModSecurity rule editor and log analysis
The WAFme component is intended for tailing live ModSecurity audit logs and generating the rules and exceptions that stop ModSecurity from blocking legitimate use of the website/webapp.
- /!\ This assumes that the log is free of attacks and malicious payloads: any attack traffic present in the log would end up whitelisted as an exception.
Tuning the CRS usually requires:
- R1) identify the element (variable/parameter) triggering the rule
- R2) check that the payload in that element is legitimate, not malicious
- R3) evaluate the scope in which that element is present (which URIs, vhosts, servers)
- R4) whitelist the element for the specific rule id within the narrowest possible scope
- R5) update the ruleset to add the exceptions
- R6) add rules checking that the whitelisted element contains only the expected values
- R7) reload the configuration
Some of the possible scopes, roughly from narrowest to widest, are:
- A1) Match URI + element + payload validation (regex, type, length, values)
- A2) Match URI + element
- A3) Match element for all URIs + payload validation (regex, type, length, values)
- A4) Match element for all URIs
- A5) Match URI
- A6) VHost
- A7) Server
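As an added example (not WAFme's own code, nor anything from the CRS project), the Python script below walks steps R1 to R6 over a few constructed ModSecurity 2.x audit-log "Message:" lines: it extracts the rule id and the target (the element) from each hit, collects the URIs where each (rule, element) pair fired, picks scope A2 when a single URI is involved and scope A4 otherwise, and emits both the exception and a positive validation rule. The A2/A4 heuristic, the rule ids 10000+ and 20000+, the sample URIs and messages, and the allowed-value regexes in `ALLOWED` are all assumptions made for illustration.

```python
"""Added example: derive CRS exceptions at the narrowest scope from audit-log hits.
Not WAFme's own code; sample data and scope heuristic are constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample events: (REQUEST_URI from section B, one "Message:" line from
# section H) for five transactions. The field layout follows the ModSecurity 2.x
# serial audit log; the URIs, patterns and messages are made up for this example.
SAMPLE_EVENTS = [
    ("/blog/comment",
     'Message: Warning. Pattern match "(?i:union.{1,100}?select)" at ARGS:comment. '
     '[file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "123"] '
     '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"]'),
    ("/blog/comment",
     'Message: Warning. Pattern match "(?i:union.{1,100}?select)" at ARGS:comment. '
     '[file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "123"] '
     '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"]'),
    ("/api/v1/search",
     'Message: Warning. Pattern match "(?i:select.{1,100}?from)" at ARGS:q. '
     '[file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "210"] '
     '[id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"]'),
    ("/api/v2/search",
     'Message: Warning. Pattern match "(?i:select.{1,100}?from)" at ARGS:q. '
     '[file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "210"] '
     '[id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"]'),
    ("/reports/export",
     'Message: Warning. Pattern match "(?i:select.{1,100}?from)" at ARGS:q. '
     '[file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "210"] '
     '[id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"]'),
]

# "... at <VARIABLE[:name]>. [file ...] [id "<rule id>"]" - the target and rule id of a hit.
MSG_RE = re.compile(r'\bat (?P<target>[A-Z_]+(?::[^\s.]+)?)\. .*?\[id "(?P<rule_id>\d+)"\]')


def parse_hits(events):
    """R1: map (rule id, target) -> set of URIs on which that target triggered the rule."""
    hits = defaultdict(set)
    for uri, line in events:
        m = MSG_RE.search(line)
        if m:  # lines without a target (e.g. the anomaly-score blocking rule) are skipped
            hits[(m["rule_id"], m["target"])].add(uri)
    return hits


def exception_rules(hits, start_id=10000):
    """R3/R4: choose the narrowest scope per (rule, element) and emit the exception.
    Assumed heuristic: one URI -> scope A2 (URI + element, ctl:ruleRemoveTargetById
    in phase 1); several URIs -> scope A4 (element for all URIs, SecRuleUpdateTargetById)."""
    rules = []
    next_id = start_id  # assumed id range for the generated phase-1 rules
    for (rule_id, target), uris in sorted(hits.items()):
        if len(uris) == 1:
            uri = next(iter(uris))
            rules.append(
                f'SecRule REQUEST_URI "@streq {uri}" '
                f'"id:{next_id},phase:1,pass,nolog,ctl:ruleRemoveTargetById={rule_id};{target}"')
            next_id += 1
        else:
            rules.append(f'SecRuleUpdateTargetById {rule_id} "!{target}"')
    return rules


def validation_rules(hits, allowed, start_id=20000):
    """R6: for every whitelisted element, a positive check that denies any value not
    matching the operator-supplied regex in `allowed` (keyed by target)."""
    rules = []
    next_id = start_id  # assumed id range for the generated phase-2 rules
    for target in sorted({t for _, t in hits}):
        pattern = allowed.get(target)
        if pattern is None:
            continue  # no expected-value definition: leave the element without a check
        rules.append(
            f'SecRule {target} "!@rx {pattern}" '
            f'"id:{next_id},phase:2,deny,status:403,log,msg:\'Unexpected value in {target}\'"')
        next_id += 1
    return rules


# Constructed expected-value definitions; in practice these come from the app's input spec.
ALLOWED = {
    "ARGS:comment": r"^[\w\s.,!?'()-]{1,2000}$",
    "ARGS:q": r"^[\w\s-]{1,100}$",
}

if __name__ == "__main__":
    found = parse_hits(SAMPLE_EVENTS)
    for rule in exception_rules(found) + validation_rules(found, ALLOWED):
        print(rule)
```

The A2 rules rely on `ctl:ruleRemoveTargetById` running in phase 1, before the CRS rules evaluate in phase 2, so they belong in a file loaded before the CRS (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf in CRS 3.x); `SecRuleUpdateTargetById` can only modify a rule that has already been defined, so the A4 lines go after the CRS (RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). The validation rules can live in either place. Once the generated lines are added (R5) and the configuration is reloaded (R7), a whitelisted element is still checked, only against the narrower expectation of the application instead of the generic CRS signature.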