# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # Create an audit log of a successful Authentication. # # We also set the username in the Session and User collections. This allows # for showing the UserID associated with the SESSIONID in any alerts generated. # # Must review the ModSecurity audit log data to review what a successful auth attempt # looks like and then customize this template ruleset for it. # #SecRule REQUEST_FILENAME "@streq /path/to/login.jsp" "chain,phase:3,t:none,pass,nolog,auditlog,msg:'Successful Authentication Attempt.',logdata:'Username - %{args.userid}'" # SecRule REQUEST_METHOD "@streq POST" "chain,t:none" # SecRule ARGS:event "@streq LOGON" "chain,t:none" # SecRule RESPONSE_STATUS "@streq 302" "chain,t:none" # SecRule RESPONSE_HEADERS:Location "@streq http://www.example.com/path/to/login.jsp?event=WELCOME" "chain,t:none" # SecRule ARGS:userid ".*" "t:none,setvar:session.username=%{args.userid},setuid:%{args.userid},setvar:session.successful_auth=1" # # Create an alert when a user fails authenticating. # # Must review the ModSecurity audit log data to review what a failed auth attempt # looks like and then customize this template ruleset for it. # #SecRule REQUEST_FILENAME "@streq /path/to/login.jsp" "chain,phase:3,t:none,pass,log,severity:'2',msg:'Failed Authentication Attempt.',logdata:'Username - %{args.userid}'" # SecRule REQUEST_METHOD "@streq POST" "chain,t:none" # SecRule ARGS:event "@streq LOGON" "chain,t:none" # SecRule RESPONSE_STATUS "@streq 302" "chain,t:none" # SecRule RESPONSE_HEADERS:Location "@streq http://www.example.com/path/to/login.jsp?event=ERROR&ErrorDesc=Invalid User ID/Password Please try again." "t:none"