Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

Description

Splunk for ModSecurity provides searches, reports and dashboards for ModSecurity, the open source web application firewall module for Apache from Trustwave SpiderLabs.

Splunk indexes and searches your log files, and ModSecurity is the Apache module that inspects and blocks requests to your web application; this app brings the ModSecurity audit log into Splunk.

What can Splunk for ModSecurity do for you?

  1. Overview dashboard with
    • Denied by Clientip
    • Denied by host
    • Denied outbound gauge
    • Alert trend
  2. Event dashboard with
    • Denied by event type
    • Count of outbound blocking
    • Count of total events
    • Count of clientip blocked
  3. Geographical location of ModSecurity events by Google Maps and amMap
  4. Event search form
  5. Saved searches
    • Top clientip block
    • Top country block

And more to come in next release.

Dependencies

This app uses amMap to create Flash maps, the MaxMind GeoIP database for local geo-location of client addresses, and Sideview Utils.

This app is developed against ModSecurity 2.6.3 and the ModSecurity Core Rule Set 2.2.3.

"ModSecurity for Apache is a product developed by Trustwave's SpiderLabs Team <<https://www.trustwave.com/spiderLabs.php>> and made available under an open source licence. SpiderLabs is engaged to popularize web application firewall technologies and make them widely accessible."

Installation

Download the app and extract the .tar.gz under $SPLUNK_HOME/etc/apps on your search head, or install it from the Manager web interface.
Restart your Splunk instance.

Configuration

Depending on your infrastructure you may need to change the sourcetype, the index, and the field alias that maps the client IP.

  1. If your indexers are separate from your search head, copy the app's props.conf to the indexers as well (the search-time extractions and the field alias below still need it on the search head).
  2. The default configuration assumes that your modsec_audit.log is indexed with the sourcetype "modsec_audit" into the main index. If this is not the case, change the following search macros so they match your environment.
    • In "Splunk -> Manager -> Advanced search -> Search macros" change the following stanzas.
    • modsec_index -> index="your index"
    • modsec_src -> sourcetype="your modsec sourcetype name"
  3. If your ModSecurity Apache server is behind a load balancer, the real client address is in the X-Forwarded-For header, and the default configuration assumes this is the case. If your ModSecurity logs have no X-Forwarded-For header, change the field alias for clientip.
    • In "Splunk -> Manager -> Fields -> Field aliases -> modsec_src : FIELDALIAS-real_ip" change "xforwardedfor = clientip" to "srcip = clientip"
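The three steps above amount to telling Splunk which field in each modsec_audit.log entry is the client address and which rule fired. As an added example that is not code from this app, from Splunk or from ModSecurity, the Python below parses the ModSecurity 2.x serial audit-log format (the --id-A-- ... --id-Z-- entries) and applies the same choice as the FIELDALIAS-real_ip setting in step 3: take the client from X-Forwarded-For when a load balancer is in front, otherwise from the source address in section A. It then reproduces the "Top clientip block" saved search over the parsed events. The two log entries, their unique IDs and addresses are constructed, and the trust_xff parameter (and the rule of taking the rightmost X-Forwarded-For value) is my stand-in for the alias choice, not something the app exposes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, not a real capture: two ModSecurity 2.x serial audit-log entries.
# Entry 1 came through a load balancer that set X-Forwarded-For and was blocked by a CRS
# SQL-injection rule; entry 2 connected directly and was allowed. IDs/addresses are made up.
SAMPLE_AUDIT_LOG = """\
--8d0e3f2a-A--
[10/Jan/2012:14:28:01 +0100] TwwUvH8AAQEAAAdXK3kAAAAB 10.0.0.5 54321 10.0.0.10 80
--8d0e3f2a-B--
GET /index.php?id=1%27%20OR%201=1-- HTTP/1.1
Host: www.example.com
X-Forwarded-For: 203.0.113.7

--8d0e3f2a-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:or)" at ARGS:id. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)

--8d0e3f2a-Z--
--1b7c44d9-A--
[10/Jan/2012:14:29:15 +0100] TwwU938AAQEAAAdXK3oAAAAC 198.51.100.23 40112 10.0.0.10 80
--1b7c44d9-B--
GET /robots.txt HTTP/1.1
Host: www.example.com

--1b7c44d9-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")  # --<entry id>-<section letter>--
# Section A, first line: [timestamp] unique_id source_ip source_port dest_ip dest_port
A_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<srcip>\S+) \d+ \S+ \d+$")
# Rule attributes in an H-section "Message:" line, e.g. [id "950901"] [msg "SQL Injection Attack"]
RULE_ATTR = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


@dataclass
class AuditEvent:
    unique_id: str
    timestamp: str
    srcip: str                      # TCP peer ModSecurity saw: the proxy, if one is in front
    request_line: str
    headers: Dict[str, str]         # request headers, names lower-cased
    messages: List[Dict[str, str]]  # rule attributes, one dict per "Message:" line
    intercepted: bool               # "Action: Intercepted" present in section H


def _build_event(sections: Dict[str, List[str]]) -> AuditEvent:
    a = A_LINE.match(sections.get("A", [""])[0])
    if a is None:
        raise ValueError("malformed section A: %r" % sections.get("A"))
    b = sections.get("B", [])
    headers: Dict[str, str] = {}
    for hdr in b[1:]:
        if not hdr.strip():         # blank line ends the request headers
            break
        name, _, value = hdr.partition(":")
        headers[name.strip().lower()] = value.strip()
    messages, intercepted = [], False
    for line in sections.get("H", []):
        if line.startswith("Message:"):
            messages.append(dict(RULE_ATTR.findall(line)))
        elif line.startswith("Action: Intercepted"):
            intercepted = True
    return AuditEvent(a["uid"], a["ts"], a["srcip"], b[0] if b else "",
                      headers, messages, intercepted)


def parse_audit_log(text: str) -> List[AuditEvent]:
    """Split a serial audit log on its boundary lines; one event per A..Z entry."""
    events: List[AuditEvent] = []
    sections: Dict[str, List[str]] = {}
    part: Optional[str] = None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m is None:
            if part is not None:
                sections[part].append(line)
            continue
        part = m.group(2)
        if part == "A":
            sections = {}           # a new entry starts
        elif part == "Z":
            events.append(_build_event(sections))
            part = None             # ignore anything until the next A boundary
            continue
        sections.setdefault(part, [])
    return events


def resolve_clientip(event: AuditEvent, trust_xff: bool) -> str:
    """The FIELDALIAS-real_ip choice from step 3, as code (trust_xff is this example's flag).
    True  (xforwardedfor = clientip): a trusted load balancer appends the real client to
          X-Forwarded-For, so the rightmost value is the one it added.
    False (srcip = clientip): no proxy, so the TCP peer is the client.
    The header is client-supplied: only trust it when a proxy you control sets it."""
    xff = event.headers.get("x-forwarded-for", "")
    if trust_xff and xff:
        return xff.split(",")[-1].strip()
    return event.srcip


def top_blocked_clients(events: List[AuditEvent], trust_xff: bool) -> List[Tuple[str, int]]:
    """The 'Top clientip block' saved search done locally: blocked events per client IP."""
    return Counter(resolve_clientip(e, trust_xff) for e in events if e.intercepted).most_common()
```

The point to carry over to Splunk: leave the alias on xforwardedfor only when a proxy you control sets that header. Without such a proxy, the same rule that blocks a request also records whatever address the attacker put in X-Forwarded-For, and that is the address the Denied by Clientip panel will show.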

Licenses

Splunk for ModSecurity uses the third-party components listed under Dependencies, which are subject to their own licenses.

Versions and Release Notes

Version 1.3 (current version - updated Jan 10, 2012)
release notes:

Updated to support iOS (iPad, iPhone), which means no more Flash graphs.

Version 1.2 (updated Jan 05, 2012)
release notes:

This update includes configuration control for Sideview utils, improvement of the menu and change of event search.

Version 1.0 (updated Jan 05, 2012)
Version 1.1 (updated Jan 04, 2012)
release notes:

Minor changes, including a README.txt

posted 04 Jan '12, 17:53 by martin_splunk

new version 10 Jan '12, 14:28

Price: Free
Author: martin_splunk
Version: 1.3
Splunk compatibility: 4.3, 4.2, 4.1, 4.x, 5.x
License: Creative Commons BY 3.0

This app is not covered by any support agreements in place with Splunk. If you have questions about the installation or operation of this app, please contact the author.

Copyright © 2005-2012 Splunk Inc. All rights reserved.