ModSecurity WAF Integration

Overview

ModSecurity is an open-source web application firewall engine compatible with Apache, Nginx, and IIS. KYRA MDR collects ModSecurity audit logs for web application threat detection. Supports ModSecurity v2 and v3.

Prerequisites

• A KYRA MDR Collector installed and running
• ModSecurity installed on Apache or Nginx
• OWASP Core Rule Set (CRS) or custom rules
• Network connectivity from the web server to the collector

Configuration

Configure ModSecurity audit logging:

modsecurity.conf

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
SecAuditLogParts ABCFHZ

Forward logs via rsyslog:

/etc/rsyslog.d/modsecurity.conf

module(load="imfile")
input(type="imfile" File="/var/log/modsec_audit.log" Tag="modsecurity")
if $syslogtag == 'modsecurity' then @@<collector-ip>:514

For ModSecurity v3 with JSON:

SecAuditLogFormat JSON
SecAuditLog /var/log/modsec_audit.json

Collected Log Types

Log Type	Description	Security Use
Alerts	Rule match and block events	Web attack detection
SQL Injection	SQLi attempt detections	Database attack prevention
XSS	Cross-site scripting detections	Client-side attack prevention
File Inclusion	LFI/RFI attempt detections	Server-side attack prevention
Request Anomaly	Anomaly score threshold events	Behavioral detection
Scanner Detection	Automated scanner detections	Reconnaissance detection

Troubleshooting

No audit logs: Verify SecAuditEngine is set to On or RelevantOnly.

Incomplete log data: Use SecAuditLogParts ABCFHZ to include all relevant sections.

High false positives: Tune the OWASP CRS paranoia level. Start with level 1.

Contact kyra@seekerslab.com for support.