ModSecurity WAF Integration
Overview
ModSecurity is an open-source web application firewall engine compatible with Apache, Nginx, and IIS. KYRA MDR collects ModSecurity audit logs for web application threat detection. The integration supports ModSecurity v2 and v3.
Prerequisites
- A KYRA MDR Collector installed and running
- ModSecurity installed on Apache or Nginx
- OWASP Core Rule Set (CRS) or custom rules
- Network connectivity from the web server to the collector
Configuration
Configure ModSecurity audit logging:
```
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
SecAuditLogParts ABCFHZ
```

With RelevantOnly, a transaction is written only when a rule matches or the response status matches the regex above (all 5xx and all 4xx except 404).

Forward logs via rsyslog (`@@` sends over TCP):

```
module(load="imfile")
input(type="imfile" File="/var/log/modsec_audit.log" Tag="modsecurity")
if $syslogtag == 'modsecurity' then @@<collector-ip>:514
```

Note that the serial audit log writes each transaction as a multi-line record, while imfile reads the file line by line by default, so one transaction can arrive at the collector as several messages.

For ModSecurity v3 with JSON:

```
SecAuditLogFormat JSON
SecAuditLog /var/log/modsec_audit.json
```

Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Alerts | Rule match and block events | Web attack detection |
| SQL Injection | SQLi attempt detections | Database attack prevention |
| XSS | Cross-site scripting detections | Client-side attack prevention |
| File Inclusion | LFI/RFI attempt detections | Server-side attack prevention |
| Request Anomaly | Anomaly score threshold events | Behavioral detection |
| Scanner Detection | Automated scanner detections | Reconnaissance detection |
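To show what the collector has to extract from the serial audit log configured above (parts ABCFHZ), here is a small parser added as an example; it is not part of the KYRA MDR product or of ModSecurity. The sample record, the output field names and the shortened CRS message lines are all constructed for the example.

```python
import re

# Section boundary line of the serial (native) audit log, e.g. "--8f1a2b3c-A--"
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
# Part A header: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A_RE = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)")
# [key "value"] pairs ModSecurity appends to every "Message:" line in part H
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def split_transactions(text):
    """Yield {part letter: body} per transaction; the Z part closes one."""
    marks = list(SECTION_RE.finditer(text))
    parts = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        if m.group(2) == "Z":
            yield parts
            parts = {}
        else:
            parts[m.group(2)] = text[m.end():end].strip("\n")

def parse_transaction(parts):
    """Reduce one transaction to the fields a detection rule would key on."""
    a = PART_A_RE.match(parts.get("A", ""))
    status = parts.get("F", "").split("\n", 1)[0].split()  # "HTTP/1.1 403 Forbidden"
    h_lines = parts.get("H", "").splitlines()
    rules = [dict(KV_RE.findall(l)) for l in h_lines if l.startswith("Message:")]
    return {
        "unique_id": a.group(2) if a else None,
        "client_ip": a.group(3) if a else None,
        "request": parts.get("B", "").split("\n", 1)[0],
        "status": int(status[1]) if len(status) > 1 else None,
        "rule_ids": [r.get("id") for r in rules],
        "blocked": any(l.startswith("Message: Access denied") for l in h_lines),
    }

def parse_audit_log(text):
    return [parse_transaction(p) for p in split_transactions(text)]

# Constructed sample (not a real capture): a probe flagged by CRS 942100 and blocked
# by the anomaly-scoring rule 949110 with a 403; message lines are shortened.
SAMPLE = """--8f1a2b3c-A--
[10/Oct/2023:12:00:01 +0000] ZSD4gH8AAQEAAAbJ4K0AAAAA 203.0.113.5 54321 10.0.0.2 80
--8f1a2b3c-B--
GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1
--8f1a2b3c-F--
HTTP/1.1 403 Forbidden
--8f1a2b3c-H--
Message: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--8f1a2b3c-Z--
"""
```

Calling `parse_audit_log(SAMPLE)` yields one event with the client IP, the request line, the 403 status, the rule IDs 942100 and 949110, and `blocked` set, which is the information behind the Alerts, SQL Injection and Request Anomaly rows above.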
Troubleshooting
No audit logs: Verify SecAuditEngine is set to On or RelevantOnly.
Incomplete log data: Use SecAuditLogParts ABCFHZ to include all relevant sections.
High false positives: Tune the OWASP CRS paranoia level. Start with level 1.
Contact kyra@seekerslab.com for support.