Merge pull request #528 from grooverdan/modsecurity

ENH: add filter for apache-modsecurity

ChangeLog

@@ -50,6 +50,7 @@ code-review and minor additions from Yaroslav Halchenko.
    Daniel Black
    * Added action xarf-login-attack to report formatted attack messages
      according to the XARF standard (v0.2). Close gh-105
+   * Add filter for apache-modsecurity
 
 - Enhancements
   Steven Hiscocks

config/filter.d/apache-modsecurity.conf

@@ -0,0 +1,18 @@
+# Fail2Ban apache-modsec filter
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# apache-common.local
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s ModSecurity:  (\[.*?\] )*Access denied with code [45]\d\d.*$
+
+ignoreregex = 
+
+# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
+# Author: Daniel Black

config/jail.conf

@@ -342,6 +342,13 @@ logpath  = /var/log/apache*/*error.log
 maxretry = 2
 
 
+[apache-modsecurity]
+
+port     = http,https
+logpath  = /var/log/apache*/*error.log
+maxretry = 2
+
+
 [nginx-http-auth]
 
 ports   = http,https

fail2ban/tests/files/logs/apache-modsecurity

@@ -0,0 +1,2 @@
+# failJSON: { "time": "2013-12-23T13:12:31", "match": true , "host": "173.255.225.101" }
+[Mon Dec 23 13:12:31 2013] [error] [client 173.255.225.101] ModSecurity:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"][tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [hostname "www.mysite.net"] [uri "/"] [unique_id "Urf@f12qgHIAACrFOlgAAABA"]