Skill

implementing-web-application-logging-with-modsecurity

Configures ModSecurity WAF with OWASP CRS for web app logging, tunes rules to cut false positives, analyzes audit logs for attacks, and adds custom SecRules.

Nginx

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

ModSecurity is an open-source WAF engine that works with Apache, Nginx, and IIS. The OWASP

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Implementing Web Application Logging with ModSecurity

Overview

When to Use

When deploying or configuring implementing web application logging with modsecurity capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

Prerequisites

Web server (Apache 2.4+ or Nginx) with ModSecurity v3 module
OWASP CRS v4.x installed
Log aggregation infrastructure (ELK, Splunk, or Wazuh)

Steps

Install ModSecurity and configure SecRuleEngine in DetectionOnly mode
Deploy OWASP CRS v4 and set paranoia level (PL1-PL4)
Configure SecAuditEngine for relevant-only logging
Tune false positives with SecRuleRemoveById and rule exclusions
Switch to blocking mode (SecRuleEngine On) after tuning period
Forward audit logs to SIEM for correlation and alerting

Expected Output

ModSecurity: Warning. Pattern match "(?:union\s+select)" [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]