Skill

implementing-web-application-logging-with-modsecurity

From asi

Configures ModSecurity WAF with OWASP CRS for web application logging, tunes rules to reduce false positives, analyzes audit logs for attacks, and implements custom SecRules.

Nginx

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

ModSecurity is an open-source WAF engine that works with Apache, Nginx, and IIS. The OWASP

SKILL.md

Similar Skills

implementing-web-application-logging-with-modsecurity

5.9k

Configures ModSecurity WAF with OWASP CRS for web app logging, tunes rules to cut false positives, analyzes audit logs for attacks, and adds custom SecRules.

3 files

cybersecurity-skills

implementing-web-application-logging-with-modsecurity

Configures ModSecurity WAF with OWASP CRS for web app logging, tunes rules to reduce false positives, analyzes audit logs for attacks, and implements custom SecRules for app-specific threats.

3 files

cybersecurity-skills-zh

implementing-cloud-waf-rules

Deploys and tunes WAF rules on AWS WAF, Azure WAF, and Cloudflare to protect cloud apps against OWASP Top 10, with managed/custom rules, rate limiting, bot management, and false positive reduction via logging. Use for API security, brute force defense, and compliance.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Implementing Web Application Logging with ModSecurity

Overview

ModSecurity is an open-source WAF engine that works with Apache, Nginx, and IIS. The OWASP Core Rule Set (CRS) provides generic attack detection rules covering SQL injection, XSS, RCE, LFI, and other OWASP Top 10 attacks. ModSecurity logs full request/response data in audit logs for forensic analysis and generates alerts that feed into SIEM platforms.

When to Use

When deploying or configuring implementing web application logging with modsecurity capabilities in your environment

When establishing security controls aligned to compliance requirements

When building or improving security architecture for this domain

When conducting security assessments that require this implementation

Prerequisites

Web server (Apache 2.4+ or Nginx) with ModSecurity v3 module

OWASP CRS v4.x installed

Log aggregation infrastructure (ELK, Splunk, or Wazuh)

Steps

Install ModSecurity and configure SecRuleEngine in DetectionOnly mode

Deploy OWASP CRS v4 and set paranoia level (PL1-PL4)

Configure SecAuditEngine for relevant-only logging

Tune false positives with SecRuleRemoveById and rule exclusions

Switch to blocking mode (SecRuleEngine On) after tuning period

Forward audit logs to SIEM for correlation and alerting

Expected Output

ModSecurity: Warning. Pattern match "(?:union\s+select)" [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]