https://0d2d0d50.website-1u6.pages.dev/tags/capec/Recent content in CRS Projecthttps://0d2d0d50.website-1u6.pages.dev/20200608/overhauling-the-crs-tags/Mon, 08 Jun 2020 21:13:59 +0200<p>Tagging rules is a great feature of ModSecurity since it allows you to add information to your ModSec alert messages. In my tutorial on <a href="https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/">Embedding ModSec over at netnea.com</a>, I use the tag feature in the default action to add a tag to every alert message from a given service. I do this as follows:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-apacheconf" data-lang="apacheconf"><span style="display:flex;"><span>SecDefaultAction <span style="color:#e6db74">&#34;phase:2,pass,log,tag:&#39;Local Lab Service&#39;&#34;</span> </span></span></code></pre></div><p>One of my customers uses a shortcut URI as the tag. So when an alert pops up, the SoC person can click on the tag, the URI is being expanded (redirection service) and she ends up on a wiki page giving her all the infos about a given service with purpose, architecture, host IDs, security classification and contact information.</p>