MatchedRules design can be changed to store matches per rule. #183
Summary

MatchedRules design can be changed to store matches per rule.

Currently every match, especially multiMatch, may add many matches. However, getting unique rule matches would be an unnecessary extra task.

Storing the matches per rule and adding all matches mapped together would provide a way to do Anomaly Scoring like Modsec and better visualization of matches. It would also reduce memory use by not deduplicating other fields of MatchedRule.

Basic example

If the MatchedRules structure is changed as follows, this will give interesting observation.

Motivation

Better results, handling multi matches on a rule. Anomaly observation.

Comments

Matched Rule is sent to the log callback to generate audit logs; if we do this the user would have to read the matched rule and iterate over the matched data. I think it is possible, but we are already far from ModSecurity behavior: they use the log action to instantly write the log, while we mark the rule as "loggable", and in future versions this could change.

We have already seen issues of logs being flooded in ModSecurity from multiMatch. There is no point in sending many log events for one rule match. It's the rule and any of the matched data that is important. The handling could be left to the users if they want to print each one.

I think this is a good idea, it can reduce the memory usage of
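As an added illustration (not code from this issue or from the project itself), here is one way the per-rule design described above could look in Go: a MatchedRules container keyed by rule ID, so a multiMatch that fires on several variables appends a MatchedData entry to the one MatchedRule rather than creating a new entry with duplicated ID, message and severity, plus an AnomalyScore that counts each rule once no matter how many variables triggered it. The type and field names, the severity weights (the usual CRS convention of 5/4/3/2), and the sample rule IDs, messages and matched values are all assumptions constructed for this example.

```go
package main

import "fmt"

// Severity labels used as the key for anomaly-score weights. The weights
// follow the common CRS convention (critical 5, error 4, warning 3, notice 2);
// they are an assumption of this example, not a value from the issue.
var defaultWeights = map[string]int{
	"CRITICAL": 5,
	"ERROR":    4,
	"WARNING":  3,
	"NOTICE":   2,
}

// MatchedData is one piece of evidence for a match: the variable collection
// and key that matched, and the value that triggered it.
type MatchedData struct {
	Variable string
	Key      string
	Value    string
}

// MatchedRule stores the rule's metadata once and every match for it, so a
// multiMatch across several variables does not duplicate ID/Severity/Message.
type MatchedRule struct {
	ID       int
	Severity string
	Message  string
	Data     []MatchedData
}

// MatchedRules indexes matched rules by ID and remembers first-match order,
// so callers get unique rules without an extra deduplication pass.
type MatchedRules struct {
	byID  map[int]*MatchedRule
	order []int
}

func NewMatchedRules() *MatchedRules {
	return &MatchedRules{byID: map[int]*MatchedRule{}}
}

// Add records one match. A rule already present only gains another MatchedData.
func (m *MatchedRules) Add(id int, severity, msg string, d MatchedData) {
	r, ok := m.byID[id]
	if !ok {
		r = &MatchedRule{ID: id, Severity: severity, Message: msg}
		m.byID[id] = r
		m.order = append(m.order, id)
	}
	r.Data = append(r.Data, d)
}

// Rules returns the matched rules in the order they were first seen.
func (m *MatchedRules) Rules() []*MatchedRule {
	out := make([]*MatchedRule, 0, len(m.order))
	for _, id := range m.order {
		out = append(out, m.byID[id])
	}
	return out
}

// AnomalyScore adds one severity weight per matched rule, however many
// variables triggered it, so multiMatch cannot inflate the score.
func (m *MatchedRules) AnomalyScore(weights map[string]int) int {
	score := 0
	for _, r := range m.byID {
		score += weights[r.Severity]
	}
	return score
}

// sampleMatches builds a constructed set of matches: rule 942100 fires on two
// ARGS keys (a multiMatch) and rule 920350 fires once. IDs, messages and the
// matched values are placeholders for this example.
func sampleMatches() *MatchedRules {
	m := NewMatchedRules()
	m.Add(942100, "CRITICAL", "sample injection rule",
		MatchedData{Variable: "ARGS", Key: "id", Value: "sample-payload-1"})
	m.Add(942100, "CRITICAL", "sample injection rule",
		MatchedData{Variable: "ARGS", Key: "q", Value: "sample-payload-2"})
	m.Add(920350, "WARNING", "sample protocol rule",
		MatchedData{Variable: "REQUEST_HEADERS", Key: "Host", Value: "10.0.0.1"})
	return m
}

func main() {
	m := sampleMatches()
	for _, r := range m.Rules() {
		fmt.Printf("rule %d (%s) %q: %d match(es)\n", r.ID, r.Severity, r.Message, len(r.Data))
		for _, d := range r.Data {
			fmt.Printf("  %s:%s = %q\n", d.Variable, d.Key, d.Value)
		}
	}
	fmt.Println("anomaly score:", m.AnomalyScore(defaultWeights))
}
```

With this layout a log callback receives one MatchedRule per rule and can decide for itself whether to emit one line or one per MatchedData, which is the flood-avoidance point raised in the comments; the anomaly score stays at one weight per rule (8 for the constructed sample: 5 + 3) regardless of how many variables matched.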