
modsecurity-exception-factory 0.1.4

A tool that generates ModSecurity exception rules by automatically analyzing ModSecurity audit logs.

ModSecurity Exception Generator is a tool that generates ModSecurity exception rules by automatically analyzing ModSecurity audit logs. This is very useful, and almost essential, to avoid false positives that reject legitimate clients.


pip install modsecurity-exception-generator


Command options


-d

SQL URL of the data store where the parsed ModSecurity audit log data will be stored and loaded from.

Example: 'sqlite:////tmp/modsecurity-exception-factory.db'.

-i [Optional]

Path to the ModSecurity audit log file to parse.

One can use '-' as a value for this parameter to read the audit log data from standard input.

-c [Optional]

Path of the optional configuration file.

Basic examples

modsecurity-exception-generator \
    -i /path/to/modsec_audit.log \
    -d "sqlite:////tmp/service.db" \
> modsecurity_crs_15_exceptions.conf

zcat modsec_audit.log.*.gz \
| modsecurity-exception-generator \
    -i - \
    -d "sqlite:////tmp/service.db" \
> modsecurity_crs_15_exceptions.conf


The produced exceptions must be loaded BEFORE the rules they are applied to.

Removing superfluous exceptions

Generating exceptions by simply running the 'modsecurity-exception-generator' program, as in the basic examples, might produce some superfluous exception rules. Advanced options are needed to obtain smarter results, and that is where the YAML configuration file given with the '-c' option comes in handy.

The YAML configuration file supports the following directives:


Indicates which logs must be ignored by the exception generator.


To ignore any log message produced by the rule with the id 981176.

   rule_id: [981176]

This can also be applied to other variables such as 'host_name' (the targeted host name), 'request_filename' (the targeted URL) or 'payload_container' (the variable that matched the rule).


Ignore exceptions that affect fewer than minimum_occurrence_count_threshold log message occurrences.


Sometimes, exception rules can have conditions with too many values, as in the following example.

SecRule REQUEST_FILENAME "@rx ^(/foo_bar|/blabla|/test_2/|...)$" ...

This condition can be ignored by setting maximum_value_count_threshold to a value lower than the number of values in the regular expression.

Configuration example for the Core Rule Set

    rule_id: [981174, 981176, 981203, 981200, 981201, 981202, 981203, 981204, 981205, 981220]

minimum_occurrence_count_threshold: 1000
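The three directives above (the ignore list, minimum_occurrence_count_threshold and maximum_value_count_threshold) modelled in a small added Python example; this is not the tool's own code, it works on constructed (rule_id, request_filename) hits instead of a parsed audit log, the exception id range starting at 9000001 is a placeholder, and treating "the condition can be ignored" as removing the rule unconditionally is my reading of the text.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of parsed audit-log hits: (rule_id, request_filename).
# A real run would take these from the SQL data store filled via '-i'.
SAMPLE_HITS = [
    (981176, "/foo"), (981176, "/foo"), (981176, "/foo"),
    (981176, "/bar"), (981176, "/bar"),
    (981203, "/a"), (981203, "/b"), (981203, "/c"), (981203, "/d"),
    (981174, "/x"),   # dropped by the ignore list in the demo call below
    (950901, "/y"),   # dropped by the occurrence threshold in the demo call
]

def build_exceptions(hits, ignore_rule_ids=(), minimum_occurrence_count_threshold=1,
                     maximum_value_count_threshold=None, first_exception_id=9000001):
    """Hypothetical re-implementation of the three directives: skip ignored rule
    ids, skip rules seen fewer than minimum_occurrence_count_threshold times, and
    when a rule fired on more distinct paths than maximum_value_count_threshold
    drop the REQUEST_FILENAME condition (assumed reading) and remove the rule
    unconditionally. Returns a list of ModSecurity directive strings."""
    per_rule = defaultdict(Counter)
    for rule_id, path in hits:
        if rule_id not in ignore_rule_ids:
            per_rule[rule_id][path] += 1

    directives = []
    next_id = first_exception_id   # placeholder id range for generated rules
    for rule_id, paths in sorted(per_rule.items()):
        if sum(paths.values()) < minimum_occurrence_count_threshold:
            continue
        if maximum_value_count_threshold is not None and len(paths) > maximum_value_count_threshold:
            directives.append("SecRuleRemoveById %d" % rule_id)
            continue
        # Anchored, escaped alternation of the paths that triggered the rule.
        pattern = "^(%s)$" % "|".join(re.escape(p) for p in sorted(paths))
        # ctl:ruleRemoveById only affects rules evaluated after this one, which is
        # why the generated file must be loaded before the rules it excepts.
        directives.append(
            'SecRule REQUEST_FILENAME "@rx %s" '
            '"id:%d,phase:1,pass,nolog,ctl:ruleRemoveById=%d"' % (pattern, next_id, rule_id))
        next_id += 1
    return directives

if __name__ == "__main__":
    for line in build_exceptions(SAMPLE_HITS, ignore_rule_ids=(981174,),
                                 minimum_occurrence_count_threshold=2,
                                 maximum_value_count_threshold=3):
        print(line)
```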

Files

File: modsecurity-exception-factory-0.1.4.tar.gz
Type: Source
Uploaded on: 2015-11-30
Size: 18KB