How to Integrate C-Rex Into Your Environment Successfully

Passing mod_security log information from other tools

Instead of being pasted manually into C-Rex, log messages can be passed as URL parameters in these formats:

  • as a URL-encoded string in the logline parameter: example
  • as a base64-encoded string in the logline_base64 parameter: example

This allows creating hyperlinks directly into C-Rex from a wide range of applications like Splunk, Elastic/Kibana, QRadar, Sentinel, you name it.

Sending generated rules to other tools

To integrate C-Rex with your CI/CD pipeline or other tools, the generated rules can be submitted as REST messages from within C-Rex. To do so, provide these parameters to the Docker container:

  • WEBHOOK_1_URL=https://your-api.example/update-modsec-rules.php
  • WEBHOOK_1_LABEL=Submit to my API

This will add an additional button “Submit to my API” to the result area. Clicking it will perform an HTTP POST to the specified URL with a JSON body in the following format:

{
    "input": "[2016-11-03 22:54:45.858724] [-:error] - - [client 127.0.0.1]... (complete Input text)",
    "rule": "# ModSec Rule Exclusion: 942410 : SQL Injection Attack\nSecRuleRemoveById 942410",
    "ruleid": 1000,
    "timestamp": "2021-03-25T09:31:12.253Z",
    "parsed": {
        "id": "942410",
        "msg": "SQL Injection Attack",
        "data": "Matched Data: union select found within ARGS:keys: union select from users",
        "file": "/apache/conf/owasp-modsecurity-crs-3.0.0-rc1/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
        ... (more attributes, as shown in the Parsed Log Message area)
    }
}

A minimal example to process this request in PHP could be

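<?php
  # File update-modsec-rules.php
  # CORS: the allowed origin must be a full origin including the scheme
  # (https is assumed here for your C-Rex instance)
  header('Access-Control-Allow-Origin: https://your-crex.example');
  header('Access-Control-Allow-Methods: GET, POST');
  header('Access-Control-Allow-Headers: X-Requested-With, Content-Type');

  # Decode the JSON body sent by C-Rex into an associative array
  $data = json_decode(file_get_contents('php://input'), true);
  print_r($data);
  # do something with $data....
?>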
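
CORS headers limit which browser origins can read a response; they do not authenticate whoever sends the POST, so the receiver should check the body before using it. The following is an added example, not part of C-Rex or the original page: the function name validate_crex_payload, the sample bodies, and the policy of accepting only comment lines plus SecRuleRemoveById for parsed.id are assumptions.

```php
<?php
// Added example (not C-Rex code): check a webhook body before acting on it.
// Assumption: this receiver accepts only the exclusion form shown in the
// sample body above: comment lines plus "SecRuleRemoveById <parsed.id>".

function validate_crex_payload($d): array {
    if (!is_array($d)) {
        return ['body is not a JSON object'];
    }
    $errors = [];
    foreach (['input', 'rule', 'timestamp'] as $key) {
        if (!is_string($d[$key] ?? null)) {
            $errors[] = "$key must be a string";
        }
    }
    if (!is_int($d['ruleid'] ?? null)) {
        $errors[] = 'ruleid must be an integer';
    }
    $id = $d['parsed']['id'] ?? null;
    if (!is_string($id) || !preg_match('/^\d+$/D', $id)) {
        return array_merge($errors, ['parsed.id must be a numeric string']);
    }
    // Reject any line that is neither a comment nor the expected directive.
    $rule = is_string($d['rule'] ?? null) ? $d['rule'] : '';
    foreach (preg_split('/\R/', $rule) as $line) {
        $line = trim($line);
        if ($line !== '' && $line[0] !== '#' && $line !== "SecRuleRemoveById $id") {
            $errors[] = 'rule contains a line other than a comment or the expected directive';
        }
    }
    return $errors;
}

// Constructed sample bodies for a CLI run: one valid, one with a mismatched id.
$good = '{"input":"(log line)","rule":"# ModSec Rule Exclusion: 942410 : SQL Injection Attack\nSecRuleRemoveById 942410","ruleid":1000,"timestamp":"2021-03-25T09:31:12.253Z","parsed":{"id":"942410"}}';
$bad = str_replace('SecRuleRemoveById 942410', 'SecRuleRemoveById 942100', $good);

// From the CLI, run both samples; behind a web server, read the real request body.
$bodies = PHP_SAPI === 'cli' ? [$good, $bad] : [file_get_contents('php://input')];
foreach ($bodies as $raw) {
    $errors = validate_crex_payload(json_decode($raw, true));
    if ($errors) {
        if (PHP_SAPI !== 'cli') { http_response_code(400); }
        echo 'rejected: ' . implode('; ', $errors) . "\n";
    } else {
        echo "accepted\n";   // the rule can be handed to the deployment step
    }
}
```

The error messages are fixed strings so that nothing from the request body is echoed back in the response.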

Troubleshooting

REST API integration is still very limited, but we are interested in expanding it together with our users. Currently, the following limitations apply:

  • only the POST method is supported
  • only one WEBHOOK is supported
  • the JSON body can’t yet be customized

Please contact our support if you need assistance with integration.