How to Integrate C-Rex Into Your Environment Successfully
Passing mod_security log information from other tools
Instead of being pasted into C-Rex manually, log messages can be passed as URL parameters in these formats:
- as a URL-encoded string in the logline parameter: example
- as a base64-encoded string in the logline_base64 parameter: example
This allows creating hyperlinks directly into C-Rex from a wide range of applications like Splunk, Elastic/Kibana, QRadar, Sentinel, you name it.
Sending generated rules to other tools
To integrate C-Rex with your CI/CD pipeline or other tools, the generated rules can be submitted as REST messages from within C-Rex. To do so, provide these parameters to the Docker container:
WEBHOOK_1_URL=https://your-api.example/update-modsec-rules.php
WEBHOOK_1_LABEL=Submit to my API
This will add an additional button “Submit to my API” to the result area. Clicking it will perform an HTTP POST to the specified URL with a JSON body in the following format:
{
  "input": "[2016-11-03 22:54:45.858724] [-:error] - - [client 127.0.0.1]... (complete Input text)",
  "rule": "# ModSec Rule Exclusion: 942410 : SQL Injection Attack\nSecRuleRemoveById 942410",
  "ruleid": 1000,
  "timestamp": "2021-03-25T09:31:12.253Z",
  "parsed": {
    "id": "942410",
    "msg": "SQL Injection Attack",
    "data": "Matched Data: union select found within ARGS:keys: union select from users",
    "file": "/apache/conf/owasp-modsecurity-crs-3.0.0-rc1/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
    ... (more attributes, as shown in the Parsed Log Message area)
  }
}
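A minimal example to process this request in PHP could be:
<?php
# File update-modsec-rules.php
# CORS: the value must be the full origin of your C-Rex instance, scheme included (https assumed here).
header('Access-Control-Allow-Origin: https://your-crex.example');
header('Access-Control-Allow-Methods: GET, POST');
header('Access-Control-Allow-Headers: X-Requested-With, Content-Type');
# A browser may send an OPTIONS preflight before a cross-origin JSON POST; answer it with the headers only.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    exit;
}
# Decode the JSON body into an associative array (null if the body is not valid JSON).
$data = json_decode(file_get_contents('php://input'), true);
print_r($data);
# do something with $data....
?>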
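Because the receiving endpoint turns the posted rule text into WAF configuration, it should check the body before using it. The following is an added example, not part of C-Rex or of the original page, written in Python rather than PHP: it accepts a body only if every directive in rule is a SecRuleRemoveById for the rule named in parsed.id. The function name, the size cap and the allow-list policy (only the directive form shown in the sample body) are assumptions to adapt.

```python
import json
import re

MAX_BODY = 64 * 1024                      # assumed cap for one webhook message
RULE_ID = re.compile(r"[0-9]{1,7}")       # ASCII digits only
# Assumed policy: admit only the directive form shown in the page's sample body.
DIRECTIVE = re.compile(r"SecRuleRemoveById ([0-9]{1,7})")


def validate_crex_payload(raw: bytes) -> str:
    """Return the rule text if the body passes every check, else raise ValueError."""
    if len(raw) > MAX_BODY:
        raise ValueError("body too large")
    try:
        data = json.loads(raw)
    except ValueError as exc:             # covers JSON and encoding errors
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    rule, parsed = data.get("rule"), data.get("parsed")
    if not isinstance(rule, str) or not isinstance(parsed, dict):
        raise ValueError("'rule' must be a string and 'parsed' an object")
    parsed_id = parsed.get("id")
    if not isinstance(parsed_id, str) or not RULE_ID.fullmatch(parsed_id):
        raise ValueError("parsed.id must be a numeric string")

    removed = []
    for line in rule.split("\n"):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments carry no directive
        match = DIRECTIVE.fullmatch(line)
        if match is None:
            raise ValueError(f"directive not on the allow-list: {line[:40]!r}")
        removed.append(match.group(1))
    if removed != [parsed_id]:
        raise ValueError("rule must disable exactly the rule named in parsed.id")
    return rule


# Constructed sample: the page's example body, reduced to the fields checked here.
SAMPLE = json.dumps({
    "rule": "# ModSec Rule Exclusion: 942410 : SQL Injection Attack\n"
            "SecRuleRemoveById 942410",
    "ruleid": 1000,
    "parsed": {"id": "942410", "msg": "SQL Injection Attack"},
}).encode()

if __name__ == "__main__":
    print(validate_crex_payload(SAMPLE))
```

A body that fails any check should be rejected with an HTTP 4xx response and logged, not written to the rule set.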
Troubleshooting
REST API integration is still very limited, but we are interested in expanding it together with our users. Currently, the following limitations apply:
- only the POST method is supported
- only one WEBHOOK is supported
- the JSON body can’t yet be customized
Please contact our support if you need assistance with integration.