This is a pre-production deployment of Warehouse, however changes made here WILL affect the production instance of PyPI.
Latest Version Dependencies status unknown Test status unknown Test coverage unknown
Project Description

ModSecurity Exception Generator is a tool that generates ModSecurity exception rules by automatically analyzing ModSecurity audit logs. This is very useful and almost essential to avoid false positives and rejecting legitimate clients.


pip install modsecurity-exception-generator


Command options


SQL URL of the data store where the ModSecurity audit log parsed data will be stored and loaded from.

Example: ‘sqlite:////tmp/modsecurity-exception-factory.db’.

-i [Optional]

Path to the ModSecurity audit log file to parse.

One can use ‘-‘ as a value for this parameter to read the audit log data from standard input.

-c [Optional]

Path of the optional configuration file.

Basic examples

modsecurity-exception-generator \
    -i /path/to/modsec_audit.log \
    -d "sqlite:////tmp/service.db" \
> modsecurity_crs_15_exceptions.conf
zcat modsec_audit.log.*.gz \
| modsecurity-exception-generator \
    -i - \
    -d "sqlite:////tmp/service.db" \
> modsecurity_crs_15_exceptions.conf


The produced exceptions must be loaded BEFORE the rules they are applied to.

Removing superfluous exceptions

Generating exceptions by simply running the ‘modsecurity-exception-generator’ program, as in the basic examples, might generate some superfluous exception rules. Thus we need some advanced options to obtain smarter results. That’s where the YAML configuration file given using the ‘-c’ option comes in handy.

The YAML configuration file supports the following directives:


Indicates which logs most be ignored by the exception generator.


To ignore any log message produced by the rule with the id 981176.

   rule_id: [981176]

This can also be applied to other variables like ‘host_name(targeted host name), ‘request_filename(targeted url) or ‘payload_container(the variable that matched the rule).


Ignore exceptions that affect less than minimum_occurence_count_threshold log message occurrences.


Sometimes, exceptions rules can have conditions with too many values like the following example.

SecRule REQUEST_FILENAME "@rx ^(/foo_bar|/blabla|/test_2/|...)$" ...

This condition can be ignored by setting maximum_value_count_threshold to a value lesser than the number of values in the regular expression.

Configuration example for the Core Rule Set

    rule_id: [981174, 981176, 981203, 981200, 981201, 981202, 981203, 981204, 981205, 981220]

minimum_occurrence_count_threshold: 1000
Release History

Release History


This version

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

Download Files

Download Files

TODO: Brief introduction on what you do with files - including link to relevant help section.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date
modsecurity-exception-factory-0.1.4.tar.gz (19.1 kB) Copy SHA256 Checksum SHA256 Source Nov 30, 2015

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS HPE HPE Development Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting