Thx Breno,
I modified my modsecurity_crs_10_setup.conf SecDefaultAction to be:
SecDefaultAction "phase:2,pass,log,noauditlog"
My modsecurity.conf contains:
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^(?:5|4\d[^4])
SecAuditLogParts ABDEFHIJKZ
SecAuditLogType Concurrent
SecAuditLog "|/usr/local/modsecurity/bin/mlogc /etc/mlogc.conf"
SecAuditLogStorageDir /var/log/modsecurity/audit/
This appears to have resolved the issue.
~Jeremy
--
Jeremy Brock
XtremeServices.Net
Xtreme Services, LLC
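A small Python model of the RelevantOnly audit decision Breno describes (an added example for this thread, not ModSecurity's own source; the rule and SecDefaultAction strings are constructed, and the "earlier default with auditlog" is an assumption about the pre-fix setup):

```python
import re

# Regex taken from the thread's SecAuditLogRelevantStatus setting.
RELEVANT_STATUS = re.compile(r"^(?:5|4\d[^4])")


def status_is_relevant(status, pattern=RELEVANT_STATUS):
    """True if the response status alone makes the transaction relevant."""
    return pattern.search(str(status)) is not None


def effective_auditlog(rule_actions, default_action):
    """A rule's own auditlog/noauditlog wins; otherwise it inherits SecDefaultAction.
    If neither mentions it, ModSecurity's built-in default includes auditlog."""
    for actions in (rule_actions, default_action):
        flags = [a.strip() for a in actions.split(",")
                 if a.strip() in ("auditlog", "noauditlog")]
        if flags:
            return flags[-1] == "auditlog"
    return True


def audit_log_written(status, matched_rules, default_action,
                      engine="RelevantOnly"):
    """Simplified model: under RelevantOnly the transaction is written when the
    status matches SecAuditLogRelevantStatus OR any matched rule carries an
    effective auditlog action (the path that bypasses the status regex)."""
    if engine == "Off":
        return False
    if engine == "On":
        return True
    if status_is_relevant(status):
        return True
    return any(effective_auditlog(r, default_action) for r in matched_rules)


# Constructed scenario: a detection-only rule matches, the request is answered 200.
ASSUMED_OLD_DEFAULT = "phase:2,pass,log,auditlog"  # assumed earlier default (auditlog on)
FIXED_DEFAULT = "phase:2,pass,log,noauditlog"      # the change made in the thread
MATCHED = ["phase:2,id:2,pass"]                    # inherits the default's audit flag

if __name__ == "__main__":
    print(audit_log_written(200, MATCHED, ASSUMED_OLD_DEFAULT))  # True: the 200 seen in the log
    print(audit_log_written(200, MATCHED, FIXED_DEFAULT))        # False: noauditlog inherited
    print(audit_log_written(403, [], FIXED_DEFAULT))             # True: status regex matches
```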
On 2/6/2013 10:50 AM, Breno Silva wrote:
> Hello Jeremy,
>
> Looks like you need to set SecAction "...,noauditlog,..."
>
> The reason is that the auditlog action is present by default in the rules. This
> will make the engine set the transaction as relevant and will "bypass"
> SecAuditLogRelevantStatus.
>
> For example, inserting SecAction before the following SecRule:
>
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "403"
> SecAuditLogParts ABDEFHIJKZ
>
> SecAction "phase:2,id:1,noauditlog"
> SecRule REQUEST_URI "index" "phase:2,id:2,deny"
>
> Will log only status 403.
>
> Thanks
>
> Breno
>
> On Tue, Feb 5, 2013 at 7:56 PM, Breno Silva <breno.silva@...> wrote:
>
> Hello Jeremy,
>
> Yes. Looks like a bug to me. Looks like a very old bug, I just
> checked the code since 2.5.x.
> I will check it tomorrow (later here) and send you a patch for
> testing.
>
> Thanks
>
> Breno
>
>
> On Tue, Feb 5, 2013 at 6:46 PM, Jeremy Brock <jbrock@...> wrote:
>
> Hi all,
>
> I have recently deployed modsecurity 2.7.2 and have come
> across a strange behavior.
>
> I have defined the SecAuditLogRelevantStatus to only be
> 500 and 400 responses, however I am still getting all responses.
>
> Attached is an example of the audit log output that is
> sent to Auditconsole. Notice that there is a Response 200 listed.
>
> I have also attached the Detail results that show the main
> rule message that was triggered.
>
> Here are my modsecurity.conf settings:
>
> # Settings for mlogc remote logging
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
> SecAuditLogParts ABDEFHIJKZ
>
> When I enter apache2ctl restart I do not see any syntax
> errors.
>
> Hope you all have a great day,
>
> ~Jeremy
>
> --
>
> Jeremy Brock
>
> XtremeServices.Net
> Xtreme Services, LLC
>
>