Miles,

Just change the location of your open command to point to your Apache error_log like this –

open STDERR, ">>/path/to/apache/logs/error_log";

Now, once httpd-guardian takes action, you will see entries like this in your error_log file –

httpd-guardian: IP address HASH(0x92e08d0) reached the 1 min threshold (speed = 2.76712328767123 req/sec, threshold = 0.01 req/sec)
httpd-guardian: Executing: /usr/bin/logger DoS Attack Identified from 127.0.0.1

The 2nd line above is from my own "test" configuration where I am just using logger to create a Syslog alert and not actually blackholing the client on the firewall.

# If defined, execute this command when a threshold is reached
# block the IP address for one hour.
# $PROTECT_EXEC = "/sbin/blacklist block %s 3600";
# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600 snortsam.example.com";
my $PROTECT_EXEC;

# For testing only:
# $PROTECT_EXEC = "/sbin/blacklist-webclient %s 3600";
$PROTECT_EXEC = "/usr/bin/logger DoS Attack Identified from %s";

The point is that a message will be generated when httpd-guardian identifies a client that has gone over your defined threshold of requests/time interval and when it executes a responsive action.

Hope this helps.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------
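As an added illustration (this is not httpd-guardian itself, nor code from either poster), the script below is a stripped-down monitor in the same style that shows the two mechanisms discussed in Ryan's reply above and Miles's question below: reopening STDERR onto the Apache error_log so the monitor's messages appear beside Apache's own, and a $PROTECT_EXEC template in which %s stands for the client address. The guardian-log layout (client IPv4 address as the first field), the error_log path, the HG_ERROR_LOG variable, and the window, threshold and cooldown values are all assumptions chosen for the example; the real guardian log line format may differ, so the address pattern would need adjusting.

```perl
#!/usr/bin/perl
# Added example, not httpd-guardian itself: a minimal threshold monitor in the
# same style. Apache feeds it the guardian log on STDIN via SecGuardianLog "|...".
# Paths, log layout, window, threshold and cooldown are assumptions for illustration.
use strict;
use warnings;

# 1. Send our own messages to the Apache error_log (the advice in the reply above).
my $ERROR_LOG = $ENV{HG_ERROR_LOG} || "/path/to/apache/logs/error_log";  # assumed path
open STDERR, ">>", $ERROR_LOG or die "cannot append to $ERROR_LOG: $!";
{ my $prev = select STDERR; $| = 1; select $prev; }   # flush each line promptly

# 2. Thresholds (constructed values) and the responsive action.
my $WINDOW    = 60;    # seconds of history kept per client
my $THRESHOLD = 2.0;   # req/sec over that window
my $COOLDOWN  = 3600;  # seconds before acting on the same client again
# Test action from the thread; a firewall block command goes here in production.
my $PROTECT_EXEC = "/usr/bin/logger DoS Attack Identified from %s";

my %hits;    # ip => arrayref of request timestamps inside the window
my %acted;   # ip => epoch time of the last action taken for that ip

# Extract the client address. Assumed layout: IPv4 address is the first field.
# The strict pattern also guarantees the value is safe to hand to a command.
sub client_ip {
    my ($line) = @_;
    return $line =~ /^(\d{1,3}(?:\.\d{1,3}){3})\s/ ? $1 : undef;
}

# Record one request and return the current rate for that client.
sub record {
    my ($ip, $now) = @_;
    my $ts = $hits{$ip} ||= [];
    push @$ts, $now;
    @$ts = grep { $_ > $now - $WINDOW } @$ts;   # drop entries older than the window
    return scalar(@$ts) / $WINDOW;
}

# Log the event and run the action. The template is split into words and run
# with list-form system(), so nothing taken from the log line reaches a shell.
sub take_action {
    my ($ip, $speed, $now) = @_;
    return 0 if $acted{$ip} && $now - $acted{$ip} < $COOLDOWN;
    $acted{$ip} = $now;
    printf STDERR "httpd-guardian-example: IP address %s reached the %d sec threshold "
                . "(speed = %.2f req/sec, threshold = %.2f req/sec)\n",
                $ip, $WINDOW, $speed, $THRESHOLD;
    my @cmd = map { $_ eq '%s' ? $ip : $_ } split ' ', $PROTECT_EXEC;
    print STDERR "httpd-guardian-example: Executing: @cmd\n";
    system(@cmd) == 0
        or print STDERR "httpd-guardian-example: action failed (exit $?)\n";
    return 1;
}

# 3. Main loop: one guardian-log line per request.
while (my $line = <STDIN>) {
    chomp $line;
    my $ip = client_ip($line) or next;
    my $speed = record($ip, time());
    take_action($ip, $speed, time()) if $speed > $THRESHOLD;
}
```

Apache would start it the same way Miles's configuration starts httpd-guardian, with SecGuardianLog "|/path/to/this/script", and every message it prints to STDERR then lands in error_log. Two design points worth keeping in a real deployment: the address is validated against a fixed pattern and substituted into a list-form system() call, so a malformed log field cannot change which command runs, and the per-client cooldown means a client over the threshold triggers the action once per hour rather than once per request.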

From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Miles Crawford
Sent: Friday, March 30, 2007 5:52 PM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] httpd-guardian errors not in error_log?

Hey folks, I'm playing with using mod_security and httpd-guardian to protect against scripting and automation.

httpd-guardian is configured like:

SecGuardianLog "|/usr/local/bin/httpd-guardian"

I think I'm off to a great start, the alerts are being triggered and so forth, but I get no httpd-guardian messages in the apache error_log.

Added the line:

open STDERR, ">>/tmp/hg_log";

at the top of the httpd-guardian script, and the messages all show up just fine in hg_log.  I was hoping to have them show alongside the rest of the Apache error_log, and that seems to be what the documentation suggests will happen.  Any advice?

I'm using:

ModSecurity for Apache 2.1.0
Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2 mod_apreq2-20051231/2.6.0 mod_perl/2.0.3 Perl/v5.8.8
Rev 1.6 of httpd-guardian from the sourceforge CVS site

Thanks, and let me know if I can provide any other info that might help.
-Miles