Dear Mr. Ristic, Dear all,

First of all I thank you all for your time and help that you provided.
Secondly, I would like to thank Mr. Ristic especially for his help. It is an honor to speak to people like him. Many thanks again, Sir!

I have one more question if I may:

My audit log is FULL (almost 2 Megs full) of text like the following:

--b1820656-A--
[29/Dec/2008:23:12:29 +0100] xU3lkMMYTucAAGNDUFwAAAAY 85.114.141.195 2703 195.24.78.232 80
--b1820656-B--
GET /phpmyadmin/main.php HTTP/1.0
Host: 195.24.78.232

The rule "Host header is a numeric IP address" obviously matches and the audit action is generated.

The above IP 85.114.141.195 appears in my log 304 times, and the log is 24 hours old!
Also, the other IP 195.24.78.232 is the IP of one of the local ifaces.

My question is: what might the above mean? Is it necessarily a malicious act (e.g. 85.114.141.195 is an open proxy and many people connect through it trying to fetch phpmyadmin, which btw does not exist), or could it be something else normal? Does this IP sound familiar to you?

I thank you so much again for your help and wish you all a healthy and happy new year!

Best Regards
Ioannis

On Tue, Dec 30, 2008 at 4:16 PM, Ivan Ristic <ivan.ristic@gmail.com> wrote:
Hi,

On Tue, Dec 30, 2008 at 1:59 PM, Ioannis Angelopoulos <itxgrp@gmail.com> wrote:
> Dear All,
>
> Greetings from Greece. I am a newbie in mod_security 2.x so please bear with
> me...
> I am trying to understand in detail the different audit log parts.
> For example in my log file I have:
>
> --b1820656-A--
> [29/Dec/2008:23:12:29 +0100] xU3lkMMYTucAAGNDUFwAAAAY 85.114.141.195 2703
> 197.24.69.139 80
>
> What do all these parts mean? What are the two IP addresses, and what does the
> number between them represent?

The tokens on that line are as follows:
 1. Timestamp
 2. Unique transaction ID
 3. Remote IP address
 4. Remote port
 5. Local IP address
 6. Local port
> I tried to search for it in the manual but all it says is that the A part is
> the audit log header and that is mandatory. It also explains the
> --b1820656-A-- part but not what is inside (at least I could not find it).
>
> Is there any extensive documentation on the log format, what the different
> parts mean and whether we can modify them?

Yes, there is. I updated that part of the documentation just a few
weeks ago. It's a separate document and is available in the
repository:

http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/doc/modsecurity2-data-formats.xml?revision=1250

I imagine it will be available as a PDF in one of the future releases.
> It is very important for me as some IPs are asking for some weird things
> from my server.
>
> I thank you all so much for your help
>
> Best regards to all
> Ioannis
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
>
--
Ivan Ristic
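As an added example (not ModSecurity's own code and not from anyone in this thread), here is a small parser for the serial audit-log layout discussed above: it splits the log at the `--id-X--` boundaries, reads the six part A tokens Ivan lists, and, for the question about the "Host header is a numeric IP address" rule, counts hits per remote IP and lists the transactions whose Host header is a bare IP. The sample log is constructed from the excerpt in the thread; the second and third boundary IDs, transaction IDs and timestamps are made up.

```python
import re
from collections import Counter
SAMPLE_LOG = """--b1820656-A--
[29/Dec/2008:23:12:29 +0100] xU3lkMMYTucAAGNDUFwAAAAY 85.114.141.195 2703 195.24.78.232 80
--b1820656-B--
GET /phpmyadmin/main.php HTTP/1.0
Host: 195.24.78.232

--c0ffee01-A--
[29/Dec/2008:23:20:11 +0100] zU3lkMMYTucAAGNDUFwAAAA0 85.114.141.195 2710 195.24.78.232 80
--deadbe02-A--
[29/Dec/2008:23:25:40 +0100] wU3lkMMYTucAAGNDUFwAAAA1 10.0.0.7 51000 195.24.78.232 80
--deadbe02-B--
GET /index.html HTTP/1.1
Host: www.example.com
"""  # constructed sample in the serial layout quoted in the thread; 2nd entry has no part B
BOUNDARY_RE = re.compile(r"^--(?P<id>[0-9a-f]+)-(?P<part>[A-Z])--$", re.M)
PART_A_FIELDS = ("timestamp", "txid", "remote_ip", "remote_port", "local_ip", "local_port")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")  # bare IPv4, optional :port

def parse_part_a(line):
    """Part A line: '[timestamp] txid remote_ip remote_port local_ip local_port'."""
    ts_end = line.index("]")  # the timestamp contains a space, so split after the bracket
    tokens = [line[1:ts_end]] + line[ts_end + 1:].split()
    if len(tokens) != 6: raise ValueError("malformed part A line: %r" % line)
    return dict(zip(PART_A_FIELDS, tokens))

def parse_audit_log(text):
    """Group the serial log into transactions: {boundary id: {part letter: body}}."""
    marks, txns = list(BOUNDARY_RE.finditer(text)), {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        txns.setdefault(m.group("id"), {})[m.group("part")] = text[m.end():end].strip("\n")
    return txns

def host_header(part_b):
    """Host header value from a part B block (request line comes first), or None."""
    hdrs = (ln.partition(":") for ln in part_b.splitlines()[1:])
    return next((v.strip() for n, _, v in hdrs if n.strip().lower() == "host"), None)

def summarize(text):
    """Hits per remote IP, plus transactions whose Host header is a numeric IP."""
    per_ip, numeric_host = Counter(), []
    for parts in parse_audit_log(text).values():
        a = parse_part_a(parts["A"])
        per_ip[a["remote_ip"]] += 1
        host = host_header(parts.get("B", ""))
        if host and IPV4_RE.match(host):
            numeric_host.append((a["txid"], a["remote_ip"], host))
    return per_ip, numeric_host
```

Run `summarize(open("modsec_audit.log").read())` against a real serial-format log to get the per-IP counts the thread asks about, rather than grepping by hand.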