Re: [mod-security-users] binary data in log
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-11-08 16:46:00
Nick,

Two questions for you -

1) What is your concern with binary data? Are you concerned about it interacting with your audit log viewer?

2) What do you have the SecAuditEngine set to? Is it set to On? Are you audit logging everything? Assuming that you have this set to On, then it doesn't really matter if these requests trigger another rule or not, you would still create an audit log entry. So, in this scenario, you could create the following rule to run in phase:5 (logging) to remove the request body portion of the request just prior to creating the actual audit log file -

SecRule REQUEST_HEADERS:Content-Type "application/vnd.svn-svndiff" "phase:5,t:none,pass,ctl:auditLogParts=-C"

Keep in mind, however, that there is a potential for log evasions here. All of the rules would still work and block, etc... but the audit log would not report any data in the request body portions of the logs. Really this just makes it a bit more difficult to validate rules that trigger on the request body/ARGS data.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

--[ Upcoming Webcast - WASC Honeypot Update ]--
Wed, November 14th - 8:30 am, Pacific DT
http://www.breach.com/resources/webinars.html

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Nick Gearls
> Sent: Thursday, November 08, 2007 10:34 AM
> To: mod...@li...
> Subject: [mod-security-users] binary data in log
>
> I found the following problem in 2.1.2: binary body (Content-Type:
> application/vnd.svn-svndiff) is inserted in the log as binary.
> How to fix this ?
> Do we have to add the mime-type in the conf file ?
>
> The log follows
>
> Thanks,
>
> Nick
>
>
> --6737550c-B--
> PUT /svn/Arval/!svn/wrk/a946b5e8-3c7f-314d-b962-5e92a76d6aa9/docs/docroot/technical%20design/common/model/Model%20attribute%20details.xls HTTP/1.1
> Host: ...
> User-Agent: SVN/1.4.5 (r25188) neon/0.26.3
> Connection: TE
> TE: trailers
> Content-Type: application/vnd.svn-svndiff
> X-SVN-Base-Fulltext-MD5: df09846402049fc5f2a39350cf54f13a
> X-SVN-Result-Fulltext-MD5: bd85833c18dc7ae9b80f3f49f2e0174b
> Content-Length: 59648
> Authorization: Basic bWFuaXJhamEucjphcm1hbmkzMw==
>
> --6737550c-C--
> SVN {binary data}
>
> --6737550c-F--
> HTTP/1.1 204 No Content
> Content-Length: 0
> Content-Type: text/plain
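An added example, not from the thread or from ModSecurity itself: a small parser for the serial audit log format Nick pasted (entries split into their lettered parts by `--<id>-<letter>--` boundaries) that flags entries whose part C looks binary and reports the declared Content-Type. A viewer that does this can hex-dump or skip such bodies on display, which keeps the evidence that `ctl:auditLogParts=-C` would discard. The sample log, its entry ids, hosts and the svndiff-like bytes are constructed; the binary heuristic (NUL byte or more than 5% non-text bytes) is an assumption.

```python
import re

# Constructed sample: two serial-format audit log entries modelled on the one in the
# thread (parts A and others omitted). Ids, hosts and the svndiff-like bytes are made up.
SAMPLE_LOG = (
    b"--6737550c-B--\nPUT /svn/repo/!svn/wrk/some-id/file.xls HTTP/1.1\n"
    b"Host: svn.example.test\nContent-Type: application/vnd.svn-svndiff\n"
    b"--6737550c-C--\nSVN\x00\x01\x02\xff\xfe\x80binary\n"
    b"--6737550c-F--\nHTTP/1.1 204 No Content\n--6737550c-Z--\n"
    b"--deadbeef-B--\nPOST /login HTTP/1.1\nHost: www.example.test\n"
    b"Content-Type: application/x-www-form-urlencoded\n"
    b"--deadbeef-C--\nuser=alice&pass=secret\n--deadbeef-Z--\n"
)

# Part boundary as the serial audit logger writes it: --<entry id>-<part letter>--
PART_RE = re.compile(rb"^--([0-9a-f]+)-([A-Z])--\r?\n", re.M)

def parse_entries(log: bytes) -> dict:
    """Group the log into {entry_id: {part_letter: raw bytes of that part}}."""
    entries = {}
    markers = list(PART_RE.finditer(log))
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(log)
        entries.setdefault(m.group(1).decode(), {})[m.group(2).decode()] = log[m.end():end]
    return entries

def looks_binary(data: bytes, threshold: float = 0.05) -> bool:
    """Binary if a NUL byte is present or more than `threshold` of the bytes are non-text."""
    if b"\x00" in data:
        return True
    textual = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # printable ASCII + tab/LF/CR
    return bool(data) and sum(b not in textual for b in data) / len(data) > threshold

def content_type(part_b: bytes) -> str:
    """Return the Content-Type header from part B (the request line is skipped)."""
    for line in part_b.split(b"\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            return value.strip().decode(errors="replace")
    return ""

def flag_binary_bodies(log: bytes) -> dict:
    """Per entry: declared Content-Type, whether part C looks binary, and its byte count."""
    report = {}
    for entry_id, parts in parse_entries(log).items():
        body = parts.get("C", b"")
        report[entry_id] = {"content_type": content_type(parts.get("B", b"")),
                            "binary_body": looks_binary(body), "body_bytes": len(body)}
    return report
```

Running `flag_binary_bodies` over a real serial log marks the svndiff PUT as binary while leaving the form POST readable, so only the flagged bodies need special handling in the viewer.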