Re: [mod-security-users] Logging
From: Marc S. <mar...@ap...> - 2008-06-06 07:54:26
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
You're right, I tested with an empty file :-(<br>
<br>
The following is working correctly:<br>
SecRule FILES "\.conf$" "chain,capture,setvar:tx.pattern=%{TX.0},msg:'Invalid filename <%{TX.fname}>, pattern=<%{TX.pattern}>'"<br>
SecRule FILES "^.+$" "capture,setvar:tx.fname=%{TX.0}"<br>
<br>
It only adds filenames that trigger an error.<br>
<div class="moz-signature"><span style="color: black;"><br>
<b><i>Marc Stern</i></b><br>
Senior Consultant - Security Group Head<br>
Approach Belgium - <a href="http://www.approach.be">http://www.approach.be</a></span></div>
<br>
Ivan Ristic wrote:
<blockquote cite="mid:1f9...@ma..." type="cite">
<pre wrap="">How does that help? I can see that you are reconfiguring audit logging to log the original content (part C), but wouldn't that get the entire files?

As an alternative, you can try something like:

SecRule FILES "(^.+$)" "log,pass,capture,msg:'Filename %{TX.1}'"

The logged messages should contain files' names. But this is better solved on the ModSecurity level.

On Thu, Jun 5, 2008 at 2:36 PM, Marc Stern <a class="moz-txt-link-rfc2396E" href="mailto:mar...@ap..."><mar...@ap...></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">You can solve the problem by adding the following to your filtering directive:
"ctl:auditLogParts=-I,ctl:auditLogParts=+C"

Ex: SecRule FILES "\.conf$" "phase:2,ctl:auditLogParts=-I,ctl:auditLogParts=+C"

--
Marc Stern
Senior Consultant - Security Group Head
Approach Belgium - <a class="moz-txt-link-freetext" href="http://www.approach.be">http://www.approach.be</a>
</pre>
<blockquote type="cite">
<pre wrap="">In order to not have complete files (binary) in my log, I use "SecAuditLogParts ABIFHZ"; I do not log the "C" part, as it contains the file content.

However, when doing this, I do not see the uploaded file name in the log, like with "C":

Content-Disposition: form-data; name="userfile"; filename="..."
Content-Type: application/msword

Wouldn't it be a good idea to add these two lines in the "I" part? Is there any work-around?
</pre>
</blockquote>
<pre wrap="">_______________________________________________
mod-security-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mod...@li...">mod...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/mod-security-users">https://lists.sourceforge.net/lists/listinfo/mod-security-users</a>
</pre>
</blockquote>
</blockquote>
</body>
</html>
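As an added illustration (not code from this thread or from ModSecurity), the Python below parses a constructed multipart/form-data body and keeps only what the Content-Disposition and Content-Type lines of part C carry (form field, filename, declared type, size), never the file content, and then emits one message in the shape of the chain's msg: action only for filenames matching `\.conf$`, which is the behaviour the working rule pair above has. The sample body, boundary and function names are assumptions made for the example.

```python
import re
from email import message_from_bytes

# Constructed multipart/form-data body (not taken from the thread): two uploads,
# of which only the second matches the "\.conf$" pattern used in the rule chain.
BOUNDARY = "----constructed-boundary-1234"
SAMPLE_BODY = (
    "------constructed-boundary-1234\r\n"
    'Content-Disposition: form-data; name="userfile"; filename="report.doc"\r\n'
    "Content-Type: application/msword\r\n\r\n"
    "\xd0\xcf\x11\xe0 document bytes that must stay out of the audit log\r\n"
    "------constructed-boundary-1234\r\n"
    'Content-Disposition: form-data; name="userfile"; filename="httpd.conf"\r\n'
    "Content-Type: text/plain\r\n\r\n"
    "ServerName secret.internal\r\n"
    "------constructed-boundary-1234--\r\n"
).encode("latin-1")

# The regex the first rule in the chain applies to FILES.
INVALID_NAME = re.compile(r"\.conf$")


def upload_metadata(body: bytes, boundary: str) -> list:
    """Header-level facts of each file part (the lines part C carries), never its content."""
    # The stdlib email parser handles multipart/form-data once given a Content-Type with the boundary.
    raw = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'.encode() + body
    msg = message_from_bytes(raw)
    parts = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename is None:  # the container itself or a plain form field
            continue
        content = part.get_payload(decode=True) or b""
        parts.append({
            "field": part.get_param("name", header="content-disposition"),
            "filename": filename,
            "content_type": part.get_content_type(),
            "size": len(content),
        })
    return parts


def audit_messages(parts: list) -> list:
    """Mirror the chain: one msg-shaped line per filename matching INVALID_NAME, nothing else."""
    messages = []
    for p in parts:
        m = INVALID_NAME.search(p["filename"])
        if m:
            messages.append(f"Invalid filename <{p['filename']}>, pattern=<{m.group(0)}>")
    return messages
```

Running `audit_messages(upload_metadata(SAMPLE_BODY, BOUNDARY))` yields a single line for httpd.conf and nothing for report.doc, and the summary dictionaries carry sizes but none of the uploaded bytes.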