Re: [mod-security-users] Logging
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Logging
|
From: Marc S. <mar...@ap...> - 2008-06-06 07:54:26
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
You're right, I tested with an empty file :-(<br>
<br>
The following is working correctly:<br>
SecRule FILES "\.conf$"
"chain,capture,setvar:tx.pattern=%{TX.0},msg:'Invalid filename
<%{TX.fname}>, pattern=<%{TX.pattern}>'" <br>
SecRule FILES "^.+$" "capture,setvar:tx.fname=%{TX.0}"<br>
<br>
It only adds filenames that trigger an error.<br>
<div class="moz-signature"><span style="color: black;"><br>
<b><i>Marc Stern</i></b><br>
Senior Consultant - Security Group Head<br>
Approach Belgium - <a href="http://www.approach.be">http://www.approach.be</a></span></div>
<br>
Ivan Ristic wrote:
<blockquote
cite="mid:1f9...@ma..."
type="cite">
<pre wrap="">How does that help? I can see that you are reconfiguring audit logging
to log the original content (part C), but wouldn't that get the entire
files?
As an alternative, you can try something like:
SecRule FILES "(^.+$)" "log,pass,capture,msg:'Filenaame %{TX.1}'"
The logged messages should contain files' names.
But this is better solved on the ModSecurity level.
On Thu, Jun 5, 2008 at 2:36 PM, Marc Stern <a class="moz-txt-link-rfc2396E" href="mailto:mar...@ap..."><mar...@ap...></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">You can solve the problem by adding the following to your filtering
directive:
"ctl:auditLogParts=-I,ctl:auditLogParts=+C"
Ex: SecRule FILES "\.conf$"
"phase:2,ctl:auditLogParts=-I,ctl:auditLogParts=+C"
--
Marc Stern
Senior Consultant - Security Group Head
Approach Belgium - <a class="moz-txt-link-freetext" href="http://www.approach.be">http://www.approach.be</a>
</pre>
<blockquote type="cite">
<pre wrap="">In order to not have complete files (binary) in my log, I use
"SecAuditLogParts ABIFHZ"; I do not log the "C" part, as it contains
the file content.
However, when doing this, I do not see the uploaded file name in the
log, like with "C":
Content-Disposition: form-data; name="userfile"; filename="..."
Content-Type: application/msword
Wouldn't it be a good idea to add these two lines in the "I" part ?
Is there any work-around ?
</pre>
</blockquote>
<pre wrap="">
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
<a class="moz-txt-link-freetext" href="http://sourceforge.net/services/buy/index.php">http://sourceforge.net/services/buy/index.php</a>
_______________________________________________
mod-security-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:mod...@li...">mod...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/mod-security-users">https://lists.sourceforge.net/lists/listinfo/mod-security-users</a>
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
</body>
</html>
|