Re: [Mod-security-developers] mlogc-batch-load rex problem in section A
From: Breno S. <bre...@gm...> - 2012-01-02 16:22:42
Created MODSEC-282

On Mon, Jan 2, 2012 at 9:57 AM, Breno Silva <bre...@gm...> wrote:
> Hi Ebrahim,
>
> Thanks for your feedback. There was a problem in ModSecurity timestamp
> math and it was changed in 2.6.3.
>
> Any chance you send me a patch?
>
> Thanks
>
> Breno
>
> On Mon, Jan 2, 2012 at 9:41 AM, Ebrahim Khalilzadeh <kha...@au...> wrote:
>>
>> Hi,
>> Due to some problems about piping mlogc with Apache, I decided to use
>> mlogc-batch-load.pl on crontab. I installed modsecurity-apache_2.6.2 and
>> it works correctly and generates audit log files like this:
>>
>> --3f82651b-A--
>> [01/Jan/2012:15:11:28 +031800] 8lbP5n8AAAIAABL0J7gAAAAD 172.20.125.77 22409 172.20.125.126 80
>> --3f82651b-B--
>> GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1
>>
>> Then I ran mlogc-batch-load.pl, which couldn't send audit logs to
>> AuditConsole and generated errors like this:
>>
>> [Mon Jan 02 17:41:33 2012] [2] [28961/80d4e50] Invalid entry (failed to match regex): waf - - - - \"GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1\" 500 602 \"-\" \"-\" - \"-\" /20120102/20120102-1714/20120102-171401-xm8Xqn8AAAIAAG9lIs8AAAAD 0 1653 md5:e7fe62f1bf231a6993e5623a7b872b61
>>
>> I installed modsecurity-apache_2.6.3 and it generated audit log files
>> like this:
>>
>> --cc123a05-A--
>> [02/Jan/2012:17:14:01 +0330] xm8Xqn8AAAIAAG9lIs8AAAAD 172.20.125.77 36872 172.20.125.126 80
>> --cc123a05-B--
>> GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1
>>
>> I ran mlogc-batch-load.pl and the same error was generated.
>>
>> I found out mlogc-batch-load.pl couldn't parse these audit logs correctly,
>> and fortunately I could find the line that has this problem, which is:
>>
>> if ($sect eq 'A') {
>>     if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {
>>
>> The regular expression for matching my audit logs is not correct. My
>> audit logs have a time field like [01/Jan/2012:15:11:28 +031800] for
>> v2.6.2 and [02/Jan/2012:17:14:01 +0330] for v2.6.3, and neither of them
>> can match \[[-\d/: a-zA-Z]{27}\]. I changed the above line to the one below
>> and the audit logs were sent correctly:
>>
>> if ($sect eq 'A') {
>>     #if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {
>>     if ($line =~ m%^(\[[^:]+:\d+:\d+:\d+ [^\]]+\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {
>>
>> Is it a bug in the mlogc-batch-load.pl file or a problem in my system
>> date/time?!
>>
>> Best Regards,
>> khalilzadeh
>>
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
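The following is an added example, not part of the thread or of the mlogc-batch-load.pl script, that reproduces the section-A parsing problem described above: the original regex demands exactly 27 characters inside the brackets from a class that does not even contain `+`, so it rejects both the 2.6.2 (`+031800`) and the 2.6.3 (`+0330`) timestamps, while the replacement regex from the thread accepts them. The Perl patterns are used unchanged under Python's `re`, which supports the same syntax here. The negative-offset sample line, its unique id and addresses, and the stricter `STRICT_RE` pattern are constructed for illustration and are assumptions, not something the thread or the script contains.

```python
import re

# Section-A regex as it appears in mlogc-batch-load.pl (quoted in the thread).
# Note: the character class allows '-' but not '+', and {27} fixes the width.
OLD_RE = re.compile(r'^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)')

# Replacement proposed in the thread: any date text, H:M:S, then anything up to ']'.
NEW_RE = re.compile(r'^(\[[^:]+:\d+:\d+:\d+ [^\]]+\]) (\S+) (\S+) (\d+) (\S+) (\d+)')

# Assumed stricter alternative (not from the thread): same fields, but the
# timestamp must look like an Apache log date with a signed 4- to 6-digit offset,
# so arbitrary bytes before ']' are no longer accepted.
STRICT_RE = re.compile(
    r'^(\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4,6}\]) '
    r'(\S+) (\S+) (\d+) (\S+) (\d+)'
)

# Section-A lines taken verbatim from the thread (2.6.2 and 2.6.3 formats).
SAMPLE_262 = "[01/Jan/2012:15:11:28 +031800] 8lbP5n8AAAIAABL0J7gAAAAD 172.20.125.77 22409 172.20.125.126 80"
SAMPLE_263 = "[02/Jan/2012:17:14:01 +0330] xm8Xqn8AAAIAAG9lIs8AAAAD 172.20.125.77 36872 172.20.125.126 80"
# Constructed sample with a negative UTC offset (addresses and id are made up).
SAMPLE_NEG = "[02/Jan/2012:08:44:01 -0500] constructedUniqueId0000 10.0.0.5 40001 10.0.0.9 443"

FIELDS = ("timestamp", "unique_id", "client_ip", "client_port", "server_ip", "server_port")


def parse_section_a(line, pattern=NEW_RE):
    """Return the six section-A fields as a dict, or None if the line does not match."""
    m = pattern.match(line)
    if not m:
        return None
    return dict(zip(FIELDS, m.groups()))


def bracket_length(line):
    """Number of characters between the leading '[' and the first ']'.

    The original regex only matches when this is exactly 27; the 2.6.2 format
    has 28 and the 2.6.3 format has 26, so the width alone rules both out.
    """
    return line.index(']') - 1


def match_matrix(lines=(SAMPLE_262, SAMPLE_263, SAMPLE_NEG)):
    """For each sample line, report which of the three patterns accepts it."""
    table = {}
    for line in lines:
        table[line] = {
            "old": parse_section_a(line, OLD_RE) is not None,
            "new": parse_section_a(line, NEW_RE) is not None,
            "strict": parse_section_a(line, STRICT_RE) is not None,
        }
    return table


if __name__ == "__main__":
    for line, result in match_matrix().items():
        print(f"{line[:30]:32} old={result['old']!s:5} new={result['new']!s:5} strict={result['strict']}")
    print(parse_section_a(SAMPLE_263))
```

Run as a script to see that the original pattern rejects every sample while both replacements accept them; the parsed dict for the 2.6.3 line shows the fields the batch loader needs (timestamp, unique id, client and server endpoints). `STRICT_RE` is the shape a defender would prefer when the parsed values are forwarded to another system such as AuditConsole, since `[^\]]+` in the thread's fix would happily accept non-date content inside the brackets.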