Re: [mod-security-users] Logging for every transaction
From: Jonas S. <rs...@gm...> - 2012-11-14 17:31:11
I had already enabled this section, I took it out because it was logging a lot of rules. Enabling it again, below is the log in a normal transaction. Did I do something wrong in the modsecurity configuration?

--b6c9f05f-A--
[14/Nov/2012:15:13:54 --0200] UKPRUn8AAQEAAEgkA8AAAAAB 192.168.1.2 43177 192.168.1.7 80

--b6c9f05f-B--
GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1
Host: jmeter
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://jmeter/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit
Cookie: security=high; PHPSESSID=2t9johjkak3k35vuhntdpkrqk1

--b6c9f05f-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2-1ubuntu4.15
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1305
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8

--b6c9f05f-H--
Message: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: Unable to retrieve collection (name "ip", key "192.168.1.2_c0d6688b82da38d29f6f86c5af8096b8415ced47"). Use SecDataDir to define data directory first.
Apache-Handler: application/x-httpd-php
Stopwatch: 1352913234284251 25776 (- - -)
Stopwatch2: 1352913234284251 25776; combined=7151, p1=359, p2=6532, p3=4, p4=219, p5=36, sr=94, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.7.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache/2.2.14 (Ubuntu)
Engine-Mode: "ENABLED"

--b6c9f05f-K--
SecAction "phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"
SecAction "phase:1,id:900002,t:none,setvar:tx.inbound_anomaly_score_level=5,nolog,pass"
SecAction "phase:1,id:900003,t:none,setvar:tx.outbound_anomaly_score_level=4,nolog,pass"
SecAction "phase:1,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"
SecAction "phase:1,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"
SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"
SecRule "&TX:REAL_IP" "@eq 0" "phase:1,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},nolog,pass"
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,msg:'GET or HEAD Request with Body Content.',severity:2,id:960011,ver:OWASP_CRS/2.2.6,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
#SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^0?$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:1,log,chain,rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:5"
#SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^0$" "t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,t:none,block,msg:'Request Missing an Accept Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
#SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,chain,rev:1,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,t:none,block,msg:'Request Has an Empty Accept Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
#SecRule "REQUEST_HEADERS:Accept" "@rx ^$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Too many arguments in request',id:960335,severity:4,rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "&ARGS" "@gt %{tx.max_num_args}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{ rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,log,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{ rule.id }-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,id:981133,rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,id:981133,rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
SecRule "RESPONSE_BODY" "!@pm iframe" "phase:4,rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:6,id:981177,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK"
SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" "phase:4,rev:2,ver:OWASP_CRS/2.2.6,maturity:9,accuracy:9,id:981178,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"

--b6c9f05f-Z--

Thanks,
Jonas

2012/11/14 Ryan Barnett <RBa...@tr...>

> If you enable section "K" in your SecAuditLogParts config, you will be
> able to review it in the audit log to see which rule matches occurred.
> This may help to identify if there is a rule somewhere that is turning the
> SecAuditEngine to On or if another rule matches.
>
> --
> Ryan Barnett
> Lead Security Researcher
> Trustwave – SpiderLabs
>
> From: Jonas Stein <rs...@gm...>
> Date: Wednesday, November 14, 2012 11:57 AM
> To: "mod...@li..." <mod...@li...>
> Subject: [mod-security-users] Logging for every transaction
>
> Hello List!
>
> Why is every request (whether or not it is a threat) logged in the log?
> My configuration is as follows:
>
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?:04))"
> SecAuditLogParts ABJDFHZ
>
> Thanks,
> Jonas
>
>
> ------------------------------
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
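The review Ryan describes (read part K to see which rules matched, and part H for what the engine reported) can be done mechanically on the serial audit-log layout shown in the thread. The following is an added example, not code from the thread or from the ModSecurity project: a small Python parser that splits one audit entry on its `--<id>-<part>--` boundaries, pulls the `Message:` lines out of part H and the rule ids out of part K, and separates rules that carry a bare `log` action from those with `nolog`. The sample entry is constructed from the thread's log and shortened to the parts that matter here.

```python
import re

# Constructed sample in the serial audit-log layout from the thread (parts A, H, K, Z only; rule lines shortened).
SAMPLE = """--b6c9f05f-A--
[14/Nov/2012:15:13:54 --0200] UKPRUn8AAQEAAEgkA8AAAAAB 192.168.1.2 43177 192.168.1.7 80
--b6c9f05f-H--
Message: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: Unable to retrieve collection (name "ip", key "192.168.1.2_c0d6688b82da38d29f6f86c5af8096b8415ced47"). Use SecDataDir to define data directory first.
Engine-Mode: "ENABLED"
--b6c9f05f-K--
SecAction "phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,nolog,pass"
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,id:960011,block,logdata:%{matched_var},chain"
#SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^0?$" "t:none,setvar:tx.msg=%{rule.msg}"
SecRule "RESPONSE_BODY" "!@pm iframe" "phase:4,id:981177,t:none,nolog,skipAfter:END_IFRAME_CHECK"
--b6c9f05f-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")   # e.g. --b6c9f05f-K--
RULE_ID = re.compile(r"\bid:(\d+)")

def parse_audit_entry(text):
    """Split one serial-format audit entry into {part letter: [lines]}."""
    parts, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = m.group(2)
            parts[current] = []
        elif current is not None:
            parts[current].append(line)
    return parts

def messages(parts):
    """'Message:' lines from part H: rule hits and engine errors/warnings."""
    return [l[len("Message: "):] for l in parts.get("H", []) if l.startswith("Message: ")]

def matched_rule_ids(parts):
    """Ids of the rules listed in part K; chained rules ('#SecRule') carry no id."""
    return [m.group(1) for m in map(RULE_ID.search, parts.get("K", [])) if m]

def logging_rule_ids(parts):
    """Part K rules whose action list has a bare 'log' token (not nolog, not logdata)."""
    return [RULE_ID.search(l).group(1) for l in parts.get("K", [])
            if RULE_ID.search(l) and re.search(r'[",]log[,"]', l)]

def audit_summary(text):
    """What a reviewer wants from one entry: parts present, messages raised, rules that matched/logged."""
    parts = parse_audit_entry(text)
    return {"parts": "".join(parts), "messages": messages(parts),
            "matched": matched_rule_ids(parts), "logged": logging_rule_ids(parts)}
```

Run over a real entry, the "messages" list is where engine errors such as the SecDataDir ones above show up, and "logged" versus "matched" separates the rules that wrote to the log from the silent `nolog,pass` setup rules.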