Hi Breno,

 

> Just added the new variable SDBM_DELETE_ERROR. Could you download the
> trunk, test and give feedback if it is OK?
>

I've noticed that this variable made it to the stable version 2.7.4. I am running
ModSecurity for Apache/2.7.5 and I also received a "Failed deleting collection"
error last night. How can the SDBM_DELETE_ERROR variable help us now to
troubleshoot this error?

 

Here is the full audit log entry from last night (IP addresses, Cookies, Paths and URLs obfuscated):

 

--781f7f7b-A--
[04/Sep/2013:07:19:49 +0000] UibfDQoABSYAAVbdyBMAAAB5 81.XXX.XXX.XXX 61085 10.XXX.XXX.XXX 80
--781f7f7b-B--
GET /XXXXXXX/XXXXXX-XXXXXX-XXXXX-XXXXX/XXXXXXXX.exe HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: sv
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Accept-Encoding: gzip, deflate
Cookie: cbsession2=XXXXXXXXXX; cbsession1=XXXXXXXXXXXXXXX; p0=XXXXXXXXXXX
Connection: Keep-Alive
Host: XXXXXXXXXXXX.com

--781f7f7b-F--
HTTP/1.1 200 OK
X-Robots-Tag: noarchive, nofollow, noindex
Content-Disposition: attachment; filename="XXXXXXXXXX.exe"
Last-Modified: Fri, 23 Aug 2013 07:41:04 GMT
Accept-Ranges: bytes
Content-Length: 5034840
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

--781f7f7b-E--

--781f7f7b-H--
Message: collection_retrieve_ex: Failed deleting collection (name "ip", key "81.XXX.XXX.XXX_42964ef86cc3b1cc0b86e555f242ce565a9c7141"): Internal error
Stopwatch: 1378279181521039 7637108 (- - -)
Stopwatch2: 1378279181521039 7637108; combined=35935, p1=35675, p2=12, p3=2, p4=2, p5=138, sr=35601, sw=106, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/); cb mod_sec ruleset/1.0.1.
Server: Apache
Engine-Mode: "ENABLED"

--781f7f7b-K--
SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,status:500,auditlog,id:1001,t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"

SecRule "&TX:REAL_IP" "@eq 0" "phase:1,status:500,auditlog,id:1004,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"

SecAction "phase:1,status:500,auditlog,t:none,id:1000,nolog,pass,setvar:tx.remote_addr=/%{REMOTE_ADDR}/"

SecRule "SCRIPT_FILENAME" "@rx /www/XXXXXXXX/XXXXXXXXX/XXXXXXXXXXX/XXXXXXXXXXX.php" "phase:5,status:500,auditlog,chain,t:none,nolog,pass,id:2001,severity:INFO,tag:DoS,setvar:IP.dos_counter=+1,expirevar:IP.dos_counter=60"
#SecRule "IP:dos_counter" "@gt 100" "t:none,setvar:IP.dos_block,setvar:!IP.dos_counter,expirevar:IP.dos_block=60"


--781f7f7b-Z--

 

Let me know what I can do next to troubleshoot this.

 

 

Thanks

Winfried
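
An added example, not part of the original message and not ModSecurity code: a small Python triage script that splits a serial audit log into its A..Z parts, pulls every "Failed deleting collection" message out of part H, and checks whether the collection key follows the `%{remote_addr}_%{tx.ua_hash}` scheme set up by rules 1001 and 1004 above. The function names and the sample entry are assumptions constructed for illustration.

```python
import hashlib
import re

BOUNDARY = re.compile(r"^--[0-9a-f]{8}-([A-Z])--$")
FAILED = re.compile(r'Failed deleting collection \(name "([^"]+)", key "([^"]+)"\)')

def split_entries(text):
    """Yield {section letter: [non-empty lines]} per audit log entry (A..Z)."""
    entry, letter = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BOUNDARY.match(line)
        if m:
            letter = m.group(1)
            if letter == "A":
                entry = {}            # part A opens a new entry
            if entry is not None and letter == "Z":
                yield entry           # part Z closes it
                entry = None
            elif entry is not None:
                entry[letter] = []
        elif entry is not None and line:
            entry[letter].append(line)

def failed_deletes(text):
    """One record per 'Failed deleting collection' message in part H."""
    records = []
    for e in split_entries(text):
        ua = next((l.split(":", 1)[1].strip() for l in e.get("B", [])
                   if l.lower().startswith("user-agent:")), None)
        # Rules 1001/1004 build the key as <remote_addr>_<sha1 hex of User-Agent>.
        ua_hash = hashlib.sha1(ua.encode("latin-1")).hexdigest() if ua else None
        stamp, _, rest = e["A"][0].partition("] ")
        for line in e.get("H", []):
            m = FAILED.search(line)
            if m:
                records.append({"when": stamp.lstrip("["), "txid": rest.split()[0],
                                "collection": m.group(1), "key": m.group(2),
                                "key_matches_ua": bool(ua_hash) and m.group(2).endswith("_" + ua_hash)})
    return records

# Constructed sample entry (documentation IP, made-up transaction id and User-Agent).
UA_SAMPLE = "ExampleAgent/1.0"
SAMPLE = "\n".join([
    "--aaaaaaaa-A--", "[01/Jan/2024:00:00:00 +0000] TXIDEXAMPLE0000000000000 192.0.2.10 40000 192.0.2.1 80",
    "--aaaaaaaa-B--", "GET /download.bin HTTP/1.1", "User-Agent: " + UA_SAMPLE, "",
    "--aaaaaaaa-H--", 'Message: collection_retrieve_ex: Failed deleting collection (name "ip", key "192.0.2.10_'
    + hashlib.sha1(UA_SAMPLE.encode()).hexdigest() + '"): Internal error',
    "--aaaaaaaa-Z--", ""])
```

Calling `failed_deletes()` on the contents of a real audit log file gives one record per failed delete, which makes it easy to see whether the errors cluster on a few keys or on particular times.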