Ha… Voodoo indeed.  Yeah, I have my Apache admin trouble-shooting cheat sheet pinned up here in my office.  Step 4 is to shutdown/restart, while Step 5 entails some chanting and burning the lint ball that I cleaned off my computer screen in a sacrifice to the Apache Gods :)

Seriously though, perhaps you did a “graceful” restart instead of just a “restart”?  With graceful, your existing Apache child processes would not re-read the config settings until after they processed their requests.  This means that if you are the only one testing Apache and you aren’t receiving any other traffic, you may end up with a mix of httpd child processes with different configs.

Glad to hear it is working.

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache


From: Frank Misa [mailto:frankmisa@hotmail.com]
Sent: Wednesday, June 27, 2007 1:29 PM
To: Ryan Barnett; mod-security-users@lists.sourceforge.net; Christian Bockermann
Subject: RE: [mod-security-users] Basic help interpreting concurrent log file format


VOODOO I Tell you....

I've cleared the logs, restarted the server and now I'm getting the expected meta-data links in the index log file:
See attached.....

The only thing I think can explain this is a failure to restart the apache/modsecurity2 service after changing configuration.
I know I restarted -- but in any case -- this part of it seems to be working now....

Thanks very much...
Frank




Subject: RE: [mod-security-users] Basic help interpreting concurrent log file format
Date: Wed, 27 Jun 2007 12:57:47 -0400
From: Ryan.Barnett@Breach.com
To: frankmisa@hotmail.com; mod-security-users@lists.sourceforge.net; chris@jwall.org

The attached log file is in the Serial format.  Verify your SecAuditLogType directive to ensure that it is set to Concurrent.


From: Frank Misa [mailto:frankmisa@hotmail.com]
Sent: Wednesday, June 27, 2007 12:52 PM
To: Ryan Barnett; mod-security-users@lists.sourceforge.net; Christian Bockermann
Subject: RE: [mod-security-users] Basic help interpreting concurrent log file format

Hi Ryan,

Looks like audit payload info? But that's all I see....
Attached is a snippet from my index file (the rest of the log is similar)..... Does it look right to you?

From: modsec_audit.log
See attached text file...

Thanks
Frank


Subject: RE: [mod-security-users] Basic help interpreting concurrent log file format
Date: Wed, 27 Jun 2007 12:43:38 -0400
From: Ryan.Barnett@Breach.com
To: frankmisa@hotmail.com; mod-security-users@lists.sourceforge.net; chris@jwall.org

When you switch to Concurrent logging, the index file should only contain meta-data pointers to the actual log files.  The entries should look similar to this –

www.bankdemo.com 127.0.0.1 - - [07/Mar/2007:10:23:36 --0500] "POST /Bloan.asp HTTP/1.1" 404 207 "-" "-" xjcud8CoD4QAAESBlSMAAAAB "-" /20070307/20070307-1023/20070307-102336-xjcud8CoD4QAAESBlSMAAAAB 0 1338 md5:0e4efefe9572c40afade998e3a24afa8

If you are seeing data like this in the index file, then you are still using Serial logging –

Or was it the actual audit payload of the audit log like this -

--f2516a06-A--
[07/Mar/2007:10:23:36 --0500] xjcud8CoD4QAAESBlSMAAAAB 127.0.0.1 50346 127.0.0.1 80
--f2516a06-B--
POST /Bloan.asp HTTP/1.1
Host: www.bankdemo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.bankdemo.com/Bloanapp.asp
Cookie: ASPSESSIONIDQQCSRARS=GJPFMJACONFJCJNGKGLIOLPN; sessid=
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

--f2516a06-C--
FullName=&DOB=&HomeAddress=&HomePhone=&SSN=%60+or+%601%60%3D%601&DLN=&LoanAmount=&LoanDescription=&submit.x=108&submit.y=5
--f2516a06-F--
HTTP/1.1 404 Not Found
Content-Length: 207
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--f2516a06-H--
Apache-Error: [file "core.c"] [line 3612] [level 3] File does not exist: /usr/local/apache/htdocs/Bloan.asp, referer: http://www.bankdemo.com/Bloanapp.asp
Stopwatch: 1173281016589943 165300 (22480* 161003 -)
Producer: ModSecurity v2.1.0 (Apache 2.x)
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7f DAV/2

--f2516a06-Z--


From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Frank Misa
Sent: Wednesday, June 27, 2007 12:25 PM
To: mod-security-users@lists.sourceforge.net; Christian Bockermann
Subject: Re: [mod-security-users] Basic help interpreting concurrent log file format


Thanks Chris,

I've installed cygwin - so I have the unix grep/awk/sed toolset available;  thanks for the suggestion.
http://www.cygwin.com/

I'd expect the main log file then to be an "index" into the individual log files being accumulated in the subdirectories....

But the index log file headings:
--29000000-A--
...

--be180000-A--
...
etc. etc.


They don't seem to be related to the individual log files in a one-to-one relationship?

Thanks for pointing out the 'H' section with "id" value -- right under my nose :(

Cheers
Frank


> From: chris@jwall.org
> Subject: Re: [mod-security-users] Basic help interpreting concurrent log file format
> Date: Wed, 27 Jun 2007 16:48:13 +0200
> To: frankmisa@hotmail.com
>
> The format of audit-logs is completely different in 2.x.
> Each event is divided into sections that have a special meaning.
> Like A for audit-header holding tcp-info for example. A rule that
> fires and has an auditlog-action with it will result in the
> message being printed in the H-section, prefixed with "Message: "
>
> This is where the rule-id will be printed, too (as far as the
> rule defines an id).
>
> On unix you could simply grep for these messages using
>
> find /path/to/audit-log/ -type f -exec grep -H 'Message' {} \;
>
> This will reveal all messages associated with an event. The id
> of a rule will be printed as
>
> Message: ... [ id "123" ]
>
> So you could track this down a little bit using
>
> find /path/to/audit-log/ -type f -exec grep -H '[ id "' {} \;
>
> for example. But this is all on unix. Might not be that simple
> on windows.
>
> Regards,
> Chris
>
>
>
> Am 27.06.2007 um 16:34 schrieb Frank Misa:
>
> > Hi All,
> >
> > I hate asking another newbie question -- but I really need to make
> > up lost time...
> > Hope someone can help me... this is so fundamental -- it should be
> > a no brainer for users on this forum.
> >
> > I'd like to parse log files for unique_id of rules being violated
> > -- and then use this information to refine the core rule set being
> > used.
> >
> > I have configured my modsecurity2 instance for concurrent logging:
> > >>SecAuditLogType Concurrent
> > >>SecAuditLog logs/modsec_audit.log
> > >>SecAuditLogStorageDir C:/apache/logs/modSecurity/audit
> > >>SecAuditLogParts "ABCDEFGHZ"
> >
> > The online documentation suggests that each transaction is logged
> > in its own file -- according to the following format:
> > See: http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/07-logging.html
> > Note: The documentation for v2.1.x does not give much detail on log
> > file format -- just directive meaning and configuration....
> >
> > I've attached a sample log file (with some IPs cleansed to
> > xxx.xxx.xxx.xxx) and screenshots as well -- where are the rule
> > unique_id etc. being logged ? Where is the modsecurity2 concurrent
> > log file format documented ? Assuming I'm not using
> > ModsecurityConsole -- how does one interpret this log information
> > and adjust rule-set accordingly for false positives ?
> >
> > I can't find anything like the following in any of my log files.
> > Has the format changed so much between 1.9.3 -- and the version I'm
> > using 2.1.x ?
> > >> The line begins with a "vcombined" log format, but it then adds
> > the following fields:
> >
> > unique_id
> > session_id (not used at this time)
> > filename
> > offset
> > size
> > hash of the audit log entry (MD5 hash used at this time)
> >
> > Hope to hear from someone soon....
> > Thanks
> > Frank
> >
> > <logsPic1.jpg>
> > <logsPic2.jpg>
> > <20070619-125912-O4wcMawQAqYAAARIw2MAAAD2.txt>
>


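A small parser for the two things the thread is about: the Concurrent index line Ryan shows (vcombined fields plus unique_id, session_id, filename, offset, size and hash) and the lettered audit entry whose H section carries the "Message: ... [id "..."]" lines Chris describes. This is an added example, not code from the list or from ModSecurity; the function names are mine, and SAMPLE_ENTRY and its Message: line are constructed from the thread's sample rather than taken from a real log.

```python
import re
# Index line (see thread): vcombined fields, then unique_id, session_id, filename, offset, size, hash.
INDEX_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<agent>[^"]*)" (?P<unique_id>\S+) "(?P<session_id>[^"]*)" '
    r'(?P<filename>\S+) (?P<offset>\d+) (?P<size>\d+) (?P<hash>\S+)$')
SECTION_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$')  # e.g. --f2516a06-H--
RULE_ID_RE = re.compile(r'\[\s*id\s+"(\d+)"\s*\]')     # [id "123"] inside a Message: line

def parse_index_line(line):
    """Fields of an index line as a dict (status/offset/size as ints), else None."""
    m = INDEX_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in ("status", "offset", "size")})
    return rec

def classify_main_log(text):
    """'concurrent' if SecAuditLog holds index lines, 'serial' if it holds full entries."""
    for line in text.splitlines():
        if INDEX_RE.match(line):
            return "concurrent"
        if SECTION_RE.match(line):
            return "serial"
    return "unknown"

def split_sections(entry_text):
    """Split one audit entry into its lettered parts (A, B, C, F, H, Z, ...)."""
    parts, current = {}, None
    for line in entry_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            parts[current] = []
        elif current is not None:
            parts[current].append(line)
    return {k: "\n".join(v).strip() for k, v in parts.items()}

def rule_ids(entry_text):
    """Rule ids from the 'Message:' lines of section H, the ids to tune the rule set with."""
    h_lines = split_sections(entry_text).get("H", "").splitlines()
    return [i for ln in h_lines if ln.startswith("Message:") for i in RULE_ID_RE.findall(ln)]

# Constructed entry modelled on the thread's sample; the Message: line is hypothetical.
SAMPLE_ENTRY = """--f2516a06-A--
[07/Mar/2007:10:23:36 --0500] xjcud8CoD4QAAESBlSMAAAAB 127.0.0.1 50346 127.0.0.1 80
--f2516a06-H--
Message: Warning. Pattern match "or" at ARGS:SSN. [id "123"] [msg "constructed example"]
--f2516a06-Z--"""
```

Running classify_main_log over the main SecAuditLog file answers Ryan's Serial-versus-Concurrent question directly, and rule_ids over each per-transaction file in SecAuditLogStorageDir gives the list of rule ids Frank wanted for tuning.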