On 4/26/06, Ivan Ristic <ivan.ristic@gmail.com> wrote:
>
> I increased the debug level to 9 and there were no error messages, just its
> normal stuff.

There should be a line that begins with "sec_exec_child: First line
from script output". Can you find it? What does it say?

> Ultimately the script will do much more than send an email, but I figure
> that's a good place to start.

I am not sure that is such a good idea. What will happen when you get
100 attacks per second? Even if you build a throttling mechanism your
box is going to have difficulties starting 100 binaries per second. :)

A safer approach is to observe the audit log entries from a single process.

Here are the results from the debug log if the level is set to 9.

[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][2] Detection phase starting (request 8288628): "GET /index.php?act=rssout&amp;id=1&/bin/davetest HTTP/1.1"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][4] Normalised REQUEST_URI: "/index.php?act=rssout&amp;id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&amp;id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&amp;id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "GET /index.php?act=rssout&amp;id=1&/bin/davetest HTTP/1.1"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&amp;id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&amp;id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&amp;id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&amp;id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&amp;id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&amp;id=1&/bin/davetest"
[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628][/index.php][9] Checking against "/index.php?act=rssout&amp;id=1&/bin/davetest"
If I run grep "sec_exec_child" modsec_debug_log, there are no results.

My reasoning is that we were recently broken into, and after going back over all the logs it became very clear that if we had just had something running to block the offenders based on mod_security's filters, we would probably not have been hacked.

What would you suggest using instead to monitor the logs?
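Ivan's suggestion above, one long-running process that reads the log instead of the web server exec'ing a script for every matching request, as an added example in Python. This is not code from the thread or from ModSecurity. It parses the debug-log line layout quoted above (timestamp, host/sid, rid, path, level, message), treats each level-2 "Detection phase starting" line as one event, and caps how many times per second the expensive action (mail, a firewall call) fires, so 100 attacks per second cost 100 regex matches rather than 100 child processes. Assumptions: the regex is derived only from the lines quoted in this message; the audit log Ivan refers to has its own layout and would need a different parser; `process_lines`, `follow`, `RateLimiter` and the limit of 10 per second are my own constructed names and values.

```python
"""Single-process ModSecurity debug-log observer with a rate cap.

Added example, not code from the thread or from ModSecurity.
"""
import re
import time
from typing import Callable, Dict, Iterable, Iterator

# Layout of the debug lines quoted in the thread:
#   [timestamp] [host/sid#N][rid#N][path][level] message
DEBUG_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'\[(?P<host>[^/\]]+)/sid#(?P<sid>[0-9a-fA-F]+)\]'
    r'\[rid#(?P<rid>[0-9a-fA-F]+)\]'
    r'\[(?P<path>[^\]]*)\]'
    r'\[(?P<level>\d+)\] '
    r'(?P<msg>.*)$'
)
# Level-2 message that marks one request entering the detection phase.
DETECT_START = re.compile(
    r'^Detection phase starting \(request (?P<req>\d+)\): "(?P<reqline>[^"]*)"'
)

# Two lines copied from the thread; further test input is constructed.
SAMPLE_LINES = [
    '[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628]'
    '[/index.php][2] Detection phase starting (request 8288628): '
    '"GET /index.php?act=rssout&amp;id=1&/bin/davetest HTTP/1.1"',
    '[26/Apr/2006:13:09:05 -0400] [xx.xx.com/sid#8234520][rid#8288628]'
    '[/index.php][4] Normalised REQUEST_URI: '
    '"/index.php?act=rssout&amp;id=1&/bin/davetest"',
]


def parse_debug_line(line: str):
    """Return the fields of one debug-log line, or None if it does not match."""
    m = DEBUG_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    return rec


class RateLimiter:
    """Fixed-window limiter: at most `limit` actions per `window` seconds.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, limit: int, window: float = 1.0,
                 clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.window_start, self.count = clock(), 0

    def allow(self) -> bool:
        now = self.clock()
        if now - self.window_start >= self.window:
            self.window_start, self.count = now, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


def process_lines(lines: Iterable[str], max_per_second: int,
                  action: Callable[[str, str, str], None] = lambda *a: None,
                  clock: Callable[[], float] = time.monotonic) -> Dict[str, int]:
    """Call action(host, rid, request_line) once per detection-phase start,
    at most `max_per_second` times a second; return counters for review."""
    limiter = RateLimiter(max_per_second, clock=clock)
    stats = {"parsed": 0, "unparsed": 0, "detections": 0, "acted": 0, "throttled": 0}
    for line in lines:
        rec = parse_debug_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        m = DETECT_START.match(rec["msg"])
        if m is None:
            continue                      # level-4/9 noise for the same request
        stats["detections"] += 1
        if limiter.allow():
            stats["acted"] += 1
            action(rec["host"], rec["rid"], m.group("reqline"))
        else:
            stats["throttled"] += 1
    return stats


def follow(path: str, poll: float = 0.5) -> Iterator[str]:
    """Yield lines appended to `path`, like tail -f (no rotation handling)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)                     # only lines written from now on
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


if __name__ == "__main__":
    # Offline run on the sample lines; for live use pass
    # follow("/path/to/modsec_debug_log") instead of SAMPLE_LINES.
    def notify(host, rid, reqline):
        print(f"alert host={host} rid={rid} request={reqline!r}")

    print(process_lines(SAMPLE_LINES, max_per_second=10, action=notify))
```

The counters make the throttling visible: in a burst, `acted` stops at the limit and `throttled` records the rest, which is the information you would want logged rather than silently dropped. The fixed window resets on the first event after a second has passed, and `follow()` does not reopen a rotated file, so a production version should check the inode periodically.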