Hi Ebrahim,

Thanks for your feedback. There was a problem in modsecurity timestamp math and i was changed in 2.6.3.

Any chance you send me a patch ?

Thanks

Breno

On Mon, Jan 2, 2012 at 9:41 AM, Ebrahim Khalilzadeh <khalilzadeh@aut.ac.ir> wrote:

Hi,
Due to some problems about piping mlogc with apache, i decided to use mlogc-batch-load.pl on crontab. I installed modsecurity-apache_2.6.2 and it works correctly and generates audit log files like this:

--3f82651b-A--
[01/Jan/2012:15:11:28 +031800] 8lbP5n8AAAIAABL0J7gAAAAD 172.20.125.77 22409 172.20.125.126 80
--3f82651b-B--
GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1

Then i ran mlogc-batch-load.pl which It couldn't send audit logs to AuditConsole and it generated some error like this:

[Mon Jan 02 17:41:33 2012] [2] [28961/80d4e50] Invalid entry (failed to match regex): waf - - - - \"GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1\" 500 602 \"-\" \"-\" - \"-\" /20120102/20120102-1714/20120102-171401-xm8Xqn8AAAIAAG9lIs8AAAAD 0 1653 md5:e7fe62f1bf231a6993e5623a7b872b61

I installed
modsecurity-apache_2.6.3 and it generated audit log files like this:

--cc123a05-A--
[02/Jan/2012:17:14:01 +0330] xm8Xqn8AAAIAAG9lIs8AAAAD 172.20.125.77 36872 172.20.125.126 80
--cc123a05-B--
GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1

i ran mlogc-batch-load.pl and same error was generated.

I found out mlogc-bach-load.pl couldn't parse these audit log correctly and fortunately I could find the line that has this problem which is :

if ($sect eq 'A') {
            if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {

The regular expression for matching with my audit logs is not correct. my audit logs has time field like
[01/Jan/2012:15:11:28 +031800]  for 2.6.2v and [02/Jan/2012:17:14:01 +0330] for 2.6.3v  which non of them can match with \[[-\d/: a-zA-Z]{27}\].  I changed above line with below and audit logs be sent correctly:

if ($sect eq 'A') {
            #if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {
            if ($line =~ m%^(\[[^:]+:\d+:\d+:\d+ [^\]]+\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {

Is it a bug in mlog-batch-load.pl file or a problem in my system date/time?!

Best Regards,
khalilzadeh
       



--


--


------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________
mod-security-developers mailing list
mod-security-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php