[mod-security-users] Why doesn't my mod_security catch / log anything?
From: Emre S. <emr...@gm...> - 2011-03-16 12:13:22
Hello,

I installed mod_security on my Ubuntu GNU/Linux server, but when I send some simple requests to the web server that should match even the simplest rules, I fail to see any alerts or any log files that were supposed to exist in /var/log/apache2. What am I missing?

Before proceeding further, here are my system details:

    $ apache2ctl -t -D DUMP_MODULES | grep secu
    Syntax OK
     security2_module (shared)

    $ sudo lsof | grep mod_security
    apache2 12773 root     mem REG 202,0 268828 50225 /usr/lib/apache2/modules/mod_security2.so
    apache2 15287 www-data mem REG 202,0 268828 50225 /usr/lib/apache2/modules/mod_security2.so
    apache2 15288 www-data mem REG 202,0 268828 50225 /usr/lib/apache2/modules/mod_security2.so
    ...

I also checked for libxml2 and liblua5.1, and lsof reports that they are opened by the apache2 user.

And here is the relevant part from my /etc/apache2/apache2.conf:

    <IfModule mod_security2.c>
        # Basic configuration options
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess Off

        # Handling of file uploads
        # TODO Choose a folder private to Apache.
        # SecUploadDir /opt/apache-frontend/tmp/
        SecUploadKeepFiles Off

        # Debug log
        SecDebugLog /var/log/apache2/modsec_debug.log
        SecDebugLogLevel 3

        # Serial audit log
        #SecAuditEngine RelevantOnly
        SecAuditEngine On
        SecAuditLogRelevantStatus ^5
        SecAuditLogParts ABIFHZ
        SecAuditLogType Serial
        SecAuditLog /var/log/apache2/modsec_audit.log

        # Maximum request body size we will
        # accept for buffering
        SecRequestBodyLimit 131072

        # Store up to 128 KB in memory
        SecRequestBodyInMemoryLimit 131072

        # Buffer response bodies of up to
        # 512 KB in length
        SecResponseBodyLimit 524288

        # Configure default blocking policy
        # see ModSecurity Handbook, p. 175
        #
        #SecDefaultAction "phase:1,log,auditlog,pass"

        Include /etc/apache2/modsecurity-crs_2.0.6/*.conf
        Include /etc/apache2/modsecurity-crs_2.0.6/base_rules/*.conf

        SecFilter "/bin/"
        SecFilter "/cgi-bin" "deny,log,status:500"

        # By default log and deny suspicious requests
        # with HTTP status 500
        SecFilterDefaultAction "deny,log,status:500"
    </IfModule>

So I expect that if I try to visit my web site and send a request that matches one of the filters I declared above using SecFilter, or anything that matches the base rules, etc., then I should see something in those files:

    /var/log/apache2/modsec_debug.log
    /var/log/apache2/modsec_audit.log

right? For example, I try to visit my site using the following requests:

    http://www.myserver.com/cgi-bin
    http://www.myserver.com/index.html?q=/cgi-bin
    http://www.myserver.com/bin
    http://www.myserver.com/index.html?q=/bin
    http://www.myserver.com/index.html?q=/bin/

But I don't see anything in the relevant files; they are still empty:

    $ ls -lh /var/log/apache2/modsec_*
    -rw-r--r-- 1 www-data www-data 0 2011-03-16 10:31 /var/log/apache2/modsec_audit.log
    -rw-r--r-- 1 www-data www-data 0 2011-03-16 10:30 /var/log/apache2/modsec_debug.log

And in /var/log/apache2/error.log I only see the usual 'File does not exist' entries, no alerts related to mod_security.

What am I missing?

--
Emre Sevinc
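When troubleshooting a report like the one above, the first thing to confirm is whether the serial audit log (SecAuditLogType Serial, SecAuditLogParts ABIFHZ as configured in the post) is receiving transactions at all, since with SecAuditEngine On every transaction is written, not only the ones a rule matched. The parser below is an added example, not code from this thread or from the ModSecurity project; it splits a serial audit log into transactions and pulls out the fields a defender looks at first, and the log it parses is a constructed sample with placeholder ids and addresses.

```python
import re

BOUNDARY = re.compile(r"^--(\w+)-([A-Z])--$")     # "--<id>-<part>--" separator lines
PART_A = re.compile(r"^\[(.+?)\] (\S+) (\S+) ")   # [timestamp] unique_id client_ip ...

def parse_serial_audit_log(text):
    """One dict per transaction: id, timestamp, client_ip, request_line,
    status (from part F) and the 'Message:' lines from part H."""
    txs, parts, part = [], {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx_id, part = m.groups()
            if part == "A":                    # part A opens a new transaction
                parts = {}
                txs.append({"id": tx_id, "parts": parts})
            continue
        parts.setdefault(part, []).append(line)   # body line of the current part
    for tx in txs:
        p = tx["parts"]
        a = PART_A.match(p.get("A", [""])[0])
        tx["timestamp"], tx["client_ip"] = (a.group(1), a.group(3)) if a else (None, None)
        tx["request_line"] = next(iter(p.get("B", [])), None)
        f = next(iter(p.get("F", [])), "").split(" ")
        tx["status"] = int(f[1]) if len(f) > 1 and f[1].isdigit() else None
        tx["messages"] = [l[9:] for l in p.get("H", []) if l.startswith("Message: ")]
    return txs

# Constructed sample (placeholder ids/addresses) in the Serial format with parts ABIFHZ.
SAMPLE_AUDIT_LOG = """\
--c0ffee01-A--
[16/Mar/2011:10:31:12 +0000] CONSTRUCTED-ID-0001 192.0.2.10 54321 198.51.100.5 80
--c0ffee01-B--
GET /cgi-bin HTTP/1.1

--c0ffee01-F--
HTTP/1.1 500 Internal Server Error
--c0ffee01-H--
Message: Access denied with code 500 (phase 2). Pattern match "/cgi-bin" at REQUEST_URI.
--c0ffee01-Z--
--c0ffee02-A--
[16/Mar/2011:10:31:20 +0000] CONSTRUCTED-ID-0002 192.0.2.10 54322 198.51.100.5 80
--c0ffee02-B--
GET /index.html HTTP/1.1

--c0ffee02-F--
HTTP/1.1 404 Not Found
--c0ffee02-Z--
"""
```

Run it over /var/log/apache2/modsec_audit.log: an empty result from a non-empty file means the format is not what the parser expects, while an empty file with SecAuditEngine On means no request reached the module's logging at all.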