|
From: Breno S. P. (JIRA) <no...@mo...> - 2011-12-02 12:47:00
|
[ https://www.modsecurity.org/tracker/browse/MODSEC-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Breno Silva Pinto resolved MODSEC-197.
--------------------------------------
Resolution: Cannot Reproduce
> Logging sometimes misses some info / inconsisten logging
> --------------------------------------------------------
>
> Key: MODSEC-197
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-197
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Affects Versions: 2.5.13
> Environment: All
> Reporter: Marc Stern
> Assignee: Breno Silva Pinto
> Fix For: 2.6.3
>
>
> The same rule does not always logs the same information about the rule.
> Short example, one rule, twice the same request:
> SecRule ARGS:ref "@gt 16" "phase:2,t:none,t:length,msg:'Invalid reference number',proxy:'http://...'"
> Log:
> 1. Operator GT matched 16 at ARGS:referenceNumber. [msg "Invalid reference number"]
> 2. Access denied using proxy to (phase 2) http://localhost/SecError/apps/ref.html. [msg "Invalid reference number"]
> Full log (sanitised):
> --4ae31369-A--
> [12/Jan/2011:15:01:46 +0000] etqrMArAPisAAAc-K8sAAADD 10.192.61.111 15946 10.192.62.43 80
> --4ae31369-B--
> POST /xxxxxx HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
> Referer: http://xxxxxx
> Accept-Language: nl-be
> Content-Type: application/x-www-form-urlencoded
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
> Host: xxxxxx
> Content-Length: 34
> Pragma: no-cache
> Connection: close
> --4ae31369-C--
> ref=123456789012345678
> --4ae31369-F--
> HTTP/1.1 200 OK
> Content-Type: text/html;charset=ISO-8859-1
> Vary: Accept-Encoding,User-Agent
> Content-Encoding: gzip
> Connection: close
> Transfer-Encoding: chunked
> --4ae31369-H--
> Message: Operator GT matched 16 at ARGS:ref. [msg "Invalid reference number"]
> --4ae31369-Z--
> --1e310e07-A--
> [12/Jan/2011:16:02:51 +0100] frwvrArAPisAAAgTEDoAAABA 10.192.61.111 16272 10.192.62.43 80
> --1e310e07-B--
> POST /xxxxxx HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
> Referer: http://xxxxxx
> Accept-Language: nl-be
> Content-Type: application/x-www-form-urlencoded
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
> Host: xxxxxx
> Content-Length: 34
> Pragma: no-cache
> Connection: close
> --1e310e07-C--
> ref=123456789012345678
> --1e310e07-F--
> HTTP/1.1 200 OK
> Accept-Ranges: bytes
> Vary: Accept-Encoding,User-Agent
> Content-Type: text/html
> Content-Encoding: gzip
> Connection: close
> Transfer-Encoding: chunked
> --1e310e07-H--
> Message: Access denied using proxy to (phase 2) http://localhost/SecError/apps/ref.html. [msg "Invalid reference number"]
> Action: Intercepted (phase 2)
> WebApp-Info: "default" "unknown" "-"
> --1e310e07-Z--
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
|
