Re: [Mod-security-developers] mlogc-batch-load rex problem in section A

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Created MODSEC-282

On Mon, Jan 2, 2012 at 9:57 AM, Breno Silva <bre...@gm...> wrote:

> Hi Ebrahim,
>
> Thanks for your feedback. There was a problem in modsecurity timestamp
> math and i was changed in 2.6.3.
>
> Any chance you send me a patch ?
>
> Thanks
>
> Breno
>
> On Mon, Jan 2, 2012 at 9:41 AM, Ebrahim Khalilzadeh <kha...@au...
> > wrote:
>
>>
>> Hi,
>> Due to some problems about piping mlogc with apache, i decided to use
>> mlogc-batch-load.pl on crontab. I installed modsecurity-apache_2.6.2 and
>> it works correctly and generates audit log files like this:
>>
>> --3f82651b-A--
>> [01/Jan/2012:15:11:28 +031800] 8lbP5n8AAAIAABL0J7gAAAAD 172.20.125.77
>> 22409 172.20.125.126 80
>> --3f82651b-B--
>> GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1
>>
>> Then i ran mlogc-batch-load.pl which It couldn't send audit logs to
>> AuditConsole and it generated some error like this:
>>
>> [Mon Jan 02 17:41:33 2012] [2] [28961/80d4e50] Invalid entry (failed to
>> match regex): waf - - - - \"GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1\"
>> 500 602 \"-\" \"-\" - \"-\"
>> /20120102/20120102-1714/20120102-171401-xm8Xqn8AAAIAAG9lIs8AAAAD 0 1653
>> md5:e7fe62f1bf231a6993e5623a7b872b61
>>
>> I installed modsecurity-apache_2.6.3 and it generated audit log files
>> like this:
>>
>> --cc123a05-A--
>> [02/Jan/2012:17:14:01 +0330] xm8Xqn8AAAIAAG9lIs8AAAAD 172.20.125.77 36872
>> 172.20.125.126 80
>> --cc123a05-B--
>> GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1
>>
>> i ran mlogc-batch-load.pl and same error was generated.
>>
>> I found out mlogc-bach-load.pl couldn't parse these audit log correctly
>> and fortunately I could find the line that has this problem which is :
>>
>> if ($sect eq 'A') {
>>             if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+)
>> (\S+) (\d+)%) {
>>
>> The regular expression for matching with my audit logs is not correct. my
>> audit logs has time field like [01/Jan/2012:15:11:28 +031800]  for
>> 2.6.2v and [02/Jan/2012:17:14:01 +0330] for 2.6.3v  which non of them
>> can match with \[[-\d/: a-zA-Z]{27}\].  I changed above line with below
>> and audit logs be sent correctly:
>>
>> if ($sect eq 'A') {
>>             #if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+)
>> (\S+) (\d+)%) {
>>             if ($line =~ m%^(\[[^:]+:\d+:\d+:\d+ [^\]]+\]) (\S+) (\S+)
>> (\d+) (\S+) (\d+)%) {
>>
>> Is it a bug in mlog-batch-load.pl file or a problem in my system
>> date/time?!
>>
>> Best Regards,
>> khalilzadeh
>>
>>
>>
>>
>> --
>>
>>
>> --
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
>> infrastructure or vast IT resources to deliver seamless, secure access to
>> virtual desktops. With this all-in-one solution, easily deploy virtual
>> desktops for less than the cost of PCs and save 60% on VDI infrastructure
>> costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>
>