[ https://www.modsecurity.org/tracker/browse/MODSEC-313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Breno Silva Pinto resolved MODSEC-313.
--------------------------------------
Resolution: Not a Bug
Good to know how it was fixed.
Thanks for the report.
> mlogc skips all entries
> -----------------------
>
> Key: MODSEC-313
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-313
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Mlogc
> Affects Versions: 2.6.1, 2.6.5
> Environment: Linux (Centos 5.6)
> Reporter: Dennis Moers
> Assignee: Breno Silva Pinto
>
> I am trying to use mlogc to log attacks in the jwall AuditConsole. But each request which is recognized by mod_security causes an error in mlogc.
> Examples:
> [Tue May 29 09:19:04 2012] [2] [14118/8971980] Invalid entry (failed to match regex): [modsecurity] [client x.x.x.x] [domain y.y.y.y] [403] [/20120529/20120529-0919/20120529-091904-T8R4aH8AAAEAADcnCDUAAAAA] [file \"/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_40_generic_attacks.conf\"] [line \"221\"] [id \"958700\"] [rev \"2.2.2\"] [msg \"Remote File Access Attempt\"] [data \"/etc/\"] [severity \"CRITICAL\"] [tag \"WEB_ATTACK/FILE_INJECTION\"] [tag \"WASCTC/WASC-33\"] [tag \"OWASP_TOP_10/A4\"] [tag \"PCI/6.5.4\"] Access denied with code 403 (phase 2). Pattern match \"\\\\/etc\\\\/\" at ARGS:s.
> [Tue May 29 09:56:55 2012] [2] [14237/a091990] Invalid entry (failed to match regex): [modsecurity] [client x.x.x.x] [domain y.y.y.y] [403] [/20120529/20120529-0956/20120529-095655-T8SBR38AAAEAADerCAwAAAAA] [file \"/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf\"] [line \"47\"] [id \"960015\"] [rev \"2.2.2\"] [msg \"Request Missing an Accept Header\"] [severity \"CRITICAL\"] [tag \"PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT\"] [tag \"WASCTC/WASC-21\"] [tag \"OWASP_TOP_10/A7\"] [tag \"PCI/6.5.10\"] Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS.
> I am running mod_security 2.6.1 and tried mlogc 2.6.1 and 2.6.5. Both of them showed the same error.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
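The two error lines in the report show mlogc rejecting every entry it reads ("Invalid entry (failed to match regex)"), which means those events never reach the AuditConsole. When triaging this kind of problem it helps to see exactly which entries are being dropped and for which rules. The following is an added example, not code from the ModSecurity project or from this thread: a small Python parser for mlogc's "Invalid entry" error lines that pulls out mlogc's own prefix (timestamp, level, pid/tid) and the bracketed fields of the rejected entry (client, status, audit-log part path, rule id, msg, severity, tags) and counts rejections per rule. The field layout is inferred only from the two lines in the report; the sample input is constructed in the same shape, with JIRA's backslash-escaping of quotes removed and documentation addresses substituted.

```python
import re
from collections import Counter

# Constructed sample of mlogc "Invalid entry" error lines, shaped like the two
# in the report (not the reporter's actual data).
SAMPLE_MLOGC_ERRORS = r'''
[Tue May 29 09:19:04 2012] [2] [14118/8971980] Invalid entry (failed to match regex): [modsecurity] [client 192.0.2.10] [domain 198.51.100.5] [403] [/20120529/20120529-0919/20120529-091904-T8R4aH8AAAEAADcnCDUAAAAA] [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "221"] [id "958700"] [rev "2.2.2"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] Access denied with code 403 (phase 2). Pattern match "\\/etc\\/" at ARGS:s.
[Tue May 29 09:56:55 2012] [2] [14237/a091990] Invalid entry (failed to match regex): [modsecurity] [client 192.0.2.10] [domain 198.51.100.5] [403] [/20120529/20120529-0956/20120529-095655-T8SBR38AAAEAADerCAwAAAAA] [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.2"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS.
'''

# mlogc's own prefix: [timestamp] [level] [pid/tid] Invalid entry (...): <rejected entry>
MLOGC_PREFIX = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\d+)\] \[(?P<pid>\d+)/(?P<tid>[0-9a-fA-F]+)\] '
    r'Invalid entry \(failed to match regex\): (?P<entry>.*)$'
)

# One bracketed field of the rejected entry: [key], [key value] or [key "quoted value"].
# A quoted value may contain escaped quotes and literal ']' characters.
FIELD = re.compile(r'\[(?P<key>[^\s\]]+)(?: (?P<val>"(?:[^"\\]|\\.)*"|[^\]]*))?\]')


def parse_entry_fields(entry):
    """Split a rejected entry into its bracketed fields and the trailing free text."""
    fields = {'tags': []}
    end = 0
    for m in FIELD.finditer(entry):
        if entry[end:m.start()].strip():   # first non-bracket text ends the field list
            break
        end = m.end()
        key, val = m.group('key'), m.group('val')
        if val is not None and val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        if key == 'tag':                      # several [tag "..."] fields per entry
            fields['tags'].append(val)
        elif key.isdigit() and val is None:   # the bare [403]
            fields['status'] = int(key)
        elif key.startswith('/') and val is None:
            # Assumed (from its shape) to be the part path in the concurrent
            # audit-log storage layout: /YYYYMMDD/YYYYMMDD-HHMM/YYYYMMDD-HHMMSS-unique_id
            fields['audit_path'] = key
        else:
            fields[key] = val                 # [modsecurity] is stored with value None
    fields['message'] = entry[end:].strip()
    return fields


def parse_mlogc_error(line):
    """Return a dict for one mlogc 'Invalid entry' line, or None for any other line."""
    m = MLOGC_PREFIX.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ('ts', 'level', 'pid', 'tid')}
    rec.update(parse_entry_fields(m.group('entry')))
    return rec


def dropped_entries_by_rule(log_text):
    """Count rejected entries per (rule id, msg): these events never reach the console."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_mlogc_error(line)
        if rec:
            counts[(rec.get('id'), rec.get('msg'))] += 1
    return counts


if __name__ == '__main__':
    for rule, n in dropped_entries_by_rule(SAMPLE_MLOGC_ERRORS).items():
        print(n, rule)
```

Run against a real mlogc error log, the per-rule counts show whether every entry is being rejected (a format or configuration mismatch, as in this report) or only some of them, and the `audit_path` values identify the audit-log parts that were never delivered.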