Re: [mod-security-users] Modesecurity Audit log trailer without messages.
From: Chaim S. <CSa...@tr...> - 2015-03-27 14:08:09
Morris,

You might have already considered this, but just to be sure, can you send us the configuration where you declare SecAuditLogParts? It is this directive (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secauditlogparts) that typically controls which parts are included in the audit log.

Chaim Sanders
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

-----Original Message-----
From: Morris Taylor [mailto:mo...@em...]
Sent: Thursday, March 26, 2015 5:12 AM
To: mod...@li...
Subject: [mod-security-users] Modesecurity Audit log trailer without messages.

Dear All,

I am running ModSecurity within NGINX, and I found this issue today. That is, I find some entries in the audit log are showing without any "Messages" in audit part H. It looks weird that I cannot find the reason for blocking this request. (Apparently we can see the Referer in the request header is malicious.) Can anyone tell me why the reason is not included in part H of the audit log?
Following is the detail of one such request in my audit log (sorry for masking the client IP address and the Host in the request header):

--adaae268-A--
[26/Mar/2015:16:30:26 +0800] zSAcAOAcAcAcRcAcLcAaecAr 223.xxx.xx.xx 25749 127.0.0.1 80
--adaae268-B--
GET /fonts/ HTTP/1.1
Referer: file:///etc/passwd
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: some.domain.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
--adaae268-F--
HTTP/1.1
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
--adaae268-H--
Apache-Handler: IIS
Stopwatch: 1427358625000958 1126873 (- - -)
Stopwatch2: 1427358625000958 1126873; combined=8995, p1=282, p2=8580, p3=4, p4=90, p5=37, sr=82, sw=2, l=0, gc=0
Producer: ModSecurity for nginx (STABLE)/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: ModSecurity Standalone
Engine-Mode: "DETECTION_ONLY"

--
BR,
Morris
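As an added example (not code from the thread, from ModSecurity or from the OWASP CRS), the following Python splits ModSecurity 2.x native-format audit log entries into their lettered parts and reports, per entry, which parts were written, how many Message: lines part H carries, which rule ids those lines cite, and the Engine-Mode. The first sample is the record Morris posted above (client IP and Host masked as in the post, and with no trailing Z part, as posted); the second is a constructed record with a Message: line for comparison, whose rule id and msg text are illustrative.

```python
"""Split ModSecurity 2.x native-format audit entries into parts and inspect part H.

Added example for the thread above, not code from ModSecurity or the posters.
POSTED_ENTRY is the record from the post (IP/Host masked as posted, no Z part);
CONSTRUCTED_ENTRY is made up here to show an entry that does carry a Message:
line (rule id and msg are illustrative).
"""
import re
from collections import OrderedDict

# Part boundaries in the native audit format look like "--<hex id>-<LETTER>--".
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--[ \t]*$", re.M)
MESSAGE = re.compile(r"^Message: (.*)$", re.M)
ENGINE_MODE = re.compile(r'^Engine-Mode: "([A-Z_]+)"', re.M)
RULE_ID = re.compile(r'\[id "(\d+)"\]')

POSTED_ENTRY = """--adaae268-A--
[26/Mar/2015:16:30:26 +0800] zSAcAOAcAcAcRcAcLcAaecAr 223.xxx.xx.xx 25749 127.0.0.1 80
--adaae268-B--
GET /fonts/ HTTP/1.1
Referer: file:///etc/passwd
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: some.domain.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
--adaae268-F--
HTTP/1.1
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
Content-Type: text/plain; charset=UTF-8
Connection: keep-alive
--adaae268-H--
Apache-Handler: IIS
Stopwatch: 1427358625000958 1126873 (- - -)
Stopwatch2: 1427358625000958 1126873; combined=8995, p1=282, p2=8580, p3=4, p4=90, p5=37, sr=82, sw=2, l=0, gc=0
Producer: ModSecurity for nginx (STABLE)/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: ModSecurity Standalone
Engine-Mode: "DETECTION_ONLY"
"""

# Constructed record: same request shape, but part H explains the match.
CONSTRUCTED_ENTRY = """--0000a1b2-A--
[26/Mar/2015:16:31:00 +0800] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 40000 127.0.0.1 80
--0000a1b2-B--
GET /fonts/ HTTP/1.1
Referer: file:///etc/passwd
Host: some.domain.com
--0000a1b2-F--
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
--0000a1b2-H--
Message: Warning. Pattern match "etc/passwd" at REQUEST_HEADERS:Referer. [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"
--0000a1b2-Z--
"""


def split_entries(log_text):
    """Cut a log holding several entries at each '-A--' boundary."""
    starts = [m.start() for m in BOUNDARY.finditer(log_text) if m.group(2) == "A"]
    starts.append(len(log_text))
    return [log_text[s:e].strip("\n") for s, e in zip(starts, starts[1:])]


def parse_entry(entry_text):
    """Return (entry_id, OrderedDict{part letter: body}) for one entry."""
    marks = list(BOUNDARY.finditer(entry_text))
    if not marks:
        raise ValueError("no audit part boundaries found")
    parts = OrderedDict()
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry_text)
        parts[m.group(2)] = entry_text[m.end():end].strip("\n")
    return marks[0].group(1), parts


def h_messages(parts):
    """Every 'Message:' line in part H, one per rule that matched."""
    return MESSAGE.findall(parts.get("H", ""))


def engine_mode(parts):
    m = ENGINE_MODE.search(parts.get("H", ""))
    return m.group(1) if m else None


def summarize(entry_text):
    entry_id, parts = parse_entry(entry_text)
    msgs = h_messages(parts)
    return {
        "id": entry_id,
        "parts": "".join(parts),  # e.g. "ABFH": which parts were written
        "message_count": len(msgs),
        "rule_ids": [RULE_ID.search(m).group(1) for m in msgs if RULE_ID.search(m)],
        "engine_mode": engine_mode(parts),
        "terminated": "Z" in parts,
    }


def entries_without_messages(log_text):
    """Ids of entries whose part H explains nothing, the symptom in the thread."""
    return [s["id"] for s in map(summarize, split_entries(log_text)) if s["message_count"] == 0]
```

Two things this makes visible for the posted record: part H contains no Message: line at all, and Engine-Mode is "DETECTION_ONLY", so ModSecurity itself did not block the request whatever matched; if the client was refused, that came from somewhere else. In ModSecurity 2.x with SecAuditEngine RelevantOnly, an entry is also written when the response status matches SecAuditLogRelevantStatus (default ^(?:5|4(?!04))) even if no rule fired, and such entries carry no Message: line; comparing the status in part F against that pattern, together with the SecAuditLogParts setting Chaim asks about, is the quickest way to tell the two cases apart.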