[mod-security-users] Logging request body of denied request?
From: Jasper W. <ja...@po...> - 2020-10-11 03:11:03
Hi,
I'm using Apache 2.4.10 (from Debian) and mod_security 2.8.0-3.
I've got someone POST'ing annoying things to a particular URI, luckily
with a consistent user-agent. I've blocked them with (inside
<VirtualHost/>):
SetEnvIfNoCase User-Agent "^badua/" bad_bot
<Directory "/usr/lib/cgi-bin/thing/">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Deny from env=bad_bot
</Directory>
I'd like to see what it is they are POST'ing, and I'm trying to configure
mod_security to grab them.
Then in the mod_security config I've got:
SecRequestBodyAccess On
SecDefaultAction "nolog,noauditlog,allow,phase:2"
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
SecAuditLogParts ABIJDFHKZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,nolog,auditlog,id:123,msg:'POST request log'"
SecRule REQUEST_URI "^/path/.*" "ctl:auditEngine=On,nolog,auditlog"
But that doesn't log the request body, and it only logs because the deny
triggers a response with a 403 result code, which hits the
SecAuditLogRelevantStatus.
The rules only work for 200 OK responses.
Looking at the debug logs I can see that the blocked requests don't get a
"phase REQUEST_BODY", so I guess Apache rejects the request before it
reads the request body.
I guess to fix this I have to remove the Deny rule in the Apache config
and do the matching on the user-agent in the mod_security rules?
With something like:
SecRule REQUEST_METHOD "^POST$" "chain,deny,status:403,phase:2,log,auditlog,id:123,msg:'POST request log'"
SecRule REQUEST_URI "^/path/.*" "chain,id:124,ctl:auditEngine=On,nolog,auditlog"
SecRule REQUEST_HEADERS:User-Agent "^badua/" "id:125,ctl:auditEngine=On,nolog,auditlog"
(I'm not clear on where the deny, auditlog and / or ctl:auditEngine=On go)
Is that the best way to handle it?
How does blocking things in the request body phase work with CGIs? Is
the script already running at that point?
--
[http://pointless.net/] [0x416333590FC0E569]
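The approach the post sketches, written out as an added example (not the poster's config and not part of the mod_security project): the Apache Deny is dropped and the user-agent match moves into a phase 2 ModSecurity chain, so the body is read before the 403 goes out. The rule id, the URI prefix /path/ and the user-agent prefix badua/ are placeholders.

```apache
# Added example: block the bad user-agent from ModSecurity rather than
# with "Deny from env=bad_bot". Apache's access check runs before
# ModSecurity's phase 2, so a Deny there answers 403 before the request
# body has been read and nothing but headers can reach the audit log.

SecRuleEngine On
SecRequestBodyAccess On
SecDefaultAction "phase:2,pass,nolog,noauditlog"

# Audit only relevant transactions; the 403 from the rule below matches.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Part I carries the request body (a reduced form for multipart bodies).
SecAuditLogParts ABIJDFHKZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

# A chain is a logical AND. The disruptive action (deny), phase, id and
# msg belong on the first rule only; the later rules carry just their test.
# Placeholders: 1000123 (rule id), /path/ (URI), badua/ (user-agent).
SecRule REQUEST_METHOD "@streq POST" \
    "id:1000123,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    auditlog,\
    msg:'POST from blocked user-agent',\
    chain"
    SecRule REQUEST_URI "@beginsWith /path/" "chain"
        SecRule REQUEST_HEADERS:User-Agent "@beginsWith badua/" "t:none"
```

Phase 2 runs before Apache hands the request to its content handler, so a POST denied here never starts the CGI script. Check the result in the debug log: a denied request should now show a "phase REQUEST_BODY" entry followed by the 403, and the serial audit log should contain a part I section for it.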