Re: [mod-security-users] Logging request body of denied request?
From: Manuel S. <spa...@gm...> - 2020-10-11 15:06:32
Hi,

what is your SecAuditLogParts configuration?

Cheers!

Sent from my iPhone

> On Oct 10, 2020, at 11:15 PM, Jasper Wallace <ja...@po...> wrote:
>
> Hi,
>
> I'm using apache 2.4.10 (from Debian) and mod_security 2.8.0-3.
>
> I've got someone POST'ing annoying things to a particular URI, luckily
> with a consistent user-agent, I've blocked them with (inside
> <VirtualHost/>):
>
> SetEnvIfNoCase User-Agent "^badua/" bad_bot
>
> <Directory "/usr/lib/cgi-bin/thing/">
> Options FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
> Deny from env=bad_bot
> </Directory>
>
> I'd like to see what it is they are POST'ing and I'm trying to config
> mod_security to grab them.
>
> Then in the mod_security config I've got:
>
> SecRequestBodyAccess On
> SecDefaultAction "nolog,noauditlog,allow,phase:2"
>
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>
> # Log everything we know about a transaction.
> SecAuditLogParts ABIJDFHKZ
> SecAuditLogType Serial
> SecAuditLog /var/log/apache2/modsec_audit.log
>
> SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,nolog,auditlog,id:123,msg:'POST request log'"
> SecRule REQUEST_URI "^/path/.*" "ctl:auditEngine=On,nolog,auditlog"
>
> But that doesn't log the request body, and only logs cos the deny triggers
> a response with a 403 result code which hits the
> SecAuditLogRelevantStatus.
>
> The rules only work for 200 ok responses.
>
> Looking at the debug logs I can see that the blocked requests don't get a
> "phase REQUEST_BODY", so I guess apache rejects the request before it
> reads the request body.
>
> I guess to fix this I have to remove the Deny rule in the apache config
> and do the matching on the user-agent in the mod_security rules?
>
> With something like:
>
> SecRule REQUEST_METHOD "^POST$" "chain,deny,status:403,phase:2,log,auditlog,id:123,msg:'POST request log'"
> SecRule REQUEST_URI "^/path/.*" "chain,id:124,ctl:auditEngine=On,nolog,auditlog"
> SecRule REQUEST_HEADERS:User-Agent "^badua/" "id:125,ctl:auditEngine=On,nolog,auditlog"
>
> (I'm not clear on where the deny, auditlog and / or ctl:auditEngine=On go)
>
> Is that the best way to handle it?
>
> How does blocking things in the request body phase work with CGIs - is
> the script already running at that point?
>
> --
> [http://pointless.net/] [0x416333590FC0E569]
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
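The chain Jasper sketches, written out as an added example (not a configuration from the thread or from the ModSecurity project). It assumes the URI prefix `/path/`, the user-agent pattern `^badua/` and the rule id 1000; the audit log path is the one from the original post.

```apache
# Added example: block in ModSecurity phase 2 instead of Apache's "Deny from",
# so the body is read (and can be audit-logged) before the request is refused.
# Apache's access control runs before ModSecurity phase 2, which is why a
# "Deny from env=bad_bot" 403 never produces a REQUEST_BODY phase.
SecRequestBodyAccess On

SecAuditEngine RelevantOnly
# Part C is the request body; I is the same data except for multipart bodies.
SecAuditLogParts ABCFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

# One chain, three conditions. In ModSecurity 2.x the id, phase, the
# disruptive action (deny) and the non-disruptive actions (log, auditlog,
# ctl:auditEngine=On) all belong on the FIRST rule of the chain; the chained
# rules carry only their variable, operator and any transformations.
# "auditlog" marks the transaction relevant, so SecAuditLogRelevantStatus
# is no longer needed for these requests.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1000,phase:2,deny,status:403,log,auditlog,ctl:auditEngine=On,\
    msg:'POST from bad user-agent to /path/ (body logged)',chain"
    SecRule REQUEST_URI "@beginsWith /path/" "t:none,chain"
        SecRule REQUEST_HEADERS:User-Agent "@rx ^badua/" "t:none"

# Phase 2 completes before Apache hands the request to its handler, so a
# deny here stops the CGI script from ever being started.
```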