[mod-security-users] How to log transformed REQUEST_URI/REQUEST_URI_RAW?
From: Web C. <we...@we...> - 2021-10-23 11:57:01
Hello everyone :)
How can I find the reason why the rule below was triggered? It looks like
the audit log does not provide enough information in this case either.
%{REQUEST_URI} gives me: /yyyyy.php?site=http://blubb
%{REQUEST_URI_RAW} gives me: /yyyyy.php?site=http://blubb
I think the transformed REQUEST_URI might be something like
"/yyyyy.php?site=http:/blubb" without the double slash. I want to be sure
why the rule was triggered and I want to see it in black and white for
certainty. How would you do it?
ModSecurity version: 2.9.4
Apache Version: 2.4.48
Rule / in httpd.conf
------------------
# Make sure there are no URI evasion attempts
SecRule REQUEST_URI "!@streq %{REQUEST_URI_RAW}" \
    "id:11000,phase:1,deny,t:normalizePathWin,log,\
    msg:'URI evasion attempt REQUEST_URI: %{REQUEST_URI} REQUEST_URI_RAW: %{REQUEST_URI_RAW}'"
error.log
------------------
[yyyy-mm-dd hh:mm:ss.mmmmmm] [-:error] 127.0.0.1:35220 zzzzzzz__zzzzzzzzzzzzzzzzzz [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Match of "streq %{REQUEST_URI_RAW}" against "REQUEST_URI" required. [file "/opt/apache-2.4.48/conf/httpd.conf"] [line "200"] [id "11000"] [msg "URI evasion attempt REQUEST_URI: /yyyyy.php?site=http://blubb REQUEST_URI_RAW: /yyyyy.php?site=http://blubb"] [tag "domain.tld Public"] [hostname "domain.tld"] [uri "/yyyyy.php"] [unique_id "zzzzzzz__zzzzzzzzzzzzzzzzzz"]
Regards,
Webco
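Added example (not part of Webco's post and not ModSecurity's own code): a small Python simulation of what rule 11000 does, to show in black and white why it fires on /yyyyy.php?site=http://blubb. In ModSecurity 2.x the transformations listed in a rule are applied only to the variable on the left-hand side (REQUEST_URI); the %{REQUEST_URI_RAW} macro on the right and the %{...} macros inside msg expand to the untransformed values, which is why the error log prints two identical strings. normalizePathWin converts backslashes to forward slashes and then, like normalizePath, collapses multiple slashes and removes "./" and "../" segments over the whole URI, query string included, so "http://blubb" becomes "http:/blubb" and @streq fails. The normalize_path_win() function below is my approximation of that documented behaviour, not the engine's C implementation (edge cases such as "../" above the root may differ), and the sample URIs other than the one from the post are constructed. To see the real transformed value from ModSecurity itself, raise SecDebugLogLevel to 9 (the debug log prints every transformation step and the final target value handed to the operator), or add logdata:'%{MATCHED_VAR}' to the rule, since MATCHED_VAR carries the value as the operator saw it, i.e. after transformation.

```python
"""Simulate ModSecurity 2.x rule 11000 from the post: REQUEST_URI with
t:normalizePathWin compared (@streq) against the untransformed REQUEST_URI_RAW.

normalize_path_win() is an approximation of the documented semantics of the
normalizePathWin transformation (backslashes to forward slashes, then
normalizePath: collapse multiple slashes, drop "./" self-references, resolve
"../" back-references). It is NOT the ModSecurity C code; it is an assumption
for illustration only.
"""
from typing import Dict, List


def normalize_path(value: str) -> str:
    """Approximation of t:normalizePath."""
    # Collapse runs of slashes. This is the step that turns the query string
    # "site=http://blubb" into "site=http:/blubb": the transformation runs over
    # the whole REQUEST_URI, query string included.
    while "//" in value:
        value = value.replace("//", "/")

    absolute = value.startswith("/")
    trailing = value.endswith("/") and len(value) > 1
    core = value.strip("/")
    segments: List[str] = core.split("/") if core else []

    out: List[str] = []
    for seg in segments:
        if seg == ".":
            continue                      # self-reference: drop it
        if seg == "..":
            if out and out[-1] != "..":
                out.pop()                 # back-reference: remove previous segment
            elif not absolute:
                out.append("..")          # leading "../" in a relative path is kept
            # absolute path: "../" at the root has nothing left to remove
            continue
        out.append(seg)

    result = "/".join(out)
    if absolute:
        result = "/" + result
    if trailing and not result.endswith("/"):
        result += "/"
    return result


def normalize_path_win(value: str) -> str:
    """Approximation of t:normalizePathWin: backslashes first, then normalizePath."""
    return normalize_path(value.replace("\\", "/"))


def uri_evasion_check(request_uri_raw: str) -> Dict[str, object]:
    """Mimic rule 11000: the engine runs t:normalizePathWin over REQUEST_URI and
    hands the result to @streq; the %{REQUEST_URI_RAW} macro on the right-hand
    side is not transformed. The post's log shows REQUEST_URI == REQUEST_URI_RAW,
    so the same string is used as the input here."""
    transformed = normalize_path_win(request_uri_raw)
    return {
        "raw": request_uri_raw,
        "transformed": transformed,
        "matched": transformed != request_uri_raw,   # "!@streq" fires on inequality
    }


# Constructed sample URIs (only the first one comes from the post).
SAMPLES = [
    "/yyyyy.php?site=http://blubb",   # the post's request: "//" inside the query string
    "/yyyyy.php?site=foo",            # nothing to normalise: rule stays quiet
    "/a/./b/../c",                    # classic path tricks: normalises to /a/c
    "/a\\b//c",                       # Windows-style separator plus doubled slash
]

if __name__ == "__main__":
    for uri in SAMPLES:
        r = uri_evasion_check(uri)
        flag = "MATCH" if r["matched"] else "ok   "
        print(f"{flag} raw={r['raw']!r} transformed={r['transformed']!r}")
```

Run it with python3; the first sample is reported as a match with the transformed value "/yyyyy.php?site=http:/blubb", which is the string the engine compared and the msg macro could never show. If the intent of rule 11000 is to catch path tricks in the path component only, the practical consequence is that any URL carrying a "scheme://" value in its query string will trip it as written.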