Re: [mod-security-users] How to log transformed REQUEST_URI/REQUEST_URI_RAW?
From: <az...@po...> - 2021-10-23 14:58:07
Hi,
try enabling the debug log in ModSecurity.
Quoting Web Coach <we...@we...>:
> Hello together :)
>
> How can I find the reason why the rule below was triggered? It looks like
> the audit log does not provide enough information in this case either.
>
> %{REQUEST_URI} gives me: /yyyyy.php?site=http://blubb
> %{REQUEST_URI_RAW} gives me: /yyyyy.php?site=http://blubb
>
> I think the transformed REQUEST_URI might be something like
> "/yyyyy.php?site=http:/blubb" without the double slash. I want to be sure
> why the rule was triggered and I want to see it black on white for
> certainty. How would you do it?
>
> ModSecurity version: 2.9.4
> Apache Version: 2.4.48
>
> Rule / in httpd.conf
> ------------------
> # Make sure there are no URI evasion attempts
> SecRule REQUEST_URI "!@streq %{REQUEST_URI_RAW}" \
>     "id:11000,phase:1,deny,t:normalizePathWin,log,\
>     msg:'URI evasion attempt REQUEST_URI: %{REQUEST_URI} REQUEST_URI_RAW: %{REQUEST_URI_RAW}'"
>
> error.log
> ------------------
> [yyyy-mm-dd hh:mm:ss.mmmmmm] [-:error] 127.0.0.1:35220
> zzzzzzz__zzzzzzzzzzzzzzzzzz [client 127.0.0.1] ModSecurity: Access denied
> with code 403 (phase 1). Match of "streq %{REQUEST_URI_RAW}" against
> "REQUEST_URI" required. [file "/opt/apache-2.4.48/conf/httpd.conf"] [line
> "200"] [id "11000"] [msg "URI evasion attempt REQUEST_URI: /yyyyy.php?site=
> http://blubb REQUEST_URI_RAW: /yyyyy.php?site=http://blubb"] [tag
> "domain.tld Public"] [hostname "domain.tld"] [uri "/yyyyy.php"] [unique_id
> "zzzzzzz__zzzzzzzzzzzzzzzzzz"]
>
> Regards,
> Webco
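The following httpd.conf fragment is an added example, not code from either poster, that applies the advice above and also makes the compared value visible without the debug log. Two things explain the identical strings in the original msg: transformations (t:) are applied only to the operator's target, while `%{REQUEST_URI}` in msg is plain macro expansion of the untransformed variable; and normalizePathWin, per the ModSecurity reference, converts backslashes and then removes multiple slashes, self-references and back-references from the whole input, which for REQUEST_URI includes the query string. `MATCHED_VAR` holds the target value after transformation, so putting it in `logdata` writes it into the `[data "..."]` field of the error and audit log entry. The debug log path is an assumption; rule id 11001 is a placeholder.

```apache
# Added example (not from the thread): make the value the operator compared visible.

# 1. Debug log, as suggested in the reply. Level 9 records each transformation
#    step and the final target value handed to the operator. The path is an
#    assumption; pick one the Apache user can write to.
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 9

# 2. The original rule with logdata added. MATCHED_VAR is the REQUEST_URI value
#    *after* t:normalizePathWin; %{REQUEST_URI} in msg is never transformed,
#    which is why the original msg printed the same string twice. The logdata
#    appears as [data "..."] in the error/audit log entry.
SecRule REQUEST_URI "!@streq %{REQUEST_URI_RAW}" \
    "id:11000,phase:1,deny,log,t:normalizePathWin,\
    msg:'URI evasion attempt',\
    logdata:'transformed REQUEST_URI: %{MATCHED_VAR}, REQUEST_URI_RAW: %{REQUEST_URI_RAW}'"

# 3. Optional narrower variant (id 11001 is a placeholder). normalizePath
#    collapses the "//" of any URL carried in the query string, so a rule
#    aimed only at path-level evasion should compare the path without the
#    query string against its own untransformed value.
# SecRule REQUEST_FILENAME "!@streq %{REQUEST_FILENAME}" \
#     "id:11001,phase:1,deny,log,t:normalizePathWin,\
#     msg:'Path evasion attempt',\
#     logdata:'transformed: %{MATCHED_VAR}, raw: %{REQUEST_FILENAME}'"
```

Reproduce the request once, read the `[data "..."]` field of the resulting error log line (and, if enabled, the transformation lines for id 11000 in the debug log), then lower SecDebugLogLevel again: level 9 writes a large amount of data per request and is meant for troubleshooting only.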