Re: [mod-security-users] Basic help interpreting concurrent log file format
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-06-27 16:54:02
The attached log file is in the Serial format. Verify your SecAuditLogType directive to ensure that it is set to Concurrent.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: Frank Misa [mailto:fra...@ho...]
Sent: Wednesday, June 27, 2007 12:52 PM
To: Ryan Barnett; mod...@li...; Christian Bockermann
Subject: RE: [mod-security-users] Basic help interpreting concurrent log file format

Hi Ryan,

Looks like audit payload info. ? but that's all I see....
Attached is a snippet from my index file..... (the rest of the log is similar) does it look right to you ?

From: modsec_audit.log
See attached text file...

Thanks
Frank

________________________________
Subject: RE: [mod-security-users] Basic help interpreting concurrent log file format
Date: Wed, 27 Jun 2007 12:43:38 -0400
From: Ryan.Barnett@Breach.com
To: fra...@ho...; mod...@li...; ch...@jw...

When you switch to Concurrent logging, the index file should only contain meta-data pointers to the actual log files. The entries should look similar to this -

www.bankdemo.com 127.0.0.1 - - [07/Mar/2007:10:23:36 --0500] "POST /Bloan.asp HTTP/1.1" 404 207 "-" "-" xjcud8CoD4QAAESBlSMAAAAB "-" /20070307/20070307-1023/20070307-102336-xjcud8CoD4QAAESBlSMAAAAB 0 1338 md5:0e4efefe9572c40afade998e3a24afa8

If you are seeing data like this in the index file, then you are still using Serial logging -

Or was it the actual audit payload of the audit log like this -

--f2516a06-A--
[07/Mar/2007:10:23:36 --0500] xjcud8CoD4QAAESBlSMAAAAB 127.0.0.1 50346 127.0.0.1 80
--f2516a06-B--
POST /Bloan.asp HTTP/1.1
Host: www.bankdemo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.bankdemo.com/Bloanapp.asp
Cookie: ASPSESSIONIDQQCSRARS=GJPFMJACONFJCJNGKGLIOLPN; sessid=
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

--f2516a06-C--
FullName=&DOB=&HomeAddress=&HomePhone=&SSN=%60+or+%601%60%3D%601&DLN=&LoanAmount=&LoanDescription=&submit.x=108&submit.y=5
--f2516a06-F--
HTTP/1.1 404 Not Found
Content-Length: 207
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--f2516a06-H--
Apache-Error: [file "core.c"] [line 3612] [level 3] File does not exist: /usr/local/apache/htdocs/Bloan.asp, referer: http://www.bankdemo.com/Bloanapp.asp
Stopwatch: 1173281016589943 165300 (22480* 161003 -)
Producer: ModSecurity v2.1.0 (Apache 2.x)
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7f DAV/2

--f2516a06-Z--

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Frank Misa
Sent: Wednesday, June 27, 2007 12:25 PM
To: mod...@li...; Christian Bockermann
Subject: Re: [mod-security-users] Basic help interpreting concurrent log file format

Thanks Chris,

I've installed cygwin - so I have the unix grep/awk/sed toolset available; thanks for the suggestion.
http://www.cygwin.com/

I'd expect the main log file then to be an "index" into the individual log files being accumulated in the subdirectories....
But the index log file headings:
--29000000-A-- ...
--be180000-A-- ...
etc. etc. they don't seem to be related to the individual log files in a one:one relationship ?

Thanks for pointing out the 'H' section with "id" value -- right under my nose :(

Cheers
Frank

________________________________
> From: ch...@jw...
> Subject: Re: [mod-security-users] Basic help interpreting concurrent log file format
> Date: Wed, 27 Jun 2007 16:48:13 +0200
> To: fra...@ho...
>
> The format of audit-logs is completely different in 2.x.
> Each event is divided into sections that have a special meaning.
> Like A for audit-header holding tcp-info for example. A rule that
> fires and has an auditlog-action with it will result in the
> message being printed in the H-section, prefixed with "Message: "
>
> This is where the rule-id will be printed, too (as far as the
> rule defines an id).
>
> On unix you could simply grep for these messages using
>
> find /path/to/audit-log/ -type f -exec grep -H 'Message' {} \;
>
> This will reveal all messages associated with an event. The id
> of a rule will be printed as
>
> Message: ... [ id "123" ]
>
> So you could track this down a little by using
>
> find /path/to/audit-log/ -type f -exec grep -H '[ id "' {} \;
>
> for example. But this is all on unix. Might not be that simple
> on windows.
>
> Regards,
> Chris
>
>
> On 27.06.2007 at 16:34, Frank Misa wrote:
>
> > Hi All,
> >
> > I hate asking another newbie question -- but I really need to make
> > up lost time...
> > Hope someone can help me... this is so fundamental -- it should be
> > a no brainer for users on this forum.
> >
> > I'd like to parse log files for unique_id of rules being violated
> > -- and then use this information to refine the core rule set being
> > used.
> >
> > I have configured my modsecurity2 instance for concurrent logging:
> > >>SecAuditLogType Concurrent
> > >>SecAuditLog logs/modsec_audit.log
> > >>SecAuditLogStorageDir C:/apache/logs/modSecurity/audit
> > >>SecAuditLogParts "ABCDEFGHZ"
> >
> > The online documentation suggests that each transaction is logged
> > in its own file -- according to the following format:
> > See: http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/07-logging.html:
> > Note: The documentation for v2.1.x does not give much detail on log
> > file format -- just directive meaning and configuration....
> >
> > I've attached a sample log file (with some IPs cleansed to
> > xxx.xxx.xxx.xxx) and screenshots as well -- where are the rule
> > unique_id etc. being logged ? Where is the modsecurity2 concurrent
> > log file format documented ? Assuming I'm not using
> > ModsecurityConsole -- how does one interpret this log information
> > and adjust rule-set accordingly for false positives ?
> >
> > I can't find anything like the following in any of my log files.
> > Has the format changed so much between 1.9.3 -- and the version I'm
> > using 2.1.x ?
> >
> > >> The line begins with a "vcombined" log format, but it then adds
> > the following fields:
> >
> > unique_id
> > session_id (not used at this time)
> > filename
> > offset
> > size
> > hash of the audit log entry (MD5 hash used at this time)
> >
> > Hope to hear from someone soon....
> > Thanks
> > Frank
> >
> > <logsPic1.jpg>
> > <logsPic2.jpg>
> > <20070619-125912-O4wcMawQAqYAAARIw2MAAAD2.txt>
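As an added example (not code from the thread, and not ModSecurity's own), a small Python parser for the two formats the thread contrasts: it tells whether an "index" file still carries section boundaries (Ryan's Serial-vs-Concurrent test), splits a concurrent index line into the fields the 1.9.3 docs list, checks the recorded size and md5 against the per-transaction file, and pulls rule ids out of the H section's "Message:" lines. The sample transaction file and index line are constructed; the 1a2b3c4d boundary and rule ids 123 and 456 are hypothetical.

```python
import hashlib, re
# Index line: vcombined fields, then unique_id, session_id, filename, offset, size, md5.
INDEX_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d+) (?P<bytes>\S+) "[^"]*" "[^"]*" '
    r'(?P<unique_id>\S+) (?P<session_id>\S+) (?P<filename>\S+) '
    r'(?P<offset>\d+) (?P<size>\d+) md5:(?P<md5>[0-9a-f]{32})$')
SECTION_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$', re.M)  # e.g. --f2516a06-A--
RULE_ID_RE = re.compile(r'\[\s*id "(?P<id>[^"]+)"\s*\]')      # [id "123"] or [ id "123" ]

# Constructed sample transaction file and index line (hypothetical ids 123/456; size+md5 computed to agree).
SAMPLE_ENTRY = (
    b"--1a2b3c4d-A--\n[27/Jun/2007:12:25:00 -0400] O4wcMawQAqYAAARIw2MAAAD2 10.0.0.5 51234 10.0.0.1 80\n"
    b"--1a2b3c4d-B--\nGET /index.asp?q=test HTTP/1.1\nHost: www.example.com\n\n"
    b"--1a2b3c4d-H--\n"
    b'Message: Warning. Pattern match "x" at ARGS:q. [id "123"] [severity "WARNING"]\n'
    b'Message: Access denied with code 403 (phase 2). [id "456"]\n--1a2b3c4d-Z--\n')
SAMPLE_INDEX_LINE = (
    'www.example.com 10.0.0.5 - - [27/Jun/2007:12:25:00 -0400] '
    '"GET /index.asp?q=test HTTP/1.1" 403 212 "-" "-" O4wcMawQAqYAAARIw2MAAAD2 "-" '
    '/20070627/20070627-1225/20070627-122500-O4wcMawQAqYAAARIw2MAAAD2 0 '
    f'{len(SAMPLE_ENTRY)} md5:{hashlib.md5(SAMPLE_ENTRY).hexdigest()}')

def index_is_serial(index_text):
    # Ryan's check: section boundaries inside the "index" file mean the type is still Serial.
    return SECTION_RE.search(index_text) is not None

def parse_index_line(line):
    m = INDEX_RE.match(line.strip())
    if not m:
        raise ValueError("not a concurrent index line: " + line)
    d = m.groupdict()
    d["offset"], d["size"] = int(d["offset"]), int(d["size"])
    return d

def verify_entry(index_fields, entry_bytes):
    """Integrity check: stored size and MD5 must match the transaction file's bytes."""
    return (len(entry_bytes) == index_fields["size"]
            and hashlib.md5(entry_bytes).hexdigest() == index_fields["md5"])

def split_sections(entry_text):
    p = SECTION_RE.split(entry_text)  # [pre, boundary, letter, body, boundary, letter, body, ...]
    return {p[i + 1]: p[i + 2].strip() for i in range(1, len(p) - 2, 3)}

def rule_ids(entry_text):
    """Rule ids from 'Message:' lines of the H section: the input for tuning false positives."""
    h = split_sections(entry_text).get("H", "")
    return [RULE_ID_RE.search(l).group("id") for l in h.splitlines()
            if l.startswith("Message:") and RULE_ID_RE.search(l)]
```

A mismatch from verify_entry on a real index means the per-transaction file was truncated or altered after ModSecurity wrote it, which is worth alerting on before trusting the entry for tuning.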