Thread: [Mod-security-developers] mlogc-batch-load rex problem in section A
From: Ebrahim K. <kha...@au...> - 2012-01-02 15:41:44
Hi,
Due to some problems with piping mlogc with Apache, I decided to use mlogc-batch-load.pl on crontab. I installed modsecurity-apache_2.6.2 and it works correctly and generates audit log files like this:
--3f82651b-A--
[01/Jan/2012:15:11:28 +031800] 8lbP5n8AAAIAABL0J7gAAAAD 172.20.125.77 22409 172.20.125.126 80
--3f82651b-B--
GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1
Then I ran mlogc-batch-load.pl, which couldn't send audit logs to AuditConsole and generated an error like this:
[Mon Jan 02 17:41:33 2012] [2] [28961/80d4e50] Invalid entry (failed to match regex): waf - - - - \"GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1\" 500 602 \"-\" \"-\" - \"-\" /20120102/20120102-1714/20120102-171401-xm8Xqn8AAAIAAG9lIs8AAAAD 0 1653 md5:e7fe62f1bf231a6993e5623a7b872b61
I installed modsecurity-apache_2.6.3 and it generated audit log files like this:
--cc123a05-A--
[02/Jan/2012:17:14:01 +0330] xm8Xqn8AAAIAAG9lIs8AAAAD 172.20.125.77 36872 172.20.125.126 80
--cc123a05-B--
GET /%3Cscript%3Etest%3C/script%3E HTTP/1.1
I ran mlogc-batch-load.pl and the same error was generated.
I found out that mlogc-batch-load.pl couldn't parse these audit logs correctly, and fortunately I could find the line that has this problem, which is:
if ($sect eq 'A') {
    if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {
The regular expression for matching my audit logs is not correct. My audit logs have a time field like [01/Jan/2012:15:11:28 +031800] for 2.6.2 and [02/Jan/2012:17:14:01 +0330] for 2.6.3, neither of which can match \[[-\d/: a-zA-Z]{27}\]. I changed the above line to the one below and the audit logs were sent correctly:
if ($sect eq 'A') {
    #if ($line =~ m%^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {
    if ($line =~ m%^(\[[^:]+:\d+:\d+:\d+ [^\]]+\]) (\S+) (\S+) (\d+) (\S+) (\d+)%) {
Is it a bug in the mlogc-batch-load.pl file or a problem with my system date/time?!
Best Regards,
khalilzadeh
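The section A header parsing this post is about, as an added example (Python instead of the script's Perl; not code from mlogc-batch-load.pl itself): the fixed-width pattern quoted above beside Ebrahim's replacement, run over the two header lines from the post plus a constructed line with a negative UTC offset. Field names and the helper functions are assumptions made for the demo.

```python
import re

# Section A header of a ModSecurity audit log entry:
#   [timestamp] unique_id source_ip source_port dest_ip dest_port
# FIXED_WIDTH is the pattern quoted from mlogc-batch-load.pl in the post;
# RELAXED is the replacement Ebrahim proposed. Note that FIXED_WIDTH's
# character class [-\d/: a-zA-Z] contains no '+' and demands exactly 27
# characters between the brackets.
FIXED_WIDTH = re.compile(r'^(\[[-\d/: a-zA-Z]{27}\]) (\S+) (\S+) (\d+) (\S+) (\d+)')
RELAXED = re.compile(r'^(\[[^:]+:\d+:\d+:\d+ [^\]]+\]) (\S+) (\S+) (\d+) (\S+) (\d+)')

# Constructed sample header lines: the two from the post (the +031800 offset
# is what 2.6.2 wrote, +0330 what 2.6.3 wrote) and one west-of-UTC line with
# a placeholder unique id.
SAMPLES = [
    "[01/Jan/2012:15:11:28 +031800] 8lbP5n8AAAIAABL0J7gAAAAD 172.20.125.77 22409 172.20.125.126 80",
    "[02/Jan/2012:17:14:01 +0330] xm8Xqn8AAAIAAG9lIs8AAAAD 172.20.125.77 36872 172.20.125.126 80",
    "[02/Jan/2012:08:14:01 -0500] ZZZZZZZZZZZZZZZZZZZZZZZZ 10.0.0.5 51000 10.0.0.9 443",
]


def parse_section_a(line, pattern=RELAXED):
    """Return the section A fields as a dict, or None when the line does not
    match; the None case is what the script reports as
    'Invalid entry (failed to match regex)'."""
    m = pattern.match(line)
    if m is None:
        return None
    ts, uid, src, sport, dst, dport = m.groups()
    return {"timestamp": ts, "unique_id": uid, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}


def compare(lines):
    """For each line, (fixed-width pattern matches?, relaxed pattern matches?)."""
    return [(FIXED_WIDTH.match(l) is not None, parse_section_a(l) is not None)
            for l in lines]


if __name__ == "__main__":
    for line, (fixed, relaxed) in zip(SAMPLES, compare(SAMPLES)):
        print(f"fixed={str(fixed):5} relaxed={str(relaxed):5} {line.split(']')[0]}]")
```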
From: Breno S. <bre...@gm...> - 2012-01-02 15:57:38
Hi Ebrahim,
Thanks for your feedback. There was a problem in the ModSecurity timestamp math
and it was changed in 2.6.3.
Any chance you could send me a patch?
Thanks
Breno
From: Breno S. <bre...@gm...> - 2012-01-02 16:22:42
Created MODSEC-282