Thread: [mod-security-users] Strange Logs
From: Christian M. <cma...@is...> - 2005-06-28 15:35:25
Hi, I was trying some logs for the modsecurity Console, and I found these entries (generated by Nikto):

Why is there no Modsecurity_message?
Why is there no Action?
Why is the Handler sometimes proxy-server, and other times null?

Any ideas?

BTW, I'm using modsecurity 1.9 Dev2 + mod_proxy.

Thanks in advance
Christian

================================================
Request: 10.10.0.XXX - - [28/Jun/2005:17:11:31 +0200] "GET /..\\..\\..\\..\\..\\..\\temp\\temp.class HTTP/1.0" 403 32
Handler: proxy-server
----------------------------------------
GET /..\\..\\..\\..\\..\\..\\temp\\temp.class HTTP/1.0
Content-Length: 0
User-Agent: Mozilla/4.75 (Nikto/1.34 )
Host: www.myhost.com
Max-Forwards: 10
X-Forwarded-For: 10.10.0.XXX
X-Forwarded-Host: www.myhost.com
X-Forwarded-Server: www.myhost.com

0

HTTP/1.0 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 32
Connection: close
================================================
Request: 10.10.0.xxx - - [28/Jun/2005:17:11:30 +0200] "GET /../webserver.ini HTTP/1.0" 400 302
Handler: (null)
----------------------------------------
GET /../webserver.ini HTTP/1.0
Connection: Keep-Alive
Content-Length: 0
User-Agent: Mozilla/4.75 (Nikto/1.34 )
Host: www.myhost.com

28 [POST payload not available]

HTTP/1.0 400 Bad Request
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1
================================================
Request: 10.10.0.xxx - - [28/Jun/2005:17:11:30 +0200] "GET /../config.dat HTTP/1.0" 400 302
Handler: (null)
----------------------------------------
GET /../config.dat HTTP/1.0
Connection: Keep-Alive
Content-Length: 0
User-Agent: Mozilla/4.75 (Nikto/1.34 )
Host: www.myhost.com

28 [POST payload not available]

HTTP/1.0 400 Bad Request
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1
================================================

-- 
______________________________
Christian Martorella
e-Security Engineer
cma...@is...

Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com
____________________________________

This message and any documents attached to it may contain confidential information. Anyone who receives it in error is therefore informed that the information it contains is reserved and that its unauthorised use is legally prohibited; in that case we ask you to notify us by the same means or by telephone (93 305 13 18), to refrain from making copies of the message or forwarding or handing it to another person, and to delete it immediately. In compliance with Organic Law 15/1999 of 13 December on the protection of personal data, Internet Security Auditors S.L. informs you that your personal data have been included in computerised files owned by Internet Security Auditors S.L., which will be the sole recipient of those data and whose exclusive purpose is client management and commercial communication, and that you may exercise the rights of access, rectification, cancellation and objection provided for by law by letter addressed to Internet Security Auditors, c. Santander, 101. Edif. A. 2º 1ª, 08030 Barcelona, or by e-mail to the following address: le...@is...

From: Ivan R. <iv...@we...> - 2005-06-28 15:40:21
Christian Martorella wrote:
> Hi i was trying some logs for the modsecurity Console, and i found these
> entries (generated by Nikto):
> Why there is not Modsecurity_message?
> Why there is no Action?

modsecurity 1.9dev2 logs certain requests based only on the response status code (I will change this to be just an option before the final 1.9). So it is probable that Apache rejected those requests before they reached mod_security. You can verify this theory by looking at the debug log (at level 2 or more).

> Why sometimes the Handler is proxy-server, and others null?

Sometimes a request can be rejected before Apache decides what to do with it. In such cases, the handler is still unknown.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

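The distinction Ivan draws above (entries written purely because of the response status code, with no mod_security message or action, versus entries where mod_security itself acted) is easy to pull out of the audit log mechanically. The following is an added example, not code from the thread or from the ModSecurity project: it parses entries in the 1.x audit-log layout shown in Christian's post and sorts them into three buckets. The first two sample entries are copied from the thread; the third is constructed, and the header names mod_security-message and mod_security-action, plus the "cgi-script" handler, are assumptions about what 1.x writes when a filter fires.

```python
"""Sort mod_security 1.x audit-log entries by whether mod_security acted."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input. Entries 1 and 2 reproduce the Nikto entries from the
# thread (client addresses as posted); entry 3 is constructed and assumes the
# mod_security-message / mod_security-action lines 1.x adds when a filter fires.
SAMPLE_AUDIT_LOG = r"""
================================================
Request: 10.10.0.XXX - - [28/Jun/2005:17:11:31 +0200] "GET /..\\..\\..\\..\\..\\..\\temp\\temp.class HTTP/1.0" 403 32
Handler: proxy-server
----------------------------------------
GET /..\\..\\..\\..\\..\\..\\temp\\temp.class HTTP/1.0
Content-Length: 0
User-Agent: Mozilla/4.75 (Nikto/1.34 )
Host: www.myhost.com
X-Forwarded-For: 10.10.0.XXX

0

HTTP/1.0 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 32
Connection: close
================================================
Request: 10.10.0.xxx - - [28/Jun/2005:17:11:30 +0200] "GET /../webserver.ini HTTP/1.0" 400 302
Handler: (null)
----------------------------------------
GET /../webserver.ini HTTP/1.0
Connection: Keep-Alive
Content-Length: 0
User-Agent: Mozilla/4.75 (Nikto/1.34 )
Host: www.myhost.com

28 [POST payload not available]

HTTP/1.0 400 Bad Request
Content-Length: 302
Connection: close
================================================
Request: 10.10.0.xxx - - [28/Jun/2005:17:12:05 +0200] "GET /cgi-bin/test.cgi HTTP/1.0" 403 32
Handler: cgi-script
----------------------------------------
GET /cgi-bin/test.cgi HTTP/1.0
User-Agent: Mozilla/4.75 (Nikto/1.34 )
Host: www.myhost.com
mod_security-message: Access denied with code 403. Pattern match "Nikto" at HEADER("User-Agent")
mod_security-action: 403

0

HTTP/1.0 403 Forbidden
Content-Length: 32
Connection: close
================================================
"""

SEPARATOR_RE = re.compile(r"^={20,}\s*$")
REQUEST_RE = re.compile(r'^Request: (\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
HANDLER_RE = re.compile(r"^Handler: (.*)$")


@dataclass
class AuditEntry:
    client: str
    timestamp: str
    request_line: str
    status: int
    handler: Optional[str]            # None when the log says "(null)"
    request_headers: dict = field(default_factory=dict)
    modsec_message: Optional[str] = None
    modsec_action: Optional[str] = None


def split_entries(text: str) -> List[List[str]]:
    """Cut the log into per-entry line lists on the '====' separator lines."""
    blocks, current = [], []
    for line in text.splitlines():
        if SEPARATOR_RE.match(line):
            blocks.append(current)
            current = []
        else:
            current.append(line)
    blocks.append(current)
    return [b for b in blocks if any(l.strip() for l in b)]


def parse_entry(lines: List[str]) -> Optional[AuditEntry]:
    """Parse one entry: Request line, Handler line, then request headers up to the blank line."""
    it = iter(lines)
    entry = None
    for line in it:
        m = REQUEST_RE.match(line)
        if m:
            entry = AuditEntry(client=m.group(1), timestamp=m.group(2),
                               request_line=m.group(3), status=int(m.group(4)), handler=None)
            break
    if entry is None:
        return None
    for line in it:
        m = HANDLER_RE.match(line)
        if m:
            h = m.group(1).strip()
            entry.handler = None if h in ("(null)", "") else h
        if line.startswith("----"):
            break
    next(it, None)  # the request line is repeated before the headers; skip it
    for line in it:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "mod_security-message":
            entry.modsec_message = value
        elif name == "mod_security-action":
            entry.modsec_action = value
        else:
            entry.request_headers[name] = value
    return entry


def parse_audit_log(text: str) -> List[AuditEntry]:
    return [e for e in (parse_entry(b) for b in split_entries(text)) if e is not None]


def classify(entry: AuditEntry) -> str:
    """Apply the explanation from the thread: no message means mod_security never acted."""
    if entry.modsec_message is not None:
        return "filtered-by-mod_security"
    if entry.handler is None:
        return "rejected-before-handler-selection"   # Apache core refused it early
    return "status-code-logging-only"                # logged only because of the status code


def summarize(text: str) -> List[tuple]:
    return [(e.request_line, e.status, e.handler, classify(e)) for e in parse_audit_log(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT_LOG):
        print(row)
```

Run on the sample, the two thread entries land in the "status-code-logging-only" and "rejected-before-handler-selection" buckets, so a Nikto scan can be reviewed for what Apache itself refused versus what the filters caught; the debug log at level 2 or more, as Ivan suggests, is where the reason for the early rejection is recorded.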
From: Christian M. <cma...@is...> - 2005-06-28 15:43:57
Ivan Ristic wrote:
> Christian Martorella wrote:
>
>> Hi i was trying some logs for the modsecurity Console, and i found
>> these entries (generated by Nikto):
>> Why there is not Modsecurity_message?
>> Why there is no Action?
>
> modsecurity 1.9dev2 logs certain requests based only on the
> response status code (I will change this to be just an option before
> the final 1.9). So it is probably that Apache rejected
> those requests before they reached mod_security. You can verify
> this theory by looking at the debug log (at level 2 or more).

Fine, so why did Apache reject those requests before they reached modsecurity? :)

>> Why sometimes the Handler is proxy-server, and others null?
>
> Sometimes a request can be rejected before Apache decides what
> to do with it. In such cases, the handler is still unknown.

Ok. Thanks!

-- 
_________________________________
Christian Martorella
e-Security Engineer
cma...@is...

Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com

From: Ivan R. <iv...@we...> - 2005-06-28 15:48:08
Christian Martorella wrote:
> Ivan Ristic wrote:
>
>> Christian Martorella wrote:
>>
>>> Hi i was trying some logs for the modsecurity Console, and i found
>>> these entries (generated by Nikto):
>>> Why there is not Modsecurity_message?
>>> Why there is no Action?
>>
>> modsecurity 1.9dev2 logs certain requests based only on the
>> response status code (I will change this to be just an option before
>> the final 1.9). So it is probably that Apache rejected
>> those requests before they reached mod_security. You can verify
>> this theory by looking at the debug log (at level 2 or more).
>
> Fine, so why apache rejected those requests, before reaching the
> modsecurity ? :)

Because at the moment mod_security runs last, just before the handler is run. I am thinking about moving mod_security to run first, but only in v2. It's not really clear which option is better. For example, if we run very early we don't get to access Apache's per-context configuration (e.g. <Location>). So in order to retain the same functionality we have now, the whole configuration mechanism would have to be replicated internally in modsecurity.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org