Thread: Re: [mod-security-users] custom access logs and mod_security-relevant
From: Jim H. - U. H. <hos...@uu...> - 2007-11-07 03:12:27
> -----Original Message-----
> From: Ryan Barnett [mailto:Ryan.Barnett@Breach.com]
>
> > I can't figure out how to match entries in the modsec_debug.log with
> > entries in the modsec_audit.log, except by exact time.
> [Ryan Barnett] This is a bit kludgy, but you can match up the entries in
> the modsec_debug.log with the modsec_audit.log by correlating the
> mod_unique_id info. For instance, you can grab the unique_id from the
> "A" line of the modsec_audit.log entry -
>
> --7aad7935-A--
> [22/Jun/2007:22:25:03 --0400] fL36e8CoD4QAAHDzAkoAAAAA 192.168.10.16
> 2684 192.168.10.27 80
>
> Then, if you grep for the unique_id string in the modsec_debug.log file,
> you will get the 1st entry where it lists the same unique_id string -
>
> # grep fL36e8CoD4QAAHDzAkoAAAAA modsec_debug.log
> [22/Jun/2007:22:25:03 --0400]
> [webapphoneypot/sid#8423f48][rid#85931b8][/cgi-bin/foo.php][4]
> Initialising transaction (txid fL36e8CoD4QAAHDzAkoAAAAA).

My modsec_debug.log entries don't have the txid:

[04/Nov/2007:01:48:48 --0600] [www.xxxx.net/sid#828de708][rid#8478fa08][/modules/coppermine/themes/default/theme.php][1] Access denied with code 501 (phase 2). Pattern match "\\bwget\\b" at ARGS:cmd. [id "950907"] [msg "System Command Injection. Matched signature <wget>"] [severity "CRITICAL"]

> > How do I restrict the modsec_custom.log to just errors? All I am getting
> > is the Code 200 messages.
> [Ryan Barnett] Are there ModSecurity message entries in the error_log
> file?

Yes. They are just moved:

# tail -1000 /home/virtual/<domain-name>/var/log/httpd/error_log | grep denied
[Sun Nov 04 11:17:44 2007] [error] [client 212.0.109.103] ModSecurity: Access denied with code 500 (phase 2). Match of "rx ^[0-9a-z]*$" against "ARGS:PHPSESSID" required. [hostname "szentegyhaza.unitarius-halo.net"] [uri "/vlahica2003/vendegkonyv/."] [unique_id "k-y5@kVeaLQAAH-iCYoAAAAj"]

I usually look at the debug file:

# tail -1000 modsec_debug.log | grep denied | grep "11:17:44"
[04/Nov/2007:11:17:44 --0600] [www.<domain-name>/sid#828de708][rid#837749d0][/vlahica2003/vendegkonyv/][1] Access denied with code 500 (phase 2). Match of "rx ^[0-9a-z]*$" against "ARGS:PHPSESSID" required.

I think I found my problem. I put my SecDefaultAction in modsecurity_crs_10_config.conf, not modsecurity_crs_40_generic_attacks.conf.

How do I override the SecDefaultAction value in modsecurity_crs_40_generic_attacks.conf without modifying modsecurity_crs_40_generic_attacks.conf? I have been good about not changing my config files, except modsecurity_crs_15_customrules.conf and modsecurity_crs_95_customrules.conf.

Thanks for the help.

Jim
-----
Jim Hermann <hostmaster@UUism.net>
UUism Networks <http://www.UUism.net>
Ministering to the Needs of Online UUs
Web Hosting, Email Services, Mailing Lists
-----
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-11-29 18:17:30
> -----Original Message-----
> From: Jim Hermann - UUN Hostmaster [mailto:hos...@uu...]
> Sent: Tuesday, November 06, 2007 10:05 PM
> To: Ryan Barnett; mod...@li...
> Subject: RE: [mod-security-users] custom access logs and mod_security-relevant
>
> > -----Original Message-----
> > From: Ryan Barnett [mailto:Ryan.Barnett@Breach.com]
> >
> > > I can't figure out how to match entries in the modsec_debug.log with
> > > entries in the modsec_audit.log, except by exact time.
> > [Ryan Barnett] This is a bit kludgy, but you can match up the entries in
> > the modsec_debug.log with the modsec_audit.log by correlating the
> > mod_unique_id info. For instance, you can grab the unique_id from the
> > "A" line of the modsec_audit.log entry -
> >
> > --7aad7935-A--
> > [22/Jun/2007:22:25:03 --0400] fL36e8CoD4QAAHDzAkoAAAAA 192.168.10.16
> > 2684 192.168.10.27 80
> >
> > Then, if you grep for the unique_id string in the modsec_debug.log file,
> > you will get the 1st entry where it lists the same unique_id string -
> >
> > # grep fL36e8CoD4QAAHDzAkoAAAAA modsec_debug.log
> > [22/Jun/2007:22:25:03 --0400]
> > [webapphoneypot/sid#8423f48][rid#85931b8][/cgi-bin/foo.php][4]
> > Initialising transaction (txid fL36e8CoD4QAAHDzAkoAAAAA).
>
> My modsec_debug.log entries don't have the txid:
>
> [04/Nov/2007:01:48:48 --0600] [www.xxxx.net/sid#828de708][rid#8478fa08][/modules/coppermine/themes/default/theme.php][1] Access denied with code 501 (phase 2). Pattern match "\\bwget\\b" at ARGS:cmd. [id "950907"] [msg "System Command Injection. Matched signature <wget>"] [severity "CRITICAL"]
>

[Ryan Barnett] You would need to increase the SecDebugLog to at least 4 to get this txid line.

>
> I think I found my problem. I put my SecDefaultAction in
> modsecurity_crs_10_config.conf, not
> modsecurity_crs_40_generic_attacks.conf.
>
> How do I override the SecDefaultAction value in
> modsecurity_crs_40_generic_attacks.conf without modifying
> modsecurity_crs_40_generic_attacks.conf? I have been good about not
> changing my config files, except modsecurity_crs_15_customrules.conf and
> modsecurity_crs_95_customrules.conf.
>

[Ryan Barnett] In this context, you will probably need to just go ahead and edit the SecDefaultAction in that file, as there is no easy way to override that directive by setting a rule in another file.
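A worked correlation of the two log formats discussed in this thread, added here as an example; it is not code from the thread or from the ModSecurity project. It parses the "A" section of a serial-format modsec_audit.log into unique_ids, parses the [timestamp] [host/sid#][rid#][uri][level] prefix of modsec_debug.log, ties debug lines to a unique_id through the level-4 "Initialising transaction (txid ...)" line that Ryan points at, and when that line is absent (debug level below 4, Jim's situation) falls back to the timestamp match he was using, flagging it as ambiguous when more than one audit entry shares the same second. The sample log lines are constructed from the entries quoted above; the second unique_id, the second audit entry and the "B" section are made up. The assumption that rid# stays constant for all lines of one request (it is treated here as a per-request identifier, and may be reused by a later request) is mine, not something the thread states.

```python
import re

# Constructed sample data, modelled on the log entries quoted in this thread.
AUDIT_LOG = r"""--7aad7935-A--
[22/Jun/2007:22:25:03 --0400] fL36e8CoD4QAAHDzAkoAAAAA 192.168.10.16 2684 192.168.10.27 80
--7aad7935-B--
GET /cgi-bin/foo.php?cmd=wget HTTP/1.1
Host: webapphoneypot

--7aad7935-Z--

--7aad7936-A--
[22/Jun/2007:22:25:09 --0400] gQ9XeMCoD4QAAHD0BlAAAAAB 192.168.10.16 2685 192.168.10.27 80
--7aad7936-Z--
"""

# Debug log at level 4: the txid line is present. The second request reuses rid#85931b8.
DEBUG_LOG_LEVEL4 = r"""[22/Jun/2007:22:25:03 --0400] [webapphoneypot/sid#8423f48][rid#85931b8][/cgi-bin/foo.php][4] Initialising transaction (txid fL36e8CoD4QAAHDzAkoAAAAA).
[22/Jun/2007:22:25:03 --0400] [webapphoneypot/sid#8423f48][rid#85931b8][/cgi-bin/foo.php][1] Access denied with code 501 (phase 2). Pattern match "\\bwget\\b" at ARGS:cmd. [id "950907"] [msg "System Command Injection. Matched signature <wget>"] [severity "CRITICAL"]
[22/Jun/2007:22:25:09 --0400] [webapphoneypot/sid#8423f48][rid#85931b8][/index.php][4] Initialising transaction (txid gQ9XeMCoD4QAAHD0BlAAAAAB).
"""

# Debug log at level 1: only the denial is written, no txid line (Jim's case).
DEBUG_LOG_LEVEL1 = r"""[22/Jun/2007:22:25:03 --0400] [webapphoneypot/sid#8423f48][rid#85931b8][/cgi-bin/foo.php][1] Access denied with code 501 (phase 2). Pattern match "\\bwget\\b" at ARGS:cmd. [id "950907"] [msg "System Command Injection. Matched signature <wget>"] [severity "CRITICAL"]
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
AUDIT_A = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)$")
DEBUG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#(?P<sid>[0-9a-f]+)\]"
                        r"\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$")
TXID = re.compile(r"Initialising transaction \(txid (?P<uid>\S+)\)\.")


def parse_audit(text):
    """Return {unique_id: {ts, client, client_port, server, server_port}} from the A sections."""
    entries, section = {}, None
    for line in text.splitlines():
        b = BOUNDARY.match(line)
        if b:
            section = b.group(2)
            continue
        if section == "A":
            a = AUDIT_A.match(line)
            if a:
                entries[a["uid"]] = {"ts": a["ts"], "client": a["cip"], "client_port": int(a["cport"]),
                                     "server": a["sip"], "server_port": int(a["sport"])}
    return entries


def parse_debug(text):
    """Parse debug-log lines and tag each with the unique_id of its transaction, if known.

    The txid is only written at debug level 4 or higher. Later lines of the same
    transaction carry the same rid#, which is assumed here to be a per-request
    identifier, so the unique_id is propagated to them until the next txid line
    reuses that rid#.
    """
    lines, current = [], {}  # current: rid -> unique_id of the request currently using it
    for raw in text.splitlines():
        m = DEBUG_LINE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        rec["level"] = int(rec["level"])
        t = TXID.search(rec["msg"])
        if t:
            current[rec["rid"]] = t["uid"]
        rec["unique_id"] = current.get(rec["rid"])
        lines.append(rec)
    return lines


def debug_level_sufficient(debug_lines):
    """True if any txid line was seen, i.e. the debug level was at least 4 when logging."""
    return any(TXID.search(l["msg"]) for l in debug_lines)


def correlate(audit, debug_lines):
    """Attach debug lines to each audit entry.

    Preferred: match on unique_id (needs the level-4 txid line). Fallback: the
    'kludgy' timestamp match, which is ambiguous whenever several audit entries
    share the same second; the result records the method used and that flag.
    """
    ts_count = {}
    for e in audit.values():
        ts_count[e["ts"]] = ts_count.get(e["ts"], 0) + 1
    result = {}
    for uid, entry in audit.items():
        by_id = [l for l in debug_lines if l["unique_id"] == uid]
        if by_id:
            result[uid] = {"method": "unique_id", "ambiguous": False, "lines": by_id}
            continue
        by_ts = [l for l in debug_lines if l["ts"] == entry["ts"] and l["unique_id"] is None]
        result[uid] = {"method": "timestamp" if by_ts else "none",
                       "ambiguous": ts_count[entry["ts"]] > 1, "lines": by_ts}
    return result


if __name__ == "__main__":
    audit = parse_audit(AUDIT_LOG)
    for name, log in (("level 4", DEBUG_LOG_LEVEL4), ("level 1", DEBUG_LOG_LEVEL1)):
        lines = parse_debug(log)
        print(name, "txid lines present:", debug_level_sufficient(lines))
        for uid, r in correlate(audit, lines).items():
            print("  ", uid, r["method"], "ambiguous" if r["ambiguous"] else "", len(r["lines"]), "lines")
```

To use it on real files, read modsec_audit.log and modsec_debug.log in place of the constants. When every entry comes back with method "timestamp" or "none" and debug_level_sufficient() is False, the debug log was written below level 4 and the txid line Ryan describes is simply not there, which is the signal to raise the debug level rather than to keep matching on seconds.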