Hello,
I'm using nginx 1.9.x with the modsecurity refactoring version, but I'm
having trouble with the modsecurity audit log: where the origin IP should
be, I'm getting my hostname (waf).
Does anybody know how to get the source IP for the blocked request?
Audit Log:
[27/Feb/2018:16:26:45 --0300]
[waf/sid#7f34b85370a0][rid#7f34b01fb0a0][/botellas.php][1] Access denied
with code 403 (phase 2). Pattern match
"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
at ARGS:id. [file
"/opt/waf/nginx/etc/modsec_rules/www.vinicas.cl/enabled_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common
Injection Testing Detected"] [data "Matched Data: '' found within
ARGS:id: ''"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity
"9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"]
[tag "PCI/6.5.2"]
Cheers!
--
Chris