Setting Log Level for mod_security

Brian
Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Wed 26 Oct '05 20:19    Post subject: Setting Log Level for mod_security

It seems that since I upgraded to mod_security 1.9RC, any time a chained rule is matched, regardless of whether the rule was violated or not, it gets logged.

For example, in my mod_security settings for a PHPBB forum I have a rule:

Code:
SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$" chain
SecFilterSelective ARG_highlight "chr\("
SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$" chain
SecFilterSelective ARG_highlight "%27"

Perhaps I don't need this code with the upgraded PHPBB, but nevertheless here is what I am finding to be a problem. Any time a visitor views a topic, there is an entry in the security.log file, even though no action was taken because the rule was not violated.

Here is a part of the typical entry into the security.log:

Code:
==4d070000==============================
Request: bb.webbywarehouse.com 70.89.131.49 - - [26/Oct/2005:08:35:15 --0700] "GET /viewtopic.php?t=876&sid=xxxxxxxxxx3778f0025d061293bc34b HTTP/1.1" 200 5943 "(null)" "http://bb.webbywarehouse.com/" Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1 "-"
----------------------------------------
GET /viewtopic.php?t=876&sid=xxxxxxxxxx6dcf3778f0025d061293bc34b HTTP/1.1
Host: bb.webbywarehouse.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://bb.webbywarehouse.com/
Cookie: ww_login=xxxxxxxxxxxxxxxxxxxxxxxxxx; WebbyForum_data=xxxxxxxxxxxxxx11%3A%22autologinidxxxxxxxxxxx3A%22be682e63f5c2b2b99710a26644129c5a%22%3Bs%3A6%3A%22useridxxxxx3A2%3B%7D; WebbyForum_sid=xxxxxxxxxxx778f0025d061293bc34b
mod_security-message: Warning (chained rule). Pattern match "viewtopic\\.php$" at SCRIPT_FILENAME

HTTP/1.1 200 OK
X-Powered-By: PHP/4.4.0
Set-Cookie: WebbyForum_t=xxxxxxx%3A876%3Bi%3A1130340915%3B%7D; path=/
Cache-Control: private, pre-check=0, post-check=0, max-age=0
Expires: 0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 5943
Keep-Alive: timeout=20, max=214
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
--4d070000--
I added the xxxxxx just because ....

Please specifically note the:

mod_security-message: Warning (chained rule). Pattern match "viewtopic\\.php$" at SCRIPT_FILENAME

HTTP/1.1 200 OK


... where no action is taken, but the access is logged anyway. How can I force only blocked actions due to a specific rule violation to be blocked?

Thank you.
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

Posted: Wed 26 Oct '05 20:31

You should be able to add "nolog" to the rule to suppress it.

For example:

SecFilterSelective SCRIPT_FILENAME "viewtopic\.php$" nolog,chain


Steffen
Brian
Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Wed 26 Oct '05 20:40

Hi Steffen,

Your solution has been installed, tested, and found to be true. Your solution is what I was seeking.

Thank you very much. I now need to review the docs to see just why I did not realize that myself.

--
Brian
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

Posted: Thu 03 Nov '05 13:42

I got the following additional note from Ivan:
Ivan wrote:
> You should be able to add "nolog" to the rule to suppress it.

But this approach has some unexpected side-effects. If a rule
after the one with "nolog" triggers, the request will not be
recorded in the audit log. Although further attempts can be
made (with "auditlog") to restore this functionality, I have
decided to simply move the above warning to level 3 (from
level 1). This works as of 1.9RC4.

I don't expect any more RC releases so maybe you should not
upgrade to 1.9RC4. 1.9 stable will be released over the weekend.



Steffen
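The thread turns on two practical questions: telling the "Warning (chained rule)" entries apart from entries that record a real block in security.log, and, after Ivan's note about the "nolog" side-effect, checking that denied requests still reach the audit log at all. The following Python script is an added example and is not code from the thread or from the mod_security project. It parses audit-log entries in the "==id==" / "--id--" layout shown in Brian's post, collects the "mod_security-message:" lines of each entry and sorts entries into chained-rule noise, denials and everything else, which goes a little beyond the single warning entry on the page. The sample log is constructed: its first entry mirrors Brian's warning-only entry, while the layout of the second (denied) entry, with a second message line and a "mod_security-action:" line carrying the status, is assumed from the 1.x format and is not taken from the page.

```python
"""Triage a mod_security 1.x audit log (the security.log layout quoted above).

Entries are bracketed by ``==<id>====...`` and ``--<id>--`` lines. Inside
the request-header block mod_security appends one ``mod_security-message:``
line per logged filter match and, for a denied request, a
``mod_security-action:`` line with the response status (this last detail
is an assumption about the 1.x format, not something shown on the page).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENTRY_START = re.compile(r"^==([0-9a-fA-F]+)=+$")
ENTRY_END = re.compile(r"^--([0-9a-fA-F]+)--$")
CHAIN_WARNING = re.compile(r"^Warning \(chained rule\)\.")
MESSAGE_PREFIX = "mod_security-message: "
ACTION_PREFIX = "mod_security-action: "


@dataclass
class AuditEntry:
    entry_id: str
    request_line: str = ""
    messages: List[str] = field(default_factory=list)
    action: Optional[str] = None  # status from mod_security-action, if present

    def is_chain_noise(self) -> bool:
        """True when the entry exists only because part of a chain matched."""
        return (
            self.action is None
            and bool(self.messages)
            and all(CHAIN_WARNING.match(m) for m in self.messages)
        )


def parse_audit_log(text: str) -> List[AuditEntry]:
    """Split the audit log into entries; an unterminated trailing entry is dropped."""
    entries: List[AuditEntry] = []
    current: Optional[AuditEntry] = None
    for line in text.splitlines():
        start = ENTRY_START.match(line)
        if start:
            current = AuditEntry(entry_id=start.group(1))
            continue
        if current is None:
            continue
        end = ENTRY_END.match(line)
        if end and end.group(1) == current.entry_id:
            entries.append(current)
            current = None
        elif line.startswith("Request: "):
            # Request: <host> <client> - - [<date>] "<request line>" <status> ...
            quoted = re.search(r'"([^"]*)"', line)
            current.request_line = quoted.group(1) if quoted else line
        elif line.startswith(MESSAGE_PREFIX):
            current.messages.append(line[len(MESSAGE_PREFIX):].strip())
        elif line.startswith(ACTION_PREFIX):
            current.action = line[len(ACTION_PREFIX):].strip()
    return entries


def triage(text: str) -> Dict[str, List[AuditEntry]]:
    """Bucket entries: 'noise' (chained-rule warnings only), 'denied', 'other'."""
    buckets: Dict[str, List[AuditEntry]] = {"noise": [], "denied": [], "other": []}
    for entry in parse_audit_log(text):
        if entry.is_chain_noise():
            buckets["noise"].append(entry)
        elif entry.action is not None:
            buckets["denied"].append(entry)
        else:
            buckets["other"].append(entry)
    return buckets


# Constructed sample: the first entry mirrors the warning-only entry in
# Brian's post; the second is an assumed denial of a request that completes
# the chain. Hosts, addresses and sizes are invented.
SAMPLE_LOG = r"""==4d070000==============================
Request: bb.example.test 192.0.2.10 - - [26/Oct/2005:08:35:15 --0700] "GET /viewtopic.php?t=876 HTTP/1.1" 200 5943 "(null)" "http://bb.example.test/" Mozilla/5.0 "-"
----------------------------------------
GET /viewtopic.php?t=876 HTTP/1.1
Host: bb.example.test
mod_security-message: Warning (chained rule). Pattern match "viewtopic\\.php$" at SCRIPT_FILENAME

HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
--4d070000--
==4d070001==============================
Request: bb.example.test 198.51.100.7 - - [26/Oct/2005:08:36:02 --0700] "GET /viewtopic.php?t=876&highlight=chr(112) HTTP/1.1" 403 315 "(null)" "-" Mozilla/5.0 "-"
----------------------------------------
GET /viewtopic.php?t=876&highlight=chr(112) HTTP/1.1
Host: bb.example.test
mod_security-message: Warning (chained rule). Pattern match "viewtopic\\.php$" at SCRIPT_FILENAME
mod_security-message: Access denied with code 403. Pattern match "chr\\(" at ARG_highlight
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
--4d070001--
"""

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        for e in entries:
            last = e.messages[-1] if e.messages else "(no message)"
            print(f"{bucket:6s} {e.entry_id} {e.request_line} -> {last}")
```

Run against a real security.log, the "noise" bucket is exactly what Brian wanted out of the file; if, after adding "nolog" to the first rule of a chain, a request that should have been blocked turns up in neither "denied" nor "other", that is the side-effect Ivan describes.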