[client <ip address>] field is missing in modsec_audit.log in section H
#3174
Comments
n-rodriguez
changed the title
[client <ip address>] field is missing in modsec_audit.log in section H[client <ip address>] field is missing in modsec_audit.log in section H
|
Hi @n-rodriguez, thanks for reporting!
it's definitely not a bug - it's by feature.
but not that format. where the field
[...] Thanks for examples, those helped me understand the issue. could you show us how looks like the The expected setting is this: so you must set up the severity, which should be I'm almost sure you don't have any severity, then the default value is applied (
In this example the
I'm not sure this is a good idea globally - just think about other users who already has their own logparser subsystem, and now an update changes the existing log format. Btw I don't know exactly is that a tradition or not, but all log entry starts with the string "ModSecurity: ...". It's true in both case of engines: mod_security2 and libmodsecurity3. A parser could know that "this is the entry point" :) Moreover, audit log is a very special type of log, so I'm sure everyone who uses that to analyze the traffic can extract every necessary info, including client IP. And therefore it would be good to break this format.
Beside the others this is not so elegant way to solve this problem. If a line is not necessary, then you should remove it, not just make a comment. But if you follow the function call stack, you can see that this function is at the end. There are some other implementations of Hope this helped to clarify the context. |
Thanks for the hint. It helps but it's not perfect : log entries appear twice in Nginx 2024/06/20 22:15:23 [info] 93593#93593: *2 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/data/nginx/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "556"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.3.27.225"] [uri "/"] [unique_id "171891452325.138961"] [ref "o1,6v10,7t:cmdLine,t:normalizePath"], client: 10.3.24.3, server: _, request: "GET /?bar=/bin/sh HTTP/1.1", host: "test-waf01"
2024/06/20 22:15:23 [info] 93593#93593: *2 ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/data/nginx/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.3.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "10.3.27.225"] [uri "/"] [unique_id "171891452325.138961"] [ref ""], client: 10.3.24.3, server: _, request: "GET /?bar=/bin/sh HTTP/1.1", host: "test-waf01"
2024/06/20 22:15:23 [info] 93593#93593: *2 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/data/nginx/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "556"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "10.3.27.225"] [uri "/"] [unique_id "171891452354.440282"] [ref "o1,6v10,7t:cmdLine,t:normalizePath"], client: 10.3.24.3, server: _, request: "GET /?bar=/bin/sh HTTP/1.1", host: "test-waf01"
2024/06/20 22:15:23 [info] 93593#93593: *2 ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/data/nginx/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.3.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "10.3.27.225"] [uri "/"] [unique_id "171891452354.440282"] [ref ""], client: 10.3.24.3, server: _, request: "GET /?bar=/bin/sh HTTP/1.1", host: "test-waf01"
2024/06/20 22:15:23 [info] 93593#93593: *2 client 10.3.24.3 closed keepalive connectionThe only differences are the [unique_id "171891452325.138961"]
[unique_id "171891452354.440282"]Btw I think it should be documented somewhere.
yes
I agree
I'd love to see how you do that
Of course, it was just for testing ;) |
so, THIS is a known bug 😄!
thanks,
I don't know - I never use audit log to check the traffic. All necessary info is in error.log. I use libmsclogparser to parse log entries. In case of Apache (mod_security2) there are some special info which appear only in error.log, but not in audit.log. |
|
What I don't understand is : under which conditions Because it seems that this code is never called (=> the if (props & ClientLogMessageInfo) {
msg.append("[client " + std::string(*rm->m_clientIpAddress.get()) + "] ");
}or I'm missing something... |
I'm not sure there is any call where that condition fits.
yes, you are right.
no, you don't miss anything. This function (if I'm right) never called directly, only the |
Well... IMHO this function is called because my patch works but this condition |
Meanwhile I corrected that sentence and appended the "directly" word... |
Seems like it was in (or before) 2020 - may be then that function was called directly. Or the author had some similar patch like yours. I'm not sure it worth to waste any time to figure out the reason of that log entry. Update: please take a look this commit - before this there was a similar method with different name, then the mentioned field was always appended to the log. |
Nice catch 👍 |
|
Hi @n-rodriguez, do you have any idea how should we solve this (if we need to do that at all)? Cc: @eduar-hte. |
|
Hi @airween! we finally solved this by setting Log entries still appear twice in Nginx I think we can close this issue. Thank you! |
Hi there!
I don't know if it's a bug but the
[client <ip address>]field is missing inmodsec_audit.loginsection H.I know the client ip address is present in
section Abut it's not very handy to use because it forces you to do some correlations between the different sections especially when the logs reach our Graylog server :section Acontains the client ipsection Hthe actual error/reason for denyOn the other side, Nginx error logs do contain the client ip but :
SecRuleEngineis set toOn=> it doesn't fill Nginx error logs inDetectionOnlymodeExample :
Detection mode :
modsec_audit.log:Nginx
error.log: emptyBlock mode :
modsec_audit.log:Nginx
error.log:It would be nice to have the client ip in
modsec_audit.loglike :To do so I've rebuilt the Debian package with a small patch :
It seems to work in both mode (Detection mode and Block mode, the logs above were generated with this patch) but I'd like to have your opinion on this.
Thank you!
The text was updated successfully, but these errors were encountered: