Question on entry in audit_log
Posted: Sat Oct 22, 2011 7:59 pm
modsecurity 2.5.13 - most recent delayed rules
I hope this shouldn't be obvious to me, but I'm trying to track down an entry that is found very frequently in my audit_log. The following entry, with little but time and sequence variation, makes up 9/10ths of my audit log.
I'm going to paste two that came back to back so you can get the idea. Please notice that the source and destination IP addresses are the same and are mine/the server's (the IP has been altered and is not the IP of my server, for reasons you understand) that these errors are being generated on. It doesn't give me any real indication I can see of the rule that is triggering this, so any help is much appreciated.
--3f38347e-A--
[22/Oct/2011:15:30:18 --0500] DuBW538AAAEAADRGGO8AAAAX 7X.5X.2X.6X 38206 7X.5X.2X.6X 80
--3f38347e-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X
--3f38347e-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.3.8
Content-Length: 3985
Content-Type: text/html
--3f38347e-H--
Apache-Handler: php5-script
Stopwatch: 1319315418666727 4128 (2003 3051 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (Red Hat)
--3f38347e-Z--
--9766ea18-A--
[22/Oct/2011:15:35:20 --0500] IODhI38AAAEAAC1QkOsAAAAA 7X.5X.2X.6X 38223 7X.5X.2X.6X 80
--9766ea18-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X
--9766ea18-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.3.8
Content-Length: 3985
Content-Type: text/html
--9766ea18-H--
Apache-Handler: php5-script
Stopwatch: 1319315720692003 4023 (1951 2986 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (Red Hat)
--9766ea18-Z--
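The entries above are in the ModSecurity 2.x serial audit log format: each transaction is bracketed by `--<id>-A--` ... `--<id>-Z--` boundaries, with part A carrying timestamp, unique id, source address/port and destination address/port, part B the request, part F the response headers, and part H the trailer, where a rule that blocks a request writes `Message:` lines (for example `Message: Access denied with code 403 ...`). The following parser is an added example written for this thread; it is not code from the poster or from the ModSecurity project. It splits a log into entries, extracts the fields a reader would use to triage them, and flags entries whose H part contains no `Message:` line at all, since those were not blocked by a ModSecurity rule and are most likely in the audit log only because the backend's 403 matched `SecAuditLogRelevantStatus` (that interpretation is the assumption behind the `blocked_by_modsecurity` flag). The sample log embedded in the block is constructed from the two entries quoted in the post.

```python
import re
from collections import Counter

# Constructed sample: the two entries quoted in the post above, IPs masked as there.
SAMPLE_LOG = """--3f38347e-A--
[22/Oct/2011:15:30:18 --0500] DuBW538AAAEAADRGGO8AAAAX 7X.5X.2X.6X 38206 7X.5X.2X.6X 80
--3f38347e-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X
--3f38347e-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.3.8
Content-Length: 3985
Content-Type: text/html
--3f38347e-H--
Apache-Handler: php5-script
Stopwatch: 1319315418666727 4128 (2003 3051 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (Red Hat)
--3f38347e-Z--
--9766ea18-A--
[22/Oct/2011:15:35:20 --0500] IODhI38AAAEAAC1QkOsAAAAA 7X.5X.2X.6X 38223 7X.5X.2X.6X 80
--9766ea18-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X
--9766ea18-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.3.8
Content-Length: 3985
Content-Type: text/html
--9766ea18-H--
Apache-Handler: php5-script
Stopwatch: 1319315720692003 4023 (1951 2986 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (Red Hat)
--9766ea18-Z--
"""

# Boundary line: --<hex id>-<part letter>--
BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part A: [timestamp] unique_id source_ip source_port dest_ip dest_port
PART_A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+)$"
)


def parse_audit_log(text):
    """Split a serial-format audit log into entries of the form
    {"id": boundary, "parts": {letter: [lines]}}; part Z ends an entry."""
    entries = []
    current = None
    letter = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            boundary, letter = m.groups()
            if letter == "A":
                current = {"id": boundary, "parts": {}}
                entries.append(current)
            if letter == "Z":
                current, letter = None, None
            continue
        if current is not None and letter is not None:
            current["parts"].setdefault(letter, []).append(line)
    return entries


def summarize(entry):
    """Pull out the fields needed to triage one entry."""
    parts = entry["parts"]
    a = PART_A_RE.match(parts["A"][0]) if parts.get("A") else None
    request = parts["B"][0] if parts.get("B") else ""
    status = None
    if parts.get("F"):
        tokens = parts["F"][0].split()  # e.g. "HTTP/1.1 403 Forbidden"
        if len(tokens) >= 2 and tokens[1].isdigit():
            status = int(tokens[1])
    # Rule hits are recorded in part H as "Message: ..." lines; a blocking
    # rule writes "Message: Access denied with code NNN ..." (2.x convention).
    messages = [l for l in parts.get("H", []) if l.startswith("Message:")]
    return {
        "id": entry["id"],
        "src": a.group("src") if a else None,
        "dst": a.group("dst") if a else None,
        "request": request,
        "status": status,
        "messages": messages,
        # Assumption: no Message lines means no rule fired, so the 403 came
        # from the backend and was logged only because of SecAuditLogRelevantStatus.
        "blocked_by_modsecurity": any("Access denied" in m for m in messages),
        "self_request": bool(a) and a.group("src") == a.group("dst"),
    }


def count_signatures(entries):
    """Count entries by (request line, status, blocked-by-rule, self-request)
    to show which pattern dominates a log."""
    return Counter(
        (s["request"], s["status"], s["blocked_by_modsecurity"], s["self_request"])
        for s in map(summarize, entries)
    )


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_LOG)
    for sig, n in count_signatures(parsed).most_common():
        print(n, sig)
```

Run against a real audit_log, a dominant signature with `blocked_by_modsecurity` false and `self_request` true points the investigation at whatever on the host is fetching `/` from itself (a monitoring check or health probe) and at the backend that answers 403, rather than at the rule set.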