Question on entry in audit_log

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
darkestweb
Forum User
Forum User
Posts: 5
Joined: Sat Oct 22, 2011 7:40 pm
Location: USA

Question on entry in audit_log

Unread post by darkestweb »

modsecurity 2.5.13 - most recent delayed rules

I hope this shouldn't be obvious to me but I'm trying to track down an entry that is found very frequently in my audit_log. The following entry with little but time and sequence variation makes up 9/10ths of my audit log.

I'm going to paste two that came back to back so you can get the idea. Please notice that the source and destination Ip addresses are the same and are mine/the servers (the ip has been altered and is not the ip of my server for reasons you understand) that these errors are being generated on. It doesn't give me any real indication I can see of the rule that is triggering this so any help is much appreciated.


--3f38347e-A--
[22/Oct/2011:15:30:18 --0500] DuBW538AAAEAADRGGO8AAAAX 7X.5X.2X.6X 38206 7X.5X.2X.6X 80
--3f38347e-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X

--3f38347e-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.3.8
Content-Length: 3985
Content-Type: text/html

--3f38347e-H--
Apache-Handler: php5-script
Stopwatch: 1319315418666727 4128 (2003 3051 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (Red Hat)

--3f38347e-Z--

--9766ea18-A--
[22/Oct/2011:15:35:20 --0500] IODhI38AAAEAAC1QkOsAAAAA 7X.5X.2X.6X 38223 7X.5X.2X.6X 80
--9766ea18-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X

--9766ea18-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.3.8
Content-Length: 3985
Content-Type: text/html

--9766ea18-H--
Apache-Handler: php5-script
Stopwatch: 1319315720692003 4023 (1951 2986 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (Red Hat)

--9766ea18-Z--
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Question on entry in audit_log

Unread post by mikeshinn »

A rule isnt being triggered, modsecurity is just logging that you had a 403 error which apache generated. So your 403s have nothing to do with the rules. You need to look at your apache logs to see whats the source of your 403 errors (which is not modsecurity, the H header would contain the rule thats triggered, and as there is no rule logged, there is rule being triggered).

The cause could be a configuration issue such as directory permissions, file permissions, etc. It could be the application is returning a 403, an htaccess rule is doing it, mod_rewrite rule, etc. Or even a server configuration issue.

But its not modsecurity or a modsecurity rules. Modsecurity is just reporting a 403.
darkestweb
Forum User
Forum User
Posts: 5
Joined: Sat Oct 22, 2011 7:40 pm
Location: USA

Re: Question on entry in audit_log

Unread post by darkestweb »

Perfect sir I was wondering why it wasn't telling me the ruleset that was what was confusing me. Sorry I didn't know that it logged other 403's that way and thank you very much for the explanation.
darkestweb
Forum User
Forum User
Posts: 5
Joined: Sat Oct 22, 2011 7:40 pm
Location: USA

Re: Question on entry in audit_log

Unread post by darkestweb »

As you said and you were correct there were entries in the .htaccess that were filtering for known bad events and returning and redirecting to the index with a 403 error. Thank you very much for your advice/assistance.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Question on entry in audit_log

Unread post by mikeshinn »

Glad I could help. Dont hesitate to ask for assistance in the future.
Post Reply