modsecurity 2.5.13 - most recent delayed rules
I hope this isn't something that should be obvious to me, but I'm trying to track down an entry that appears very frequently in my audit_log. The following entry, with little but time and sequence variation, makes up 9/10ths of my audit log.
I'm going to paste two that came back to back so you can get the idea. Please notice that the source and destination IP addresses are the same and are mine/the server's that these errors are being generated on (the IP has been altered and is not the IP of my server, for reasons you understand). It doesn't give me any real indication I can see of the rule that is triggering this, so any help is much appreciated.
--3f38347e-A--
[22/Oct/2011:15:30:18 --0500] DuBW538AAAEAADRGGO8AAAAX 7X.5X.2X.6X 38206 7X.5X.2X.6X 80
--3f38347e-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X
--3f38347e-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.3.8
Content-Length: 3985
Content-Type: text/html
--3f38347e-H--
Apache-Handler: php5-script
Stopwatch: 1319315418666727 4128 (2003 3051 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (Red Hat)
--3f38347e-Z--
--9766ea18-A--
[22/Oct/2011:15:35:20 --0500] IODhI38AAAEAAC1QkOsAAAAA 7X.5X.2X.6X 38223 7X.5X.2X.6X 80
--9766ea18-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X
--9766ea18-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.3.8
Content-Length: 3985
Content-Type: text/html
--9766ea18-H--
Apache-Handler: php5-script
Stopwatch: 1319315720692003 4023 (1951 2986 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (Red Hat)
--9766ea18-Z--
Question on entry in audit_log
-
- Forum User
- Posts: 5
- Joined: Sat Oct 22, 2011 7:40 pm
- Location: USA
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Question on entry in audit_log
A rule isn't being triggered; modsecurity is just logging that you had a 403 error which apache generated. So your 403s have nothing to do with the rules. You need to look at your apache logs to see what's the source of your 403 errors (which is not modsecurity; the H header would contain the rule that's triggered, and as there is no rule logged, there is no rule being triggered).
The cause could be a configuration issue such as directory permissions, file permissions, etc. It could be the application is returning a 403, an htaccess rule is doing it, mod_rewrite rule, etc. Or even a server configuration issue.
But it's not modsecurity or a modsecurity rule. Modsecurity is just reporting a 403.
Michael Shinn
Atomicorp - Security For Everyone
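As an added illustration of the point above (example code, not from the thread or from Atomicorp), a small Python parser for the ModSecurity 2.x serial audit-log format that splits entries on their part boundaries and reports which 403s carry a rule "Message:" line in part H and which were merely logged. The sample log, entry ids, unique id, rule id, file path and addresses are constructed.

```python
import re

# Constructed sample in ModSecurity 2.x serial audit-log format (constructed ids,
# documentation addresses). Entry one is a 403 with only server headers in part H,
# like the thread's entries; entry two has a "Message:" line, a triggered rule.
SAMPLE_LOG = """\
--3f38347e-A--
[22/Oct/2011:15:30:18 --0500] DuBW538AAAEAADRGGO8AAAAX 198.51.100.7 38206 198.51.100.7 80
--3f38347e-B--
GET / HTTP/1.1
Host: 198.51.100.7
--3f38347e-F--
HTTP/1.1 403 Forbidden
--3f38347e-H--
Apache-Handler: php5-script
--3f38347e-Z--
--0badf00d-A--
[22/Oct/2011:15:40:00 --0500] ConstructedUniqueId00001 203.0.113.9 40000 198.51.100.7 80
--0badf00d-B--
GET /index.php?id=1 HTTP/1.1
Host: 198.51.100.7
--0badf00d-F--
HTTP/1.1 403 Forbidden
--0badf00d-H--
Message: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/example.conf"] [line "10"] [id "100001"] [msg "Constructed example rule"]
Apache-Handler: php5-script
--0badf00d-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)

def parse_audit_log(text):
    """Split serial audit-log text into {entry_id: {part_letter: body}}."""
    entries = {}
    markers = list(BOUNDARY.finditer(text))
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        entries.setdefault(m.group(1), {})[m.group(2)] = text[m.end():end].strip("\n")
    return entries

def classify(entries):
    """Map entry id -> (response status, rule ids named in part H 'Message:' lines).
    A 403 with an empty id list was only logged by ModSecurity, not caused by a rule."""
    result = {}
    for eid, parts in entries.items():
        m = re.match(r"HTTP/\d\.\d (\d{3})", parts.get("F", ""))
        ids = re.findall(r'^Message: .*?\[id "(\d+)"\]', parts.get("H", ""), re.M)
        result[eid] = (int(m.group(1)) if m else None, ids)
    return result
```

Running `classify(parse_audit_log(SAMPLE_LOG))` on a real audit log file's contents separates the "no rule, look at Apache, .htaccess or the application" entries from genuine rule hits.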
-
- Forum User
- Posts: 5
- Joined: Sat Oct 22, 2011 7:40 pm
- Location: USA
Re: Question on entry in audit_log
Perfect, sir. I was wondering why it wasn't telling me the ruleset; that was what was confusing me. Sorry, I didn't know that it logged other 403s that way, and thank you very much for the explanation.
-
- Forum User
- Posts: 5
- Joined: Sat Oct 22, 2011 7:40 pm
- Location: USA
Re: Question on entry in audit_log
As you said, and you were correct, there were entries in the .htaccess that were filtering for known bad events and returning a 403 error while redirecting to the index. Thank you very much for your advice/assistance.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Question on entry in audit_log
Glad I could help. Don't hesitate to ask for assistance in the future.
Michael Shinn
Atomicorp - Security For Everyone