Modsecurity Audit Log Section Explanation

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
mrsant
Forum User
Posts: 17
Joined: Thu Jun 21, 2012 5:07 am
Location: UK

Modsecurity Audit Log Section Explanation

Post by mrsant

I see a number of interceptions using the Real Time Rules that end up being logged without a Section C at all, but with Sections ABIFH. Section I is quite short, for example:

--709f8228-I--
port=33333&timestamp=1373267&data=[a 40 character uuencoded string]

This particular interception was logged in H as

--709f8228-H--
Message: Access denied with code 403 (phase 2). Found 1 byte(s) in ARGS:data outside range: 1-255. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "130"] [id "390614"] [rev "23"] [msg "Atomicorp.com WAF Rules: Invalid character in ARGS"] [severity "CRITICAL"]
Apache-Error: [file "core.c"] [line 3706] [level 3] File does not exist: /home/artcreek/ACstats/sapi/403.shtml
Action: Intercepted (phase 2)
etc...

So... I'm trying to nail down where this out-of-range byte appeared, and I can't see it in the value of the URL parameter 'data'. Can anyone tell me what Section I is exactly, and where I might find this dodgy byte value?

Thanks! Steve.

p.s. I already read https://www.atomicorp.com/wiki/index.ph ... _audit_log but this doesn't explain Section I. I have spent some time trying to research Section I and it isn't explained anywhere I can find online.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Modsecurity Audit Log Section Explanation

Post by mikeshinn

mrsant wrote: I see a number of interceptions using the Real Time Rules that end up being logged without a Section C at all, but with Sections ABIFH. Section I is quite short, for example
You define what sections you want to log in your modsecurity configuration.
mrsant
Forum User
Posts: 17
Joined: Thu Jun 21, 2012 5:07 am
Location: UK

Re: Modsecurity Audit Log Section Explanation

Post by mrsant

mikeshinn wrote: You define what sections you want to log in your modsecurity configuration.
Thank you for your reply. Yes, I know this much: modsec2.user.conf contains > SecAuditLogParts ABIFHZ

I am trying to understand why many audit log entries contain Section C (which is not even defined in SecAuditLogParts) and others contain Section I, even though both seem to pertain to the submitted arguments.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Modsecurity Audit Log Section Explanation

Post by mikeshinn

Different parts will be logged that are relevant if logging is set to relevant. For example, C will be logged when the payload is in the body. It won't if it's not.

And I is part of your configuration, that's why it's being logged.
mrsant
Forum User
Posts: 17
Joined: Thu Jun 21, 2012 5:07 am
Location: UK

Re: Modsecurity Audit Log Section Explanation

Post by mrsant

Thanks Mike, but this leaves me with the original query: where can I find a definition of Section I? The article I referred to in my OP didn't cover Section I.

I realise this isn't ASL specific, but I was hoping someone here might know the answer to this, and also why audit log sections that are clearly not defined in the conf file are being included in the audit logs.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Modsecurity Audit Log Section Explanation

Post by mikeshinn

mrsant wrote: Thanks Mike, but this leaves me with the original query: where can I find a definition of Section I? The article I referred to in my OP didn't cover Section I.
https://www.atomicorp.com/wiki/index.ph ... itLogParts
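As an added example (not from this thread, Atomicorp, or the ModSecurity project), here is a small Python parser for the serial audit log format shown in the OP: it splits an entry into its lettered parts, rebuilds ARGS from the query string in part B plus the body in part I (or C), and applies the same byte-range check as the rule message quoted above to the decoded values, so you can see which parameter carries the byte. The entry is constructed; it assumes an application/x-www-form-urlencoded body, and the offending NUL byte is written as %00 because the log stores the body as it was received, still URL-encoded.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample entry (boundary id and body values made up), modelled on
# the parts the OP logs. The NUL byte the rule complains about is the %00.
SAMPLE_ENTRY = """--709f8228-A--
[09/Jul/2013:10:15:30 +0000] UdvhLX8AAAEAAGRiKkcAAAAB 203.0.113.10 51234 198.51.100.5 80
--709f8228-B--
POST /collect.php?v=1 HTTP/1.1
Host: www.example.invalid
Content-Type: application/x-www-form-urlencoded
--709f8228-I--
port=33333&timestamp=1373267&data=QUJDREVG%00R0hJSktM
--709f8228-H--
Message: Access denied with code 403 (phase 2). Found 1 byte(s) in ARGS:data outside range: 1-255.
Action: Intercepted (phase 2)
--709f8228-Z--
"""

# Part boundaries look like "--<hex id>-<letter>--" on a line of their own.
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)


def split_parts(entry):
    """Split one serial-format audit log entry into {part_letter: text}."""
    marks = list(PART_RE.finditer(entry))
    parts = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts


def find_out_of_range_args(entry, low=1, high=255):
    """Return {arg_name: [byte offsets]} for decoded ARGS bytes outside low..high."""
    parts = split_parts(entry)
    raw_query_strings = []
    request_line = parts.get("B", "").splitlines()[0] if parts.get("B") else ""
    uri = request_line.split(" ")[1] if " " in request_line else ""
    if "?" in uri:                      # query-string ARGS from the request line
        raw_query_strings.append(uri.split("?", 1)[1])
    for body_part in ("I", "C"):        # body ARGS: I is the reduced form of C
        if parts.get(body_part):
            raw_query_strings.append(parts[body_part].strip())
            break
    hits = {}
    for qs in raw_query_strings:
        # latin-1 keeps a one-to-one mapping between decoded chars and bytes
        for name, value in parse_qsl(qs, keep_blank_values=True, encoding="latin-1"):
            data = value.encode("latin-1")
            offsets = [i for i, b in enumerate(data) if not low <= b <= high]
            if offsets:
                hits[name] = offsets
    return hits
```

Run against a real entry, the offsets point at the exact position inside the decoded parameter value, which is what the rule message alone does not tell you.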
mrsant
Forum User
Posts: 17
Joined: Thu Jun 21, 2012 5:07 am
Location: UK

Re: Modsecurity Audit Log Section Explanation

Post by mrsant

Bingo! Many thanks!