
Transaction ID can not be parsed from ModSecurity audit files on CentOS/Red Hat #55

Open
sbraz opened this issue Jun 30, 2016 · 2 comments

Comments


sbraz commented Jun 30, 2016

My audit files do not match the format expected by waf-fle, they look like:

--74465f2d-A--
[30/Jun/2016:09:48:26 +0200] V3TOycCW2-NlccywEUMUtwAAABU 172.24.30.6 57673 172.24.30.6 80
--74465f2d-B--

While they look like this on another system (Ubuntu) with version 2.7.7:

--48598751-A--
[30/Jun/2016:10:20:47 +0200] V3TWXwoAKl4AAAeZgZMAAADu 180.76.15.158 60268 10.0.42.111 11180
--48598751-B--

This prevents this line from matching and makes the controller return "IPv6 not supported by now, sorry".

I just changed the expected length of the ID (from 24 to 27) and I guess you should make the regex less restrictive. Here is the diff I applied locally.

diff --git a/controller/index.php b/controller/index.php
index 5eb228d..2923253 100644
--- a/controller/index.php
+++ b/controller/index.php
@@ -85,7 +85,8 @@ while ( $line < $BodySize) {
             if (preg_match('/^\-\-[a-f0-9]+\-[BCEFHIKZ]\-\-$/i', trim($BODY[$line]))) {
                 break;
             } else {
-                if (preg_match('/^\[(\d{1,2})\/(\w{3})\/(\d{4})\:(\d{2}\:\d{2}\:\d{2})\s(\-\-\d{4}|\+\d{4})\]\s([a-zA-Z0-9\-\@]{24})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})/i',
+                if (preg_match('/^\[(\d{1,2})\/(\w{3})\/(\d{4})\:(\d{2}\:\d{2}\:\d{2})\s(\-\-\d{4}|\+\d{4})\]\s([a-zA-Z0-9\-\@]{27})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})/i',
+
             trim($BODY[$line]), $matchesA)) {
                     $PhaseA['Day'] = $matchesA[1];
                     $months        = array(null, 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
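Review bot: the "+" line only swaps the hard-coded {24} quantifier for {27}, so the transaction-ID pattern still assumes a single fixed width and the Ubuntu/2.7.7 sample quoted above (the 24-character V3TWXwoAKl4AAAeZgZMAAADu) would now stop matching; use a range such as ([a-zA-Z0-9\-\@]{24,27}) or an open-ended ([a-zA-Z0-9\-\@]+) on the same character class so both mod_unique_id variants parse. The added empty "+" line between the pattern string and trim($BODY[$line]) splits the preg_match( argument list for no reason and should be dropped.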
@sbraz sbraz changed the title Transaction ID can not be parsed from ModSecurity 2.7.3 audit files Transaction ID can not be parsed from ModSecurity audit files on CentOS/Red Hat Jun 30, 2016

sbraz commented Jun 30, 2016

After a bit of research, it appears that this is caused by a change to Apache mod_unique_id on Red Hat systems. Here are the relevant bug and the patch.
I'm not 100% sure the ID will always have a length of 27, maybe it would be safer to just assume that their size can change and just use \s([a-zA-Z0-9\-\@]+)\s as it would always match.
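To show what the variable-length ID pattern proposed in the two comments above looks like in practice, here is an added Python parser for the audit-log Part A line (example code written for this issue, not waf-fle's own controller code). It goes a little beyond the thread: the transaction ID accepts any length of the same alphabet, the IP fields are validated with the ipaddress module instead of the octet regex, and a non-matching line raises an error naming the actual problem. The two sample lines are the ones quoted in this issue; the IPv6 line in the test, the regex and the PartA type are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Union

# Constructed samples: the two Part A lines quoted in this issue (CentOS/Red Hat
# with a 27-character transaction ID, Ubuntu with a 24-character one).
SAMPLE_CENTOS = ("[30/Jun/2016:09:48:26 +0200] V3TOycCW2-NlccywEUMUtwAAABU "
                 "172.24.30.6 57673 172.24.30.6 80")
SAMPLE_UBUNTU = ("[30/Jun/2016:10:20:47 +0200] V3TWXwoAKl4AAAeZgZMAAADu "
                 "180.76.15.158 60268 10.0.42.111 11180")

# Hypothetical replacement for the fixed-width {24} in waf-fle's pattern: the ID
# is whatever mod_unique_id emits, so accept any length of the same alphabet.
# IP fields are captured loosely (\S+) and validated by ipaddress afterwards.
PART_A_RE = re.compile(
    r"^\[(?P<day>\d{1,2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s(?P<tz>[+-]\d{4})\]"
    r"\s(?P<txid>[A-Za-z0-9@-]+)"
    r"\s(?P<src_ip>\S+)\s(?P<src_port>\d{1,5})"
    r"\s(?P<dst_ip>\S+)\s(?P<dst_port>\d{1,5})$"
)

MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class PartA:
    """Fields of one audit-log Part A header line (constructed type)."""
    day: int
    month: int
    year: int
    time: str
    tz: str
    txid: str
    src_ip: IPAddress
    src_port: int
    dst_ip: IPAddress
    dst_port: int


def _port(text: str) -> int:
    # \d{1,5} still admits 99999, so range-check explicitly.
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_part_a(line: str) -> PartA:
    """Parse one Part A line; raise ValueError describing the real defect
    rather than a blanket 'IPv6 not supported' message."""
    m = PART_A_RE.match(line.strip())
    if m is None:
        raise ValueError(f"Part A line does not match expected layout: {line!r}")
    if m["mon"] not in MONTHS:
        raise ValueError(f"unknown month abbreviation: {m['mon']}")
    try:
        src_ip = ipaddress.ip_address(m["src_ip"])
        dst_ip = ipaddress.ip_address(m["dst_ip"])
    except ValueError as exc:
        raise ValueError(f"bad IP address in Part A line: {exc}") from None
    return PartA(
        day=int(m["day"]), month=MONTHS[m["mon"]], year=int(m["year"]),
        time=m["time"], tz=m["tz"], txid=m["txid"],
        src_ip=src_ip, src_port=_port(m["src_port"]),
        dst_ip=dst_ip, dst_port=_port(m["dst_port"]),
    )


if __name__ == "__main__":
    for sample in (SAMPLE_CENTOS, SAMPLE_UBUNTU):
        rec = parse_part_a(sample)
        print(f"txid={rec.txid} ({len(rec.txid)} chars) "
              f"{rec.src_ip}:{rec.src_port} -> {rec.dst_ip}:{rec.dst_port}")
```

Validating the addresses with ipaddress also closes a gap in the octet pattern quoted in the diff: [12]?[0-9]{1,2} accepts values such as 299, which ipaddress.ip_address rejects, and the same call distinguishes IPv4 from IPv6 without a separate pattern.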


diveshu commented Apr 10, 2017

With Debian 6.0.5, in modsec_audit.log, the log format is as given below:

"domain.com 192.168.0.9 - - [10/Apr/2017:13:30:36 +051800] "POST /form.php HTTP/1.1" 403 238 "-" "-" WOs7pH8AAQEAAA0OBBgAAAAG "-" /20170410/20170410-1330/20170410-133036-WOs7pH8AAQEAAA0OBBgAAAAG 0 1765 md5:ac521dc39b114c8b39aaa2769c818fca"

1) No entry found in the MySQL database.
2) Using the mlog2waffle daemon.
3) While running in debug mode, I see the below error:
"IPv6 not supported by now, sorry"
What could be the issue?
