
SecAuditLogParts never logs anything for 'K' type (list of rule IDs)

Open mig5 opened this issue 2 years ago • 3 comments

Describe the bug

I want to analyse POST body content but I don't want to print any POST body content (or any actual data snippets from the request, such as cookies etc) to the log file. So I don't want to log 'B', 'C', 'F', 'H', 'J' etc.

I just want to get the time of the event and the rule ID that tripped the blocked request.

I believe the 'K' type in SecAuditLogParts is meant to log the rule ID

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)#SecAuditLogParts

However, in all my logs, the 'K' is always empty. The only meaningful data I can get about the rules that tripped is from 'H', but it contains too many other messages in that log entry such as personal data, which I can't put in logs.

Logs and dumps

Example:

---0s7Btvlo---A--
[17/Feb/2022:02:39:54 +0000] 1645065594 10.42.0.11 0 172.17.0.3 80

---0s7Btvlo---K--

---0s7Btvlo---Z--

To Reproduce

Steps to reproduce the behavior:

Set SecAuditLogParts to 'AKZ' and you'll never get entries for 'K'.

Expected behavior

I should get the rule ID or something like that (? since it's never worked, I don't know what it looks like) when logging K.

Server

  • ModSecurity version: libmodsecurity 3.0.6 (commit hash c3d7f4b560797a052681dcffb97a22bb906487cd), ModSecurity-nginx v1.0.2
  • WebServer Nginx 1.14.0 (the official debian package 1.14.0-0ubuntu1.9 on Ubuntu 18.04)
  • OS (and distro): Ubuntu Linux 18.04 LTS

Rule Set

  • public coreruleset 3.3.2

mig5 avatar Feb 18 '22 02:02 mig5

Please do not use that linked doc for anything. It says quite explicitly that it is in early stages of DRAFT and should not be relied upon.

martinhsv avatar Feb 18 '22 11:02 martinhsv

OK, but just to be clear, I didn't learn about the logging categories from that document - I linked to it only incidentally.

I originally learned about the logging categories from https://www.nginx.com/blog/modsecurity-logging-and-debugging/

The purpose of this ticket is not 'the documentation is unfinished'. The purpose is 'the logging functionality doesn't work'.

Perhaps what you meant to say is, version 3.x of Modsecurity doesn't yet support all the SecAuditLogParts that 2.x did? Is that the core of the issue?

mig5 avatar Feb 20 '22 20:02 mig5

The 'K' part has never been implemented in ModSecurity v3.

In terms of alternatives, it depends a little on how strictly you "don't want" the other information.

One option could be to use the JSON-format audit log, parse the ruleId from the audit log and put it to another destination -- and then possibly delete the audit log (especially if using concurrent logging).

If you don't like that option for whatever reason (perhaps you have a mandate that no possibly secure information should be output anywhere), you could alternatively turn off the audit log and produce your desired output separately. For example, you could use a script to write only the time and rule number to a file.

Be mindful, however, that without any other information besides the rule number, it can be difficult to manage any WAF -- particularly when it comes to winnowing out false positives.

martinhsv avatar Mar 29 '22 17:03 martinhsv
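The first alternative above (read the JSON audit log, keep only the time and the rule IDs, send that to a separate destination) as an added example; this is not code from the ModSecurity project or from either commenter. It assumes the libmodsecurity 3 JSON audit-log layout (`transaction` -> `messages[]` -> `details.ruleId`, with `time_stamp` and `unique_id` on the transaction) and a serial audit log with one JSON object per line; the sample entry is constructed, including its request body, cookie and matched-data values, to show that none of them reach the output.

```python
"""Reduce libmodsecurity 3 JSON audit-log entries to timestamp + rule IDs.

Added example, not ModSecurity project code.  Assumes the v3 JSON audit-log
layout: transaction -> messages[] -> details -> ruleId.  The request body,
headers and the per-rule "data" field (matched data, which is where cookie or
POST values would otherwise surface) are never copied to the output.
"""
import json
import sys
from typing import Iterable, Iterator, List, Tuple

# A rule hit: (time_stamp, unique_id, ruleId), all as strings.
RuleHit = Tuple[str, str, str]

# Constructed sample entry in the libmodsecurity 3 JSON layout; every value
# (IPs, id, cookie, body, matched data, rule IDs) is made up for this example.
SAMPLE_AUDIT_LINE = json.dumps({
    "transaction": {
        "client_ip": "10.42.0.11",
        "time_stamp": "Thu Feb 17 02:39:54 2022",
        "unique_id": "0s7Btvlo",
        "request": {
            "method": "POST",
            "uri": "/login",
            "headers": {"Cookie": "session=constructed-cookie-value"},
            "body": "user=alice&pass=constructed-secret",
        },
        "response": {"http_code": 403},
        "messages": [
            {"message": "SQL Injection Attack Detected",
             "details": {"ruleId": "942100",
                         "data": "Matched Data: ' OR 1=1 found within ARGS:user"}},
            {"message": "Inbound Anomaly Score Exceeded",
             "details": {"ruleId": "949110", "data": ""}},
        ],
    }
})


def extract_rule_hits(line: str) -> List[RuleHit]:
    """Return (time_stamp, unique_id, ruleId) for every rule message in one
    JSON audit-log entry.  Malformed or non-JSON lines yield an empty list
    instead of raising, so a half-written line does not abort the run."""
    try:
        tx = json.loads(line)["transaction"]
    except (ValueError, KeyError, TypeError):
        return []
    time_stamp = str(tx.get("time_stamp", ""))
    unique_id = str(tx.get("unique_id", ""))
    hits: List[RuleHit] = []
    for msg in tx.get("messages", []):
        rule_id = msg.get("details", {}).get("ruleId")
        if rule_id:  # messages without a ruleId (plain notices) are skipped
            hits.append((time_stamp, unique_id, str(rule_id)))
    return hits


def format_hit(hit: RuleHit) -> str:
    """One output line per rule hit: only time, transaction id and rule ID."""
    time_stamp, unique_id, rule_id = hit
    return f"{time_stamp} {unique_id} {rule_id}"


def summarise(lines: Iterable[str]) -> Iterator[str]:
    """Stream serial-mode audit-log lines (one JSON object per line) and emit
    the reduced records.  Nothing from the request or response is copied."""
    for line in lines:
        for hit in extract_rule_hits(line):
            yield format_hit(hit)


if __name__ == "__main__":
    # Usage: python audit_ruleids.py < modsec_audit.log >> rule_hits.log
    # With no piped input, the constructed sample entry is summarised instead.
    source = sys.stdin if not sys.stdin.isatty() else [SAMPLE_AUDIT_LINE]
    for record in summarise(source):
        print(record)
```

For concurrent audit logging, where each transaction is written to its own file, feed each file's contents to `summarise` as a single line; the `unique_id` in the output is enough to go back to the full entry while it still exists, which is the trade-off martinhsv points out: once the original audit log is deleted, a rule ID alone is thin material for triaging false positives.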