Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




Post subject: Question on entry in audit_log
Posted: Sat Oct 22, 2011 7:59 pm
Forum User
Joined: Sat Oct 22, 2011 7:40 pm
Posts: 5
Location: USA
modsecurity 2.5.13 - most recent delayed rules

I hope this shouldn't be obvious to me, but I'm trying to track down an entry that is found very frequently in my audit_log. The following entry, with little but time and sequence variation, makes up 9/10ths of my audit log.

I'm going to paste two that came back to back so you can get the idea. Please notice that the source and destination IP addresses are the same and are mine/the server's (the IP has been altered and is not the IP of my server, for reasons you understand) that these errors are being generated on. It doesn't give me any real indication I can see of the rule that is triggering this, so any help is much appreciated.


--3f38347e-A--
[22/Oct/2011:15:30:18 --0500] DuBW538AAAEAADRGGO8AAAAX 7X.5X.2X.6X 38206 7X.5X.2X.6X 80
--3f38347e-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X

--3f38347e-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.3.8
Content-Length: 3985
Content-Type: text/html

--3f38347e-H--
Apache-Handler: php5-script
Stopwatch: 1319315418666727 4128 (2003 3051 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (Red Hat)

--3f38347e-Z--

--9766ea18-A--
[22/Oct/2011:15:35:20 --0500] IODhI38AAAEAAC1QkOsAAAAA 7X.5X.2X.6X 38223 7X.5X.2X.6X 80
--9766ea18-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X

--9766ea18-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.3.8
Content-Length: 3985
Content-Type: text/html

--9766ea18-H--
Apache-Handler: php5-script
Stopwatch: 1319315720692003 4023 (1951 2986 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache/2.0.52 (Red Hat)

--9766ea18-Z--


Post subject: Re: Question on entry in audit_log
Posted: Sat Oct 22, 2011 8:35 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3603
Location: Chantilly, VA
A rule isn't being triggered; modsecurity is just logging that you had a 403 error which apache generated. So your 403s have nothing to do with the rules. You need to look at your apache logs to see what's the source of your 403 errors (which is not modsecurity: the H header would contain the rule that's triggered, and as there is no rule logged, there is no rule being triggered).

The cause could be a configuration issue such as directory permissions, file permissions, etc. It could be the application is returning a 403, an htaccess rule is doing it, mod_rewrite rule, etc. Or even a server configuration issue.

But it's not modsecurity or a modsecurity rule. Modsecurity is just reporting a 403.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
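An added example (not from this thread or from Atomicorp) that automates the check described above: split a ModSecurity serial audit log into entries and sections, then flag entries whose H section carries no "Message:" line as status-only logging, i.e. a 403 that came from Apache or the application rather than a rule. The first sample entry mirrors the one posted above; the second entry, its rule id and its client address are constructed placeholders.

```python
import re

# Constructed sample in ModSecurity's serial audit-log format. The first entry
# mirrors the post above (H section without any "Message:" line); the second is
# a constructed rule hit with a placeholder rule id, for contrast.
SAMPLE_AUDIT_LOG = """\
--3f38347e-A--
[22/Oct/2011:15:30:18 --0500] DuBW538AAAEAADRGGO8AAAAX 7X.5X.2X.6X 38206 7X.5X.2X.6X 80
--3f38347e-B--
GET / HTTP/1.1
Host: 7X.5X.2X.6X
--3f38347e-F--
HTTP/1.1 403 Forbidden
--3f38347e-H--
Apache-Handler: php5-script
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
--3f38347e-Z--
--0badc0de-A--
[22/Oct/2011:16:00:00 --0500] CONSTRUCTEDIDXXXXXXXXXXX 198.51.100.7 51000 7X.5X.2X.6X 80
--0badc0de-B--
GET /index.php?page=test HTTP/1.1
Host: 7X.5X.2X.6X
--0badc0de-F--
HTTP/1.1 403 Forbidden
--0badc0de-H--
Message: Access denied with code 403 (phase 2). [id "EXAMPLE-RULE-ID"] [msg "constructed example"]
--0badc0de-Z--
"""

# Section boundary: "--<entry id>-<section letter>--" on a line of its own.
BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)

def parse_audit_log(text):
    """Split the serial audit log into {entry_id: {section_letter: body}}."""
    entries = {}
    marks = list(BOUNDARY_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.setdefault(m.group(1), {})[m.group(2)] = text[m.end():end].strip()
    return entries

def classify(sections):
    """('rule', ids) when H carries Message: lines; otherwise ('status-only', code):
    the entry exists only because the response status was deemed relevant."""
    h = sections.get("H", "")
    if "Message:" in h:
        return ("rule", re.findall(r'\[id "([^"]+)"\]', h))
    status = re.match(r"HTTP/\d\.\d (\d{3})", sections.get("F", ""))
    return ("status-only", status.group(1) if status else None)

def triage(text):
    return {eid: classify(secs) for eid, secs in parse_audit_log(text).items()}
```

Entries classified as status-only are the ones to chase in the Apache error log, .htaccess and application configuration rather than in the rule set.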


Post subject: Re: Question on entry in audit_log
Posted: Sat Oct 22, 2011 9:25 pm
Forum User
Joined: Sat Oct 22, 2011 7:40 pm
Posts: 5
Location: USA
Perfect, sir. I was wondering why it wasn't telling me the ruleset; that was what was confusing me. Sorry, I didn't know that it logged other 403s that way, and thank you very much for the explanation.


Post subject: Re: Question on entry in audit_log
Posted: Sun Oct 23, 2011 12:23 am
Forum User
Joined: Sat Oct 22, 2011 7:40 pm
Posts: 5
Location: USA
As you said, and you were correct, there were entries in the .htaccess that were filtering for known bad events and returning and redirecting to the index with a 403 error. Thank you very much for your advice/assistance.


Post subject: Re: Question on entry in audit_log
Posted: Sun Oct 23, 2011 8:02 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3603
Location: Chantilly, VA
Glad I could help. Don't hesitate to ask for assistance in the future.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

