klaubert / waf-fle

WAF-FLE, ModSecurity Console
http://waf-fle.org
GNU General Public License v2.0

Controller cannot retrieve data from mlogc for Server version: Apache/2.4.6 (CentOS) #43

Closed nadzree closed 9 years ago

nadzree commented 9 years ago

I've tried to diagnose the issue and the string gets stuck at:

https://github.com/klaubert/waf-fle/blob/master/controller/index.php Line 85

Phase A:

```php
if (preg_match('/^--[a-f0-9]+-[BCEFHIKZ]--$/i', trim($BODY[$line]))) { break; }
```

This is my `$BODY[$line]`:

```
-bdc00616-A-- [12/Aug/2015:00:18:29 +0800] VcogVUWrijQmSCa2jQ1Z-AAAAAs 2.2.2.2 62315 1.1.1.1 80 --bdc00616-B--
```

I have no problem with other Apache servers and have installed 8 sensors without any problem. This is a sample of a successful `$BODY[$line]`:

```
--7a8d2675-A-- [12/Aug/2015:00:18:55 +0800] VcogbX8AAAEAACdPb4wAAAAE 2.2.2.2 55002 1.1.1.1 80 --7a8d2675-B--
```

Working on: Apache/2.2.15 (CentOS)
Not working on: Apache/2.4.6 (CentOS)

nadzree commented 9 years ago

Actually, that's not the problem at line 85; instead it's at line 88.

The second-line string in this Apache version 2.4.6 has various types of string:

```
[12/Aug/2015:01:35:15 +0800] VcoyU5WO5y2fWjaSyc09zgAAAAA 1.1.1.1 64693 2.2.2.2 80
```

OR

```
[19/Aug/2015:23:54:15 +0800] VdSmp-Dmmo0X5ofhg02qlwAAAAk 1.1.1.1 58314 2.2.2.2 80
```

Or Even

```
[19/Aug/2015:07:22:34 +0800] VdO@On8AAAEAAM3FlrYAAAAL 1.1.1.1 37589 2.2.2.2 80
```

So I've solved it by altering the preg_match from:

```php
/^\[(\d{1,2})\/(\w{3})\/(\d{4}):(\d{2}:\d{2}:\d{2})\s(-\d{4}|\+\d{4})\]\s([a-zA-Z0-9-\@]{24})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})/i
```

to:

```php
/^\[(\d{1,2})\/(\w{3})\/(\d{4}):(\d{2}:\d{2}:\d{2})\s(-\d{4}|\+\d{4})\]\s([a-zA-Z0-9\@-]{24,27})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})/i
```

klaubert commented 9 years ago

Thanks for the patch. It is a change in Apache for CentOS/RedHat that makes the uniqid longer. A similar patch was just pulled in pull request #39.
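The header-parsing change in the comment above, and klaubert's point that newer Apache builds emit longer unique ids, as an added Python example (not WAF-FLE's own PHP code): the two patterns mirror the before/after `preg_match` with escaping normalised for Python's `re`, and the sample lines are the ones posted in this issue (the 1.1.1.1 / 2.2.2.2 addresses are the reporter's placeholders).

```python
import re

# Part-A header lines as posted in this issue (constructed samples; the
# addresses are the reporter's placeholders). Unique ids are 24 or 27 chars.
SAMPLE_HEADERS = [
    "[12/Aug/2015:00:18:55 +0800] VcogbX8AAAEAACdPb4wAAAAE 2.2.2.2 55002 1.1.1.1 80",
    "[19/Aug/2015:07:22:34 +0800] VdO@On8AAAEAAM3FlrYAAAAL 1.1.1.1 37589 2.2.2.2 80",
    "[12/Aug/2015:00:18:29 +0800] VcogVUWrijQmSCa2jQ1Z-AAAAAs 2.2.2.2 62315 1.1.1.1 80",
    "[12/Aug/2015:01:35:15 +0800] VcoyU5WO5y2fWjaSyc09zgAAAAA 1.1.1.1 64693 2.2.2.2 80",
    "[19/Aug/2015:23:54:15 +0800] VdSmp-Dmmo0X5ofhg02qlwAAAAk 1.1.1.1 58314 2.2.2.2 80",
]

# Shared pieces: "[dd/Mon/yyyy:hh:mm:ss +zzzz] <unique_id> <ip> <port> <ip> <port>"
_PREFIX = r"^\[(\d{1,2})/(\w{3})/(\d{4}):(\d{2}:\d{2}:\d{2})\s([+-]\d{4})\]\s"
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_PORT = r"(\d{1,5})"
_SUFFIX = r"\s" + _IP + r"\s" + _PORT + r"\s" + _IP + r"\s" + _PORT

# Before the patch: mod_unique_id output was assumed to be exactly 24 chars.
OLD_HEADER_RE = re.compile(_PREFIX + r"([A-Za-z0-9@-]{24})" + _SUFFIX)
# After the patch: Apache 2.4 on CentOS/RHEL emits 27-char ids, so accept 24..27.
NEW_HEADER_RE = re.compile(_PREFIX + r"([A-Za-z0-9@-]{24,27})" + _SUFFIX)


def parse_audit_header(line, pattern=NEW_HEADER_RE):
    """Return the part-A header fields as a dict, or None if the line does not match."""
    m = pattern.match(line.strip())
    if m is None:
        return None
    day, mon, year, clock, tz, uid, c_ip, c_port, s_ip, s_port = m.groups()
    return {
        "timestamp": f"{day}/{mon}/{year}:{clock} {tz}",
        "unique_id": uid,
        "client": (c_ip, int(c_port)),
        "server": (s_ip, int(s_port)),
    }


def count_parsed(lines, pattern):
    """Number of headers a pattern accepts; the shortfall is what the controller dropped."""
    return sum(parse_audit_header(line, pattern) is not None for line in lines)


if __name__ == "__main__":
    total = len(SAMPLE_HEADERS)
    print("old pattern accepts", count_parsed(SAMPLE_HEADERS, OLD_HEADER_RE), "of", total)
    print("new pattern accepts", count_parsed(SAMPLE_HEADERS, NEW_HEADER_RE), "of", total)
    for header in SAMPLE_HEADERS:
        rec = parse_audit_header(header)
        print(len(rec["unique_id"]), rec["unique_id"], rec["client"], "->", rec["server"])
```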

nadzree commented 9 years ago

No problem. I should thank you ;)