klaubert / waf-fle

WAF-FLE, ModSecurity Console
http://waf-fle.org
GNU General Public License v2.0
140 stars 74 forks

Transaction ID can not be parsed from ModSecurity audit files on CentOS/Red Hat #55

Open sbraz opened 8 years ago

sbraz commented 8 years ago

My audit files do not match the format expected by waf-fle, they look like:

--74465f2d-A--
[30/Jun/2016:09:48:26 +0200] V3TOycCW2-NlccywEUMUtwAAABU 172.24.30.6 57673 172.24.30.6 80
--74465f2d-B--

While they look like this on another system (Ubuntu) with version 2.7.7:

--48598751-A--
[30/Jun/2016:10:20:47 +0200] V3TWXwoAKl4AAAeZgZMAAADu 180.76.15.158 60268 10.0.42.111 11180
--48598751-B--

This prevents this line from matching and makes the controller return "IPv6 not supported by now, sorry".

I just changed the expected length of the ID (from 24 to 27) and I guess you should make the regex less restrictive. Here is the diff I applied locally.

diff --git a/controller/index.php b/controller/index.php
index 5eb228d..2923253 100644
--- a/controller/index.php
+++ b/controller/index.php
@@ -85,7 +85,8 @@ while ( $line < $BodySize) {
             if (preg_match('/^\-\-[a-f0-9]+\-[BCEFHIKZ]\-\-$/i', trim($BODY[$line]))) {
                 break;
             } else {
-                if (preg_match('/^\[(\d{1,2})\/(\w{3})\/(\d{4})\:(\d{2}\:\d{2}\:\d{2})\s(\-\-\d{4}|\+\d{4})\]\s([a-zA-Z0-9\-\@]{24})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})/i',
+                if (preg_match('/^\[(\d{1,2})\/(\w{3})\/(\d{4})\:(\d{2}\:\d{2}\:\d{2})\s(\-\-\d{4}|\+\d{4})\]\s([a-zA-Z0-9\-\@]{27})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})/i',
+
             trim($BODY[$line]), $matchesA)) {
                     $PhaseA['Day'] = $matchesA[1];
                     $months        = array(null, 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
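Review bot: Replacing {24} with {27} on the preg_match line only trades one hard-coded length for another; the Ubuntu sample quoted earlier in this issue carries a 24-character ID, so with this patch those files would stop parsing instead. Make the ID group length-agnostic, e.g. "\s([a-zA-Z0-9\-\@]+)\s", or at least "{24,27}"; the surrounding "\s" already delimits the token. The blank "+" line added right after the regex also lands inside the preg_match() argument list and should be dropped.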
sbraz commented 8 years ago

After a bit of research, it appears that this is caused by a change to Apache mod_unique_id on Red Hat systems. Here are the relevant bug and the patch. I'm not 100% sure the ID will always have a length of 27; maybe it would be safer to just assume that their size can change and just use \s([a-zA-Z0-9\-\@]+)\s as it would always match.
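A section-A parser that follows the suggestion above (match the mod_unique_id token with "+" instead of a fixed count), written here as an added example in Python; it is not waf-fle's own code. It goes beyond the issue in two ways: addresses are validated with the ipaddress module instead of an IPv4-only regex, so an IPv6 transaction is reported as such rather than failing to match, and the part-boundary lines are used to walk a whole serial audit log. The sample log is constructed from the two header lines quoted in this issue with stub B and Z parts; the timezone is assumed to be a single sign followed by four digits.

```python
"""Parse the section-A header of a ModSecurity 2.x serial audit log.

Added example, not waf-fle code. The unique ID comes from Apache
mod_unique_id and its length differs between builds (24 characters in the
Ubuntu sample from the issue, 27 on CentOS/Red Hat), so it is matched with
'+' rather than a fixed repetition count.
"""
import ipaddress
import re
from datetime import datetime

# Part boundary, e.g. "--74465f2d-A--": the hex transaction tag and the part
# letter are captured so parts can be grouped per transaction.
BOUNDARY_RE = re.compile(r'^--(?P<tag>[a-f0-9]+)-(?P<part>[A-Z])--$', re.I)

# Section-A line, e.g.
# [30/Jun/2016:09:48:26 +0200] V3TOycCW2-NlccywEUMUtwAAABU 172.24.30.6 57673 172.24.30.6 80
# Addresses are matched loosely (\S+) and validated with ipaddress below,
# which is what lets IPv6 endpoints be recognised instead of rejected.
# Assumption: the timezone is a single sign followed by four digits.
SECTION_A_RE = re.compile(
    r'^\[(?P<day>\d{1,2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):'
    r'(?P<time>\d{2}:\d{2}:\d{2})\s(?P<tz>[+-]\d{4})\]\s'
    r'(?P<uid>[A-Za-z0-9@-]+)\s'            # mod_unique_id alphabet, any length
    r'(?P<src>\S+)\s(?P<sport>\d{1,5})\s'
    r'(?P<dst>\S+)\s(?P<dport>\d{1,5})$'
)


def parse_section_a(line):
    """Return a dict of the section-A fields, or None if the line does not parse."""
    m = SECTION_A_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(
            '{day}/{mon}/{year}:{time} {tz}'.format(**m.groupdict()),
            '%d/%b/%Y:%H:%M:%S %z')
        src = ipaddress.ip_address(m['src'])
        dst = ipaddress.ip_address(m['dst'])
    except ValueError:          # bad month/timestamp or malformed address
        return None
    if src.version != dst.version:
        return None
    sport, dport = int(m['sport']), int(m['dport'])
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        return None
    return {
        'timestamp': ts.isoformat(),
        'unique_id': m['uid'],
        'src_ip': str(src), 'src_port': sport,
        'dst_ip': str(dst), 'dst_port': dport,
        'ip_version': src.version,
    }


def parse_audit_log(text):
    """Yield (transaction_tag, section_a_dict_or_None) for every A part in a serial log."""
    current = None                      # (part letter, tag) of the part being read
    for raw in text.splitlines():
        b = BOUNDARY_RE.match(raw.strip())
        if b:
            current = (b['part'].upper(), b['tag'])
            continue
        if current and current[0] == 'A' and raw.strip():
            yield current[1], parse_section_a(raw)
            current = None              # only the first non-empty line of A matters


# Constructed sample: the two header lines quoted in the issue plus stub B/Z parts.
SAMPLE_LOG = """\
--74465f2d-A--
[30/Jun/2016:09:48:26 +0200] V3TOycCW2-NlccywEUMUtwAAABU 172.24.30.6 57673 172.24.30.6 80
--74465f2d-B--
GET / HTTP/1.1

--74465f2d-Z--

--48598751-A--
[30/Jun/2016:10:20:47 +0200] V3TWXwoAKl4AAAeZgZMAAADu 180.76.15.158 60268 10.0.42.111 11180
--48598751-B--
GET / HTTP/1.1

--48598751-Z--
"""

if __name__ == '__main__':
    for tag, rec in parse_audit_log(SAMPLE_LOG):
        print(tag, rec)
```

Both sample transactions parse, with IDs of 27 and 24 characters respectively; a line with a port of 0 or an octet above 255 returns None instead of being silently mis-read, and an IPv6 header line is returned with ip_version set to 6 so the caller can decide what to do with it.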

diveshu commented 7 years ago

With debian 6.0.5, in modsec_audit.log, the log format is as given in below format:

"domain.com 192.168.0.9 - - [10/Apr/2017:13:30:36 +051800] "POST /form.php HTTP/1.1" 403 238 "-" "-" WOs7pH8AAQEAAA0OBBgAAAAG "-" /20170410/20170410-1330/20170410-133036-WOs7pH8AAQEAAA0OBBgAAAAG 0 1765 md5:ac521dc39b114c8b39aaa2769c818fca"

1) No entry found in the mysql database.
2) Using mlog2waffle daemon.
3) While running in debug mode, I see the below error: "IPv6 not supported by now, sorry".

What could be the issue?