owasp-modsecurity / ModSecurity-apache

ModSecurity v3 Apache Connector
Apache License 2.0

unique_id in mod-security audit logs #42

Closed victorhora closed 5 years ago

victorhora commented 6 years ago

@Goron1606 commented on Fri Aug 31 2018

Hello,

I am using:

ModSecurity v3.0.2 (Linux) ModSecurity-Apache v0.1.1-beta connector OWASP_CRS/3.0.2

In the 2.x version I used to see unique_id in the logs.

Example:

[Fri Aug 31 02:03:53.739234 2018] [:error] [pid 29998] [client 192.168.4.13] ModSecurity: Warning. Pattern match "^[\\\\d.+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "792"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.4.251"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.4.251"] [uri "/login.php"] [unique_id "W4kEeX8AAQEAAHUu-mgAAAAA"]

However, in the 3.0.2 version I don't see unique_id in the audit logs. There are only the id and server_id parameters.

{
  "transaction": {
    "client_ip": "192.168.4.18",
    "time_stamp": "Fri Aug 31 16:52:59 2018",
    "server_id": "0f06644c20899021750765326d9572e94fb287b9",
    "client_port": 50486,
    "host_ip": "example.com",
    "host_port": 0,
    "id": "15357145790.848493",
    "request": {
      "method": "GET",
      "http_version": 1.1,
      "uri": "/admin.htm",
      "headers": {
        "Host": "example.com",
        "Connection": "keep-alive",
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/68.0.3440.106 Chrome/68.0.3440.106 Safari/537.36",
        "DNT": "1",
        "Cookie": "autho=456dfgdfg",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9"
      }
    },
    "response": {
      "http_code": 403,
      "headers": {}
    },
    "producer": {
      "modsecurity": "ModSecurity v3.0.2 (Linux)",
      "connector": "ModSecurity-Apache v0.1.1-beta",
      "secrules_engine": "Enabled",
      "components": [
        "OWASP_CRS/3.0.2\""
      ]
    },
    "messages": []
  }
}

How can I relate the server's UNIQUE_ID given by mod_unique_id with the mod-security audit logs?

Is there anything I am missing? How can I deduce a relationship from the audit logs with UNIQUE_ID?

Please let me know.


@victorhora commented on Fri Aug 31 2018

I think this is not implemented for the Apache connector. In libModSecurity, unique transaction IDs are generated by modsecurity::utils::generate_transaction_unique_id() so as not to rely on an external module and become more independent.

zimmerle commented 5 years ago

Fixed by: 8bb515e93ddf0209f196fef2fa5f0a255e34de24

If mod_unique is available on the platform, the transaction ids will be labeled respecting it. Otherwise, the library will handle it internally.
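As an added example (not code from this issue or from the ModSecurity project), the join the reporter is asking for: parse the bracketed fields of a 2.x-style error-log line and the `transaction.id` of a v3 JSON audit record, then correlate the two on `unique_id == transaction.id`. The sample log line and records are constructed from the post; the audit record that carries the mod_unique_id value assumes the post-fix connector behaviour, and its `messages` layout is an assumption about libmodsecurity's JSON format rather than something shown on the page.

```python
import json
import re

# Constructed sample of a ModSecurity 2.x-style Apache error-log entry (abridged from the post).
ERROR_LOG_LINE = (
    '[Fri Aug 31 02:03:53.739234 2018] [:error] [pid 29998] [client 192.168.4.13] '
    'ModSecurity: Warning. Pattern match "^[\\\\d.+$" at REQUEST_HEADERS:Host. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "792"] [id "920350"] [msg "Host header is a numeric IP address"] '
    '[tag "attack-protocol"] [tag "OWASP_TOP_10/A7"] [unique_id "W4kEeX8AAQEAAHUu-mgAAAAA"]'
)
# Constructed v3 JSON audit records: AUDIT_FIXED assumes the post-fix connector copies the
# mod_unique_id value into transaction.id (assumed "messages" layout); AUDIT_PREFIX reuses the
# unrelated numeric id from the reporter's pre-fix record.
AUDIT_FIXED = json.dumps({"transaction": {
    "client_ip": "192.168.4.13", "id": "W4kEeX8AAQEAAHUu-mgAAAAA",
    "request": {"uri": "/login.php"}, "response": {"http_code": 403},
    "messages": [{"message": "Host header is a numeric IP address", "details": {"ruleId": "920350"}}]}})
AUDIT_PREFIX = json.dumps({"transaction": {
    "client_ip": "192.168.4.18", "id": "15357145790.848493",
    "request": {"uri": "/admin.htm"}, "response": {"http_code": 403}, "messages": []}})

# One [key "value"] field; values may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_error_log_line(line):
    """Extract the quoted bracket fields; 'tag' repeats, so it is collected into a list."""
    fields = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tags"].append(value)
        else:
            fields[key] = value
    return fields

def audit_transaction(record):
    """Pull the correlation key and the facts an analyst wants from one audit record."""
    tx = json.loads(record)["transaction"]
    return {"id": tx["id"], "uri": tx["request"]["uri"], "status": tx["response"]["http_code"],
            "rule_ids": [m["details"]["ruleId"] for m in tx.get("messages", [])]}

def correlate(error_lines, audit_records):
    """Join error-log entries to audit records on unique_id == transaction.id."""
    # A None match is exactly the pre-fix situation: transaction.id is an unrelated number.
    by_id = {tx["id"]: tx for tx in map(audit_transaction, audit_records)}
    out = []
    for line in error_lines:
        fields = parse_error_log_line(line)
        uid = fields.get("unique_id")
        out.append((uid, fields.get("id"), by_id.get(uid)))
    return out
```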