owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

SecAuditLogPart 'E' is logged even if it is not configured #3113

Closed rahulthackkar closed 1 month ago

rahulthackkar commented 1 month ago

Hello Team,

I have enabled only a few parts of the audit log to be logged.

SecAuditLogParts AHZ

But still part 'E' is being logged.

--2f30c324-A--
[26/Mar/2024:05:28:01.867837 +0000] ZgJbtUFThpcR0UJWIHSyaAAAAU4 51.161.54.5 9493 172.31.1.33 443
--2f30c324-E--

--2f30c324-H--
Apache-Error: [file "mod_proxy_fcgi.c"] [line 1006] [level 3] [status 70007] AH01075: Error dispatching request to : (polling)
Apache-Handler: proxy:fcgi://mydomain.com
Stopwatch: 1711430581763470 300104389 (- - -)
Stopwatch2: 1711430581763470 300104389; combined=2648, p1=722, p2=1419, p3=109, p4=190, p5=208, sr=133, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--2f30c324-Z--

dune73 commented 1 month ago

Please upgrade to the latest ModSecurity version of the 2.9.x line and report back if that solves your problem.

rahulthackkar commented 1 month ago

It is 2.9.5-1

root@hostname:/# dpkg -l | grep libapache2-mod-security2
ii  libapache2-mod-security2           2.9.5-1                                      amd64        Tighten web applications security for Apache
root@hostname:/#

dune73 commented 1 month ago

I see this in the log line above. Please upgrade to 2.9.7 and then check again.

rahulthackkar commented 1 month ago

Do I need to build it from source, or is it available in the apt repository? The latest version of 2.9.x? I am using Ubuntu 22.04.

rahulthackkar commented 1 month ago

If I build it from source, I need to manually configure the rules, load the module in Apache, etc. I can do it, but if I can install it using a simple command like 'apt install libapache2-mod-security2', as I did previously, it will be helpful.

It automatically installs CRS and creates the appropriate directory /etc/modsecurity with the appropriate conf inside it, which I can use directly without any additional configuration.

airween commented 1 month ago

You should try this non-official Debian/Ubuntu repository:

https://modsecurity.digitalwave.hu

rahulthackkar commented 1 month ago

> I see this in the log line above. Please upgrade to 2.9.7 and then check again.

Thanks. By upgrading it to 2.9.7, this issue is fixed.
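
To confirm the behaviour reported in this thread before and after an upgrade, the following is an added example (not code from the ModSecurity project or from any participant in this issue) that scans a serial audit log and reports entries containing parts outside the configured `SecAuditLogParts` value. The function names and the second sample entry are constructed for illustration; parts A and Z are treated as always present because the reference manual marks them mandatory.

```python
import re
from collections import defaultdict

# Section boundary in the serial audit log: --<entry id>-<part letter>--
BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--\s*$")

def parts_per_entry(log_text):
    """Map each audit entry id to the ordered list of part letters it contains."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
    return dict(entries)

def unexpected_parts(log_text, configured):
    """Return {entry id: [parts present but absent from SecAuditLogParts]}."""
    allowed = set(configured) | {"A", "Z"}  # header and final boundary are mandatory
    report = {}
    for entry_id, parts in parts_per_entry(log_text).items():
        extra = [p for p in parts if p not in allowed]
        if extra:
            report[entry_id] = extra
    return report

# First entry: shortened from the report above. Second entry: constructed.
SAMPLE = """\
--2f30c324-A--
[26/Mar/2024:05:28:01.867837 +0000] ZgJbtUFThpcR0UJWIHSyaAAAAU4 51.161.54.5 9493 172.31.1.33 443
--2f30c324-E--

--2f30c324-H--
Engine-Mode: "DETECTION_ONLY"

--2f30c324-Z--

--0a1b2c3d-A--
[constructed header line]
--0a1b2c3d-H--
Engine-Mode: "DETECTION_ONLY"

--0a1b2c3d-Z--
"""

if __name__ == "__main__":
    for entry_id, extra in unexpected_parts(SAMPLE, "AHZ").items():
        print(f"entry {entry_id}: unexpected part(s) {''.join(extra)}")
```

An empty result after the upgrade means every logged entry matches the configured parts.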