I am new to ModSecurity. It works great on the server, but I would like to control the way it logs things. For example, as I am troubleshooting my website in order to whitelist or correct PHP coding problems, so that I can have a clean modsec_audit.log when everything is working properly, I came across the following.
Whenever I request a URL that is password-protected by either Basic or htdigest authentication, ModSecurity logs this in modsec_audit.log as follows:
htdigest Authentication:
--838e7b1b-A--
[17/Nov/2013:19:13:51 +0200] Uoj5T8CoAWQAABfMVE0AAAAA xxx.xxx.xxx.xxx XXXXX xxx.xxx.xxx.xxx XXXXX
--838e7b1b-B--
GET / HTTP/1.1
Host: XXX.XXX.com:XXXX
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
--838e7b1b-F--
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Digest realm="Members Only", nonce="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", algorithm=MD5, qop="auth"
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 290
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--838e7b1b-H--
Stopwatch: 1384708431494144 2002 (- - -)
Stopwatch2: 1384708431494144 2002; combined=32, p1=0, p2=0, p3=0, p4=0, p5=32, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--838e7b1b-Z--
or
basic Authentication:
--b8248f7a-A--
[17/Nov/2013:19:28:11 +0200] Uoj8q8CoAWQAABgxs7kAAAAM xxx.xxx.xxx.xxx XXXXX xxx.xxx.xxx.xxx XXXXX
--b8248f7a-B--
GET / HTTP/1.1
Host: XXX.XXX.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Connection: keep-alive
--b8248f7a-F--
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="Members Only"
Content-Encoding: gzip
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache, private, no-transform, must-revalidate, proxy-revalidate, post-check=300, pre-check=300, max-age=300
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
--b8248f7a-H--
Apache-Handler: x-httpd-suphp
Stopwatch: 1384709291811105 152463 (- - -)
Stopwatch2: 1384709291811105 152463; combined=54, p1=0, p2=0, p3=0, p4=0, p5=54, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--b8248f7a-Z--
The above logging takes place right after the request; I am not showing what happens on a failed password or a successful one at all.
My question is whether there is any way to stop it from logging this. I tried to whitelist my IP, but it had no result. I am not sure if it is a good idea to stop it from logging such a thing or not, but I think it will just flood /var/log/apache2/modsec_audit.log with such information every time "I" even request a password-protected URL.
Some more info about my server:
# apt-cache show libapache-mod-security | grep Version
Version: 2.6.6-6+deb7u1
I use the following rules so far:
/usr/share/modsecurity-crs/base_rules/
..and modsecurity.conf-recommended as modsecurity.conf
Thanks in advance. Cheers
EDIT:
I think I have found a workaround which solves the issue.
To exclude status 401 from being logged, I changed the SecAuditLogRelevantStatus regex in modsecurity.conf from this:
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
to this:
SecAuditLogRelevantStatus "^(?:5|4\d[^41])"
I also made an additional change, not sure if it is that relevant, but I changed SecDefaultAction in modsecurity_crs_10_setup.conf from this:
SecDefaultAction "phase:2,deny,log"
to this:
SecDefaultAction "phase:2,deny,log,noauditlog"
After testing on a password-protected URL, I now get nothing in modsec_audit.log, which is exactly what I wanted. I am not sure if there was a much, much smarter way to do this, but this works. Any comments appreciated.
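The following is an added example, not part of the original post. SecAuditLogRelevantStatus is a regex that ModSecurity runs against the response status code to decide whether a transaction goes into the audit log, so the quickest way to check a workaround like the one above is to see exactly which codes each pattern matches. The script below compares the modsecurity.conf-recommended pattern, the post's workaround, and a third pattern (my own suggestion, not from the post) that excludes only 401 and 404 with a negative lookahead. It uses Python's `re`, which handles the `(?!...)` and character-class syntax used here the same way PCRE does; the script assumes the regex is applied to the three-digit status code as a string, anchored only by the pattern's own `^`.

```python
import re

# Patterns under discussion. The first two are quoted from the post; the third
# is an alternative suggested in this example, not something the post proposes.
RECOMMENDED = r"^(?:5|4(?!04))"      # modsecurity.conf-recommended: all 5xx, 4xx except 404
WORKAROUND = r"^(?:5|4\d[^41])"      # the post's change: third digit may not be 4 or 1
TIGHTER = r"^(?:5|4(?!0[14]))"       # assumption: 5xx, and 4xx except exactly 401 and 404


def is_relevant(pattern: str, status: int) -> bool:
    """Mimic SecAuditLogRelevantStatus: the response is audit-logged when the
    status code, rendered as a string, matches the pattern. The pattern's own
    '^' anchors it, so re.search is the right primitive here."""
    return re.search(pattern, str(status)) is not None


def logged_codes(pattern: str, codes=range(100, 600)) -> set:
    """All status codes in `codes` that the pattern would send to the audit log."""
    return {code for code in codes if is_relevant(pattern, code)}


def compare(pattern_a: str, pattern_b: str):
    """Return (codes only A logs, codes only B logs), each sorted."""
    a, b = logged_codes(pattern_a), logged_codes(pattern_b)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for name, pat in (("recommended", RECOMMENDED),
                      ("workaround", WORKAROUND),
                      ("tighter", TIGHTER)):
        codes = logged_codes(pat)
        print(f"{name:12s} {pat:22s} logs {len(codes)} codes; "
              f"401 logged: {401 in codes}, 404 logged: {404 in codes}, "
              f"411 logged: {411 in codes}")
    dropped, added = compare(RECOMMENDED, WORKAROUND)
    print("4xx codes the workaround stops logging compared to recommended:", dropped)
    dropped, added = compare(RECOMMENDED, TIGHTER)
    print("4xx codes the tighter pattern stops logging compared to recommended:", dropped)
```

Run it and the output shows that `^(?:5|4\d[^41])` does silence 401 as intended, but because `[^41]` applies to the third digit of any 4xx code it also drops every 4x1 and 4x4 response (411, 414, 421, 424, and so on). If the goal is only to stop logging 401 alongside the already-excluded 404, `^(?:5|4(?!0[14]))` does that and nothing else; the same `is_relevant` check can be pointed at any other candidate pattern before it goes into modsecurity.conf.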