web.apache.mod-security

The logs generated by the ModSecurity WAF (Web Application Firewall) for Apache are labeled with the web.apache.mod-security.environment.application.clon tag.

Tag structure

The elements environment, application and clon are free but mandatory: they take a value chosen by the user to identify the event source and must always be present. The name of each element reflects its intended use:

  • environment: the environment where the event occurs (development, testing, production, etc.). The number and names of the environments are not fixed by Devo, since they vary a lot between installations.
  • application: the name of the web application.
  • clon: the name of the Apache instance that produced the event. Depending on the customer, it might be a machine name, the virtual name of an Apache process, etc.

Type of logs

ModSecurity can generate the following logs:

  • Apache error log - summarizes the possible attacks detected.
  • Apache custom log - a custom Apache log that records the ModSecurity message through the %{mod_security-message}i header, written only when the request carries the mod_security-relevant environment variable.
  • Serial log type - a single ModSecurity audit log file in which the generated alerts are recorded in detail.
  • Concurrent log type - a ModSecurity-specific mode that writes a separate file for each alert. It performs better than the Serial type.

Examples of Apache logs

  • Example 1 - ModSecurity event in the Apache error log

    [Thu Jan 17 22:21:02 2013] [error] [client 1.2.3.4] ModSecurity: Warning. Pattern match "\\\\/etc\\\\/" at ARGS:current_language. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "221"] [id "958700"] [rev "2.2.7"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "5.6.7.8"] [uri "/vtigercrm/graph.php"] [unique_id "UPh5Tn8AAAEAABebcoUAAAEH"]
  • Example 2 - Configuration of Apache Custom log

    CustomLog logs/modsec_custom_log \
    "%h %l %u %t \"%r\" %>s %b %{mod_security-message}i"  \
    env=mod_security-relevant
  • Example 3 - ModSecurity detailed event in the serial audit log

    --47e91e76-A--
    [17/Jan/2013:22:21:02 +0000] UPh5Tn8AAAEAABebcoUAAAEH 1.2.3.4 10155 5.6.7.8 80
    --47e91e76-B--
    GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/elastix.conf%00&module=Accounts&action HTTP/1.1
    host: 5.6.7.8
    Accept: */*
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0
    Connection: keep-alive
    --47e91e76-F--
    HTTP/1.1 404 Not Found
    Keep-Alive: timeout=5, max=97
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: application/x-httpd-php
    --47e91e76-E--
    --47e91e76-H--
    Message: Warning. Found 1 byte(s) in ARGS:current_language outside range: 1-255. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "333"] [id "960901"] [rev "2.2.7"] [msg "Invalid character in request"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/EVASION"] [tag "WASCTC/WASC-28"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE3"] [tag "PCI/6.5.2"] [tag "http://i-technica.com/whitestuff/asciichart.html"]
    Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:host. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.7"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
    Message: Warning. Pattern match "\\/etc\\/" at ARGS:current_language. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "221"] [id "958700"] [rev "2.2.7"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]
    Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 9, SQLi=, XSS=): Remote File Access Attempt"]
    Apache-Handler: jakarta-servlet
    Stopwatch: 1358461262933933 9604 (- - -)
    Stopwatch2: 1358461262933933 9604; combined=7376, p1=406, p2=6695, p3=3, p4=122, p5=149, sr=114, sw=1, l=0, gc=0
    Response-Body-Transformed: Dechunked
    Producer: ModSecurity for Apache/2.7.0 (http://www.modsecurity.org/); core ruleset/2.2.7.
    Server: Apache
    --47e91e76-Z--

    Check here for additional information about the ModSecurity log.

Apache Configuration

First, check that audit log generation is enabled in the Apache configuration or in the ModSecurity configuration file (e.g. /etc/modsecurity/modsecurity.conf) and that it is set up as Serial.

ModSecurity audit log configuration

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

Here you can find additional information on the audit log configuration options.

Rsyslog Configuration

The following rsyslog configuration file is used:

/etc/rsyslog.d/45-modsecurity.conf

$template modsecurity,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"
# File access
$InputFileName /var/log/apache2/modsec_audit.log
$InputFileTag web.apache.mod-security.pro.myapp.www1: 
$InputFileStateFile stat-file1-ModSecurityAudit
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
 
 
# SSL config for logtrust secure relay
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector
 
if $syslogtag contains 'web.apache.mod-security' and $syslogfacility-text == 'local7' then @@LOGTRUST-RELAY:PORT;modsecurity
:syslogtag, contains, "web.apache.mod-security" ~
  • Replace LOGTRUST-RELAY and PORT with the host name and port of your Devo In-house Relay.
  • If you send the data to a secure relay, uncomment the SSL section of the configuration file.
