-
-
Notifications
You must be signed in to change notification settings - Fork 378
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
REQUEST-949: Increase msg verbosity of rule 949110 #1924
Conversation
@pmjdebruijn : Thank you for this contribution. You are basically repeating the information in 980130. While I personally do not like 980130, your PR creates redundancy and I wonder if that is what you really intend and if so why. |
I've made this change to be able to troubleshoot an issue we were having... It seems 980130 didn't get triggered for us... Presumably because 980130 evaluates TX.INBOUND_ANOMALY_SCORE while my change evaluates TX.ANOMALY_SCORE |
That's very odd, since the former is defined in 949110 based on the latter. This means if 949110 triggers, 980130 triggers too. I plan to overhaul this whole anomaly score logging, but that's the way it is meant to run right now and you introduce redundancy and if it's only in order to get this info, then the PR does not really add value since the info is already there. If you consistently do not get 980130, then we're open to investigate this with you, since it might be a bug. If I do a vanilla installation and the following curl call, then I get 949110 and 980130.
error.log:
I'm closing this for the time being. |
While I can reproduce your example case, for us this wasn't true for a false positive flagged via libinjection |
Can you provide a onedrive-example call (ideally curl) so I can check this out, please. I do not get a FP with this. I'm interested in learning about this. But it does not matter how what triggers the score. The deciding factor on 980130 is whether the request hit the anomaly score limit or not (in 949110). |
curl --insecure --verbose https://MYHOST/?url=https://whatever.com/onedrive.aspx?id=test Triggers the issue, however, it seems, proper logging does happen to modsecurity.log. Now I've noticed this in a test setup, where I cleared all logs before reproducing, so I'm guessing I must have missed this in our production situation due to modsecurity.log being a multiline format, which is much harder to grep/read through reliably. So I still think there is still some value in including slightly more information in error.log which is much easier to grep/parse. |
I confirm the libinjection false positive for this one. Here are my logs, including 980130.
You are right, that the logging is tricky to read correctly, namely when you work with the audit log. And I think this also explains why you did not notice your initial 980130 entry. One key to successful logging is usually to filter by the unique-ID which has the last position in the alert message that is written to the error.log. My tutorials at netnea.com advocate to write this unique-ID to the access.log as well. If you want to be a good web citizen, you could open a false positive report over at libinjection. But I have to admit, the bugs are piling up and development is not going anywhere. But at least it would be documented. |
As I already mentioned, it was already reported: client9/libinjection#151 I polished up that code, and created a proper pull request: client9/libinjection#153 |
Ah, sorry. I'm juggling too many issues in parallel here. Thank you for your work and submitting a PR. Now if only libinjection would return from the dead. |
It seems it's been resurrected by the libmodsec folks: |
We'll see if that gets any traction. |
No description provided.