[Owasp-modsecurity-core-rule-set] Duplicate SecAuditLogParts?

Joshua Roback jroback at gmail.com
Mon Jul 13 18:43:01 UTC 2015

Good afternoon group,

I've come across an issue in which at times some of the SecAuditLogParts
are duplicate in my audit.log.  For example:

*--05761b09-C-- Here is some request body data -- --05761b09-C-- *

*alendar-set.js"></scrip<html> <head> <META HTTP-EQUIV="Content-Type"
Co▒WL<@ZL<PMOCcripXL<`ZL<EWOLpt1.2"> <!-- String.prototype.endsWith =
function(str) --*

Typically the 2nd C field contains improperly encoded characters as well.
Is this expected behavior?  Under what circumstances would this behavior
present itself?

Running ModSecurity for Apache V2.9
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20150713/f06c2ed6/attachment.html>

More information about the Owasp-modsecurity-core-rule-set mailing list