[Owasp-modsecurity-core-rule-set] No rule-id in audit/error log with Nginx and MS3/CRS3

Christian Folini christian.folini at netnea.com
Thu Nov 24 15:59:36 UTC 2016


On Thu, Nov 24, 2016 at 04:41:49PM +0100, Muenz, Michael wrote:
> Did you reply to the list or PN? :)

Maybe I made a mistake. The idea was to respond via the list.
Doing that now.

> I'm not quite sure if it's nginx itself, I'm a bit new to it.
> 
> This is the auditlog:
> 
> ---CMTQD8zC---A--
> [24/Nov/2016:16:39:45 +0100] 148000198565.715452 XXX
> ---CMTQD8zC---B--
> GET /?s=../../../../etc/passwd HTTP/1.1
> REQUEST_HEADERS:Host: XXX
> REQUEST_HEADERS:Connection: keep-alive
> REQUEST_HEADERS:Upgrade-Insecure-Requests: 1
> REQUEST_HEADERS:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64;
> x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99
> Safari/537.36
> REQUEST_HEADERS:Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> REQUEST_HEADERS:Accept-Encoding: gzip, deflate, sdch
> REQUEST_HEADERS:Accept-Language:
> de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4,fr;q=0.2
> ---CMTQD8zC---D--
> ---CMTQD8zC---E--
> ---CMTQD8zC---F--
> RESPONSE_HEADERS:Server: nginx/1.11.5
> RESPONSE_HEADERS:Date: Thu, 24 Nov 2016 15:39:45 GMT
> RESPONSE_HEADERS:Content-Length: 571
> RESPONSE_HEADERS:Content-Type: text/html
> RESPONSE_HEADERS:Connection: keep-alive
> ---CMTQD8zC---H--
> ---CMTQD8zC---I--
> ---CMTQD8zC---J--
> ---CMTQD8zC---Z--

The interesting bit: the H part is empty.

That is very odd. What is your SecAuditLogParts setting?

Maybe you remove it for a test, so it reverts to the default, which should
bring you the H audit log part.

Ahoj,

Christian


-- 
No man is more unhappy than he who never faces adversity. 
For he is not permitted to prove himself.
-- Seneca
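As an added example (not code from the thread or from the ModSecurity project), a small parser for the libmodsecurity native audit log format quoted above: it splits an entry on the `---<id>---<letter>--` boundaries, reports which of the data-carrying parts (A, B, H) are empty, and extracts any `[id "..."]` rule ids from part H. The sample entry is constructed from the quoted one, abridged; the expected-part list and the rule-id regex are my assumptions about the format.

```python
import re
from typing import Dict, List

# Constructed sample (abridged from the quoted entry). In the libmodsecurity
# native format every part starts with a boundary line "---<id>---<letter>--".
SAMPLE_ENTRY = """\
---CMTQD8zC---A--
[24/Nov/2016:16:39:45 +0100] 148000198565.715452 XXX
---CMTQD8zC---B--
GET /?s=../../../../etc/passwd HTTP/1.1
REQUEST_HEADERS:Host: XXX
---CMTQD8zC---D--
---CMTQD8zC---E--
---CMTQD8zC---F--
RESPONSE_HEADERS:Server: nginx/1.11.5
---CMTQD8zC---H--
---CMTQD8zC---I--
---CMTQD8zC---J--
---CMTQD8zC---Z--
"""

BOUNDARY = re.compile(r"^---(?P<uid>[A-Za-z0-9]+)---(?P<part>[A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')  # assumed shape of the id tag in H

def parse_audit_entry(text: str) -> Dict[str, List[str]]:
    """Split one audit entry into its lettered parts (letter -> content lines).
    Blank lines are dropped, so an empty part maps to an empty list."""
    parts: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        m = BOUNDARY.match(raw.strip())
        if m:
            current = m.group("part")
            parts.setdefault(current, [])
        elif current is not None and raw.strip():
            parts[current].append(raw.rstrip())
    return parts

def empty_parts(parts: Dict[str, List[str]], wanted: str = "ABH") -> List[str]:
    """Letters from `wanted` that are absent or carry no content. A, B and H
    should all have data when a rule triggered the entry; without H there is
    no rule id or message explaining why the request was logged."""
    return [p for p in wanted if not parts.get(p)]

def rule_ids(parts: Dict[str, List[str]]) -> List[str]:
    """Rule ids mentioned in the H (messages / audit trailer) part."""
    return [rid for line in parts.get("H", []) for rid in RULE_ID.findall(line)]
```

Running `empty_parts(parse_audit_entry(SAMPLE_ENTRY))` on the sample returns `['H']`, which is exactly the diagnosis made in the reply above.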