-
-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
missing hostname in logs #517
Conversation
It does look like modsecurity sets that badly-named "hostname" variable to an IP address: https://github.com/SpiderLabs/ModSecurity/blob/4127c1bf52d2b30a5c2c3e641b8085fd9a720f43/src/rule_message.cc#L45 Now that I think of it, I normally find out the real hostname by looking at the modsecurity audit logs which includes the full HTTP request that triggered the rule. Doesn't seem like that kind of audit logging exists in Coraza yet, so I do like the idea of an extra section in the existing logs in the meantime. I'm not too worried about sanitization since Coraza is designed to log attack attempts anyway. |
@mac-chaffee Depends on the tool you are using to look at logs. I would say we should sanitize it before sending it out to a filesystem/tool. More information here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that resolveIP
was meant to get the actual name from the ServerIPAddress(). I don't know if we want to do an extra name resolution before logging, but if someone needs it we might use a config parameter like HostnameLookups Off
from Apache.
So the quick solution is to use the ServerIPAddress
as this PR proposes for the resolveIP (probably adding a comment also), and in the future we can add configurable reverse resolution if needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can merge this one and create a follow up ticket.
Codecov ReportBase: 78.44% // Head: 78.43% // Decreases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## v3/dev #517 +/- ##
==========================================
- Coverage 78.44% 78.43% -0.01%
==========================================
Files 145 145
Lines 6981 6980 -1
==========================================
- Hits 5476 5475 -1
Misses 1274 1274
Partials 231 231
Flags with carried forward coverage won't be shown. Click here to find out more.
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
FYI, related conversation ModSecurity side: owasp-modsecurity/ModSecurity#2906 |
Hi there,
taking a look at #515, indeed
resolvedIP
variable is never populated.To my eyes seems that the right value could be the
ServerIPAddress
, populated at the beginning of the transaction, whenProcessConnection
is called:coraza/internal/corazawaf/transaction.go
Line 638 in bffb435
Still, taking a look at the connector, this fix would just populate the field with the IP and may not be useful for @mac-chaffee usecase.
If it sounds reasonable I can, as proposed, catch the
Host
header adding it to a newtx.variables
, but I'm wondering about sanitizing the retrieved value 🤔.Attempt to close #515.