New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SecAuditLogParts "H" not being written in some cases #2000
Comments
@victorhora were you able to check deeper on this one? Let me know if I could help. |
Hey @defan, Going to have a look at it this week and let you know! :) |
Any progress? I also had problem with missing "H" log part. |
@victorhora @zimmerle any chance to address this one before 3.0.4? :) |
Hi @defanator, sorry the delay :( The problem seems to be that the conditions to push ruleMessage below is not met when only deny action is used: Then when the for loop to append m_rulesMessages to the audit_log string stream is called, the content of this std::list seems to be empty: I think that this commit changed the behaviour: 69cd614 |
We could fix with a condition to check if the "deny" action is present (or any disruptive action), but PR #2048 is up for evaluation. Let's see if the buildbots flag any issue :) |
Merged at: d4dc3db |
Describe the bug
Our friend @defanator have recently reported a strange behaviour where SecAuditLogParts "H" is not being written to the audit_log in some cases. Namely:
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"
SecRule ARGS:testparam "@contains test" "id:1234,block,log,status:403"
The difference being block action vs deny action.
Logs and dumps
To Reproduce
Steps to reproduce the behavior:
the above audit log is for 2 requests with such configuration:
SecRule ARGS:testparam "@contains deny" "id:1,deny,log,status:403"
SecRule ARGS:testparam "@contains block" "id:2,block,log,status:403"
Expected behavior
Part "H" should be written to the audit_logs regardless.
Server (please complete the following information):
Rule Set (please complete the following information):
Additional context
Pending to test the behaviour on v2;
Interesting fact is that the same message (which should be in section H) is going to nginx error log just fine, in both cases;
modifying SecDefaultAction doesn't help;
Also worth checking changing “block” to “pass” It could help us nailing down where the issue lies
For the reference: https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/transaction.cc#L1486-L1493
Another relevant piece of code: https://github.com/SpiderLabs/ModSecurity/blob/1ecd9713061c3534626bf6a5f59d1c928c0c52bb/src/rule.cc#L805-L822
H is generated over an iteration on rule msg. If not pushed to this array it won't make to the audits
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
Getting the same parts in audit log, while "block" now leads to 403
The text was updated successfully, but these errors were encountered: