
Modsecurity Audit Log Section A logging IP addresses in HEX #2300

Closed
inaratech opened this issue Apr 27, 2020 · 16 comments · Fixed by #2424
Labels
3.x Related to ModSecurity version 3.x

Comments

@inaratech

inaratech commented Apr 27, 2020

Hi,
Our modsecurity Audit log is logging section A in HEX, i.e. SRC IP and DST IP are all in HEX. Tried searching for references to get this fixed but could not find anything, therefore asking here.
A similar configuration on a different server logs IP addresses correctly.
Sample row is as follows:
---zbDIkyKt---A--
[19/Apr/2020:13:50:48 +0900] 1587713388 0x562458815bb0 54952 0x562470244600 443

@zimmerle
Contributor

Hi @inaratech,

What are the versions of your ModSecurity and Nginx connector?

@zimmerle zimmerle self-assigned this Apr 28, 2020
@zimmerle zimmerle added the 3.x Related to ModSecurity version 3.x label Apr 28, 2020
@inaratech
Author

nginx-1.17.9
Modsecurity_nginx connector v1.0.1 - 2019-Dec-16
Modsecurity v3.0.4 - 2020-Jan-13

@phil47

phil47 commented May 2, 2020

Hello all,

For information, I have the same problem on:
Ubuntu 18.04.4 LTS
nginx/1.17.10 from nginx repository
Modsecurity-nginx v1.0.1 - 2019-Dec-16
Modsecurity v3.0.4 - 2020-Jan-13

I tried to install Apache server with modsecurity on the same server and there is no problem to get the real IP address.

@zavazingo

zavazingo commented May 4, 2020

Yesterday I faced the same problem. It wasn't a hex IP. It was a pointer address.
Here is the quick fix. At ModSecurity/src/transaction.cc change the lines like below:

line 1525 - audit_log << " " << this->m_clientIpAddress->c_str();
line 1527 - audit_log << " " << m_serverIpAddress->c_str();

Regards.
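The mechanism behind the fix above, as an added example that is not ModSecurity's own code: a stripped-down stand-in for the Transaction members named in this thread (the struct layout, the `sampleTransaction()` values and the two `partA*` functions are assumptions for illustration; 203.0.113.10 and 198.51.100.7 are constructed documentation addresses). Streaming a pointer member into the audit log invokes the pointer overload of `operator<<`, so the log receives the address of the string object in hex instead of its characters; writing `->c_str()` (or `*ptr`) emits the value.

```cpp
// Added example, not ModSecurity's own code: why a pointer member ends up in
// audit log part A as a hex address, and the corrected form from this thread.
#include <iostream>
#include <memory>
#include <sstream>
#include <string>

struct Transaction {
    // Hypothetical layout: the IP addresses are held behind pointers, as the
    // thread describes for m_clientIpAddress / m_serverIpAddress.
    std::shared_ptr<std::string> m_clientIpAddress;
    std::shared_ptr<std::string> m_serverIpAddress;
    int m_clientPort;
    int m_serverPort;
    std::string m_timeStamp;  // already formatted, e.g. "19/Apr/2020:13:50:48 +0900"
    long m_epoch;
};

// Constructed sample values (RFC 5737 documentation addresses).
Transaction sampleTransaction() {
    Transaction t;
    t.m_clientIpAddress = std::make_shared<std::string>("203.0.113.10");
    t.m_serverIpAddress = std::make_shared<std::string>("198.51.100.7");
    t.m_clientPort = 54952;
    t.m_serverPort = 443;
    t.m_timeStamp = "19/Apr/2020:13:50:48 +0900";
    t.m_epoch = 1587713388;
    return t;
}

// The defect: operator<< has an overload for shared_ptr (and for any raw
// pointer) that prints the pointer value, so the log line gets "0x..."
// instead of the text the pointer refers to.
std::string partABuggy(const Transaction &t) {
    std::stringstream audit_log;
    audit_log << "[" << t.m_timeStamp << "] " << t.m_epoch;
    audit_log << " " << t.m_clientIpAddress;   // pointer, not the string
    audit_log << " " << t.m_clientPort;
    audit_log << " " << t.m_serverIpAddress;   // pointer, not the string
    audit_log << " " << t.m_serverPort;
    return audit_log.str();
}

// The fix from the thread: go through the pointer and write the characters.
std::string partAFixed(const Transaction &t) {
    std::stringstream audit_log;
    audit_log << "[" << t.m_timeStamp << "] " << t.m_epoch;
    audit_log << " " << t.m_clientIpAddress->c_str();
    audit_log << " " << t.m_clientPort;
    audit_log << " " << t.m_serverIpAddress->c_str();
    audit_log << " " << t.m_serverPort;
    return audit_log.str();
}

int main() {
    Transaction t = sampleTransaction();
    std::cout << "buggy: " << partABuggy(t) << "\n";
    std::cout << "fixed: " << partAFixed(t) << "\n";
    return 0;
}
```

From a defender's point of view the consequence is that every audit record written by an affected build carries no usable client or server address in part A, which is the field an incident responder pivots on; the pointer values also differ between processes, so they cannot be mapped back to a host after the fact.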

@zimmerle
Contributor

zimmerle commented May 4, 2020

The bug is confirmed. The fix is really about getting the value out of this pointer. We are currently working on something else that will present the fix for that issue as a side effect. Therefore I am leaving it as is for now. In a couple of days the new code will be on v3/master. Thanks for the report.

@ghost

ghost commented May 28, 2020

Hey fellows, has this bug been fixed officially?
Just had this issue and ended up here on this thread :)
Thanks much!
Andre.

@5472-1

5472-1 commented Jun 16, 2020

Hi. Same issue here.

Specs:

Ubuntu 20.04 LTS
Modsecurity v3.0.4 - 2020-Jan-13
Apache/2.4.41 (Ubuntu) 2020-04-13
ModSecurity-apache connector v0.0.9-beta1 - 2017-Dec-22

Tried Zavazingo's workaround but got an error at compile time. Tried other things like a reinterpret_cast to change the string to a pointer, but even after compiling it doesn't seem to have an effect.
Edit: Also the destination port seems to always be 0.
Tried Zavazingo's workaround again. Now all good. And the port issue had to do with Apache's configuration.

@altmas5

altmas5 commented Aug 21, 2020

Hi, same issue, these are the versions:

ModSecurity-nginx Connector shows v1.0.x - YYYY-MMM-DD (To be released)
modsecurity-crs 3.0.2-1
nginx version: nginx/1.14.0
Ubuntu 18.04.4 LTS

@hazardousmonk

hazardousmonk commented Sep 9, 2020

Same issue. Is it fixed in the new version?

ModSecurity-Nginx Connector v1.0.1
Nginx 1.18.0
Debian 10

@coledeihs

I'm using the most recent ModSecurity and the public IP addresses are still not showing up in the modsec_audit.log. It just shows a hex value.

@martinhsv
Contributor

Hello @coledeihs ,

It's very unlikely that you are seeing this issue in the current version of ModSecurity.

To confirm, I just checked this again with v3.0.6 and the address in audit log part A was in the expected ddd.dd.dd.ddd format.

How have you confirmed that you have the "most recent ModSecurity"?

@coledeihs

I'm using: git clone https://github.com/SpiderLabs/ModSecurity.git
and the modsecurity connector for NGINX: git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
and: nginx version: nginx/1.18.0

@martinhsv
Contributor

@coledeihs ,

This is what my section A (in the ModSecurity audit log) looks like in a recent test with v3.0.6:

---scDx0BQ3---A--
[05/Jan/2022:06:11:27 -0800] 1641391887 192.168.254.167 53510 192.168.254.169 80

If you are seeing hex output instead of expected IPv4 addresses in this location, then I cannot reproduce what you are seeing.

If that is indeed the case, you would need to do some follow up on your own to identify what other conditions might be distinctive about your scenario. Perhaps use a packet capture. And what is the value of REMOTE_ADDR? E.g. :

SecAction  "id:3004,phase:1,log,pass,msg:'remote addr =%{REMOTE_ADDR}'"

@coledeihs

Updated ModSecurity to 3.0.6, still having the same issue.

What version of NGINX are you using? I'm using NGINX 1.18.0.

@coledeihs

What does your main.conf look like for Modsec?

@martinhsv
Contributor

Hi @coledeihs ,

You didn't mention if you tried what I suggested four days ago; the results of that investigation could have been useful. As of now, I'm afraid I cannot allocate more time to this.

As some final suggestions if you want to investigate further on your own:

  1. Confirm that you are using the updated code:
    a) since you are downloading from git, check that the actual lines of code correcting this error (check the related pull request) are present before you do the build;
    b) double check that you didn't accidentally omit a critical step like 'make install' or restarting nginx.
  2. Try the suggestions from four days ago.
  3. If (2) doesn't illuminate anything, try a standard install without any special settings or addons. Do you still always see the same thing? If not, try to identify what is different from the environment where you do experience it.
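A complementary check for anyone triaging this on their own logs, as an added example that is not part of the thread or of ModSecurity: scan an audit log in the serial/native format and flag part A records whose address fields are not IP literals. The sample log below is constructed from the two part A rows quoted in this issue (the affected v3.0.4 row and the healthy v3.0.6 row), with minimal `---id---Z--` framing added; the function and struct names are this example's own.

```cpp
// Added example, not part of ModSecurity: scan a ModSecurity v3 audit log and
// flag part A records whose client/server address fields are not IP literals,
// e.g. the "0x..." pointer values described in this issue.
#include <iostream>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

struct PartACheck {
    std::string txId;      // transaction id from the "---<id>---A--" header
    std::string clientIp;  // field after the epoch in the part A row
    std::string serverIp;  // field after the client port in the part A row
    bool ok;               // true when both fields look like IP literals
};

// Accept dotted-quad IPv4 or colon-separated IPv6 (IPv4-mapped forms included).
// A pointer such as "0x562458815bb0" fails both: it has an 'x' and no ':'.
bool isIpLiteral(const std::string &s) {
    static const std::regex v4(R"(^\d{1,3}(\.\d{1,3}){3}$)");
    static const std::regex v6(R"(^[0-9A-Fa-f:.]+$)");
    if (std::regex_match(s, v4)) return true;
    return s.find(':') != std::string::npos && std::regex_match(s, v6);
}

std::vector<PartACheck> checkAuditPartA(const std::string &log) {
    static const std::regex header(R"(^---([A-Za-z0-9]+)---A--\s*$)");
    std::vector<PartACheck> out;
    std::istringstream in(log);
    std::string line;
    std::smatch m;
    while (std::getline(in, line)) {
        if (!std::regex_match(line, m, header)) continue;
        std::string row;
        if (!std::getline(in, row)) break;          // header with no row after it
        // Row layout: "[timestamp tz] epoch client cport server sport".
        // The timestamp contains a space, so split after the closing bracket.
        std::string::size_type close = row.find("] ");
        if (close == std::string::npos) continue;
        std::istringstream fields(row.substr(close + 2));
        std::string epoch, client, cport, server, sport;
        fields >> epoch >> client >> cport >> server >> sport;
        out.push_back({m[1].str(), client, server,
                       isIpLiteral(client) && isIpLiteral(server)});
    }
    return out;
}

// Constructed sample: the affected row quoted by the reporter and the healthy
// v3.0.6 row quoted later in the thread, wrapped in minimal log framing.
const std::string kSampleAuditLog =
    "---zbDIkyKt---A--\n"
    "[19/Apr/2020:13:50:48 +0900] 1587713388 0x562458815bb0 54952 0x562470244600 443\n"
    "---zbDIkyKt---Z--\n"
    "\n"
    "---scDx0BQ3---A--\n"
    "[05/Jan/2022:06:11:27 -0800] 1641391887 192.168.254.167 53510 192.168.254.169 80\n"
    "---scDx0BQ3---Z--\n";

int main() {
    for (const PartACheck &c : checkAuditPartA(kSampleAuditLog)) {
        std::cout << c.txId << ": client=" << c.clientIp << " server=" << c.serverIp
                  << (c.ok ? " ok" : " ADDRESS IS NOT AN IP LITERAL (pointer value?)")
                  << "\n";
    }
    return 0;
}
```

Running it over a real log answers the first question in the list above directly: if every record written after the rebuild still fails the check, the running binary does not contain the corrected lines; if only older records fail, the records from the affected period should be treated as missing their address data when they are used for investigation.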

9 participants