Modsecurity Audit Log Section A logging IP addresses in HEX #2300
Comments
Hi @inaratech, What are the versions of your ModSecurity and Nginx connector?
nginx-1.17.9
Hello all, For information, I have the same problem on: I tried to install Apache server with modsecurity on the same server and there is no problem getting the real IP address.
Yesterday I faced the same problem. It wasn't a hex IP. It was a pointer address. Line 1525 - audit_log << " " << this->m_clientIpAddress->c_str(); Regards.
The bug is confirmed. The fix is really about getting the value out of this pointer. We are currently working on something else that will present the fix for that issue as a side effect. Therefore I am leaving it as is for now. In a couple of days the new code will be on v3/master. Thanks for the report.
Hey fellows, has this bug been fixed officially?
Hi. Same issue here. Specs: Ubuntu 20.04 LTS. Tried Zavazingo's workaround but got an error at compile time. Tried other things like reinterpret cast to change the string to a pointer, but even after compiling it doesn't seem to have any effect.
Hi, same issue, these are the versions:
Same issue. Is it fixed in the new version?
I'm using the most recent ModSecurity and the public IP addresses are still not showing up in the modsec_audit.log. It just shows a hex
Hello @coledeihs, It's very unlikely that you are seeing this issue in the current version of ModSecurity. To confirm, I just checked this again with v3.0.6 and the address in audit log part A was in the expected ddd.dd.dd.ddd format. How have you confirmed that you have the "most recent ModSecurity"?
I'm using: git clone https://github.com/SpiderLabs/ModSecurity.git
This is what my section A (in the ModSecurity audit log) looks like in a recent test with v3.0.6:
If you are seeing hex output instead of expected IPv4 addresses in this location, then I cannot reproduce what you are seeing. If that is indeed the case, you would need to do some follow up on your own to identify what other conditions might be distinctive about your scenario. Perhaps use a packet capture. And what is the value of REMOTE_ADDR? E.g. :
Updated ModSecurity to 3.0.6, still having the same issue. What version of NGINX are you using? I'm using NGINX 1.18.0
What does your main.conf look like for Modsec?
Hi @coledeihs, You didn't mention if you tried what I suggested four days ago; the results of that investigation could have been useful. As of now, I'm afraid I cannot allocate more time to this. As some final suggestions if you want to investigate further on your own:
Hi,
Our modsecurity Audit log is logging section A in HEX, i.e. SRC IP and DST IP are all in HEX. Tried searching for references to get this fixed but could not find anything, therefore asking here.
A similar configuration on a different server logs IP addresses correctly.
Sample row is as follows:
---zbDIkyKt---A--
[19/Apr/2020:13:50:48 +0900] 1587713388 0x562458815bb0 54952 0x562470244600 443
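A check for the symptom in the sample row above, as an added example that is not part of the original issue or the ModSecurity code base: it scans audit log section A headers and flags address fields that hold a `0x...` pointer value instead of an IP. The field order is assumed from the sample row; the function names and the second log entry are constructed for illustration.

```python
import ipaddress
import re

# Section A boundary, e.g. "---zbDIkyKt---A--" (format taken from the sample row in this issue).
BOUNDARY_A = re.compile(r"^---\w+---A--$")
# Assumed field order: [timestamp] unique_id client_addr client_port server_addr server_port
SECTION_A = re.compile(r"^\[[^\]]+\]\s+\S+\s+(?P<client>\S+)\s+\d+\s+(?P<server>\S+)\s+\d+$")
POINTER = re.compile(r"^0x[0-9a-fA-F]+$")

def classify(value):
    """Return 'ip', 'pointer' (0x... as in the bug report) or 'invalid'."""
    if POINTER.match(value):
        return "pointer"
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return "invalid"
    return "ip"

def check_section_a(lines):
    """Return (line_no, field, value, kind) for every address field that is not an IP."""
    findings = []
    expect_header = False
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        if BOUNDARY_A.match(line):
            expect_header = True
            continue
        if not expect_header:
            continue
        expect_header = False  # only the line right after the boundary is the header
        match = SECTION_A.match(line)
        if match is None:
            findings.append((line_no, "line", line, "unparsed"))
            continue
        for field in ("client", "server"):
            kind = classify(match.group(field))
            if kind != "ip":
                findings.append((line_no, field, match.group(field), kind))
    return findings

# First entry is the row from this issue; the second is constructed (documentation-range IPs).
SAMPLE = """---zbDIkyKt---A--
[19/Apr/2020:13:50:48 +0900] 1587713388 0x562458815bb0 54952 0x562470244600 443
---Ab12Cd34---A--
[19/Apr/2020:13:51:02 +0900] 158771346212.000001 192.0.2.10 54953 198.51.100.5 443
""".splitlines()
if __name__ == "__main__":
    print(check_section_a(SAMPLE))
```

Entries flagged as `pointer` carry no usable source address, so any alerting or correlation keyed on section A should fall back to the web server's own access log for those requests.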