regex for ModSecurity log detection is incomplete

aww+
Junior Member
Posts: 105
Joined: 27 Aug 2012, 20:53

regex for ModSecurity log detection is incomplete

Post by aww+ »

Hi, I have found a bug with the regex used to monitor Apache error logs for ModSecurity events.

As you have it now, it can only detect DENY events. It cannot, however, detect DROP events.

currently:


\[error\] \[client (\S+)\] mod_security: Access denied with code/)) 
\[error\] \[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with code/)) 
Except DROP events use the log line:


[error] [client x.x.x.x] ModSecurity: Access denied with connection close (phase 1).
(the phase 1 is optional and can vary, but the rest remains the same for DROP)

So it's never matched and CSF never catches the event to block the IP at iptables level.

Thanks for all the brilliant work on CSF!
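The check below is an added example, not csf's own code and not part of the post above. It runs the two expressions quoted in the post, and a widened version of each, over a handful of constructed Apache 2.2-style error-log lines so the gap is visible: the DENY line (`Access denied with code 403`) is caught by the current patterns, the DROP line (`Access denied with connection close`) only by the widened ones. Python's `re` is used because its syntax for these patterns is identical to the Perl csf uses; the `PROPOSED_PATTERNS`, the sample log lines and the client addresses are assumptions made for the example.

```python
import re

# Constructed sample Apache 2.2-style error-log lines (not real log data), modelled
# on the two formats quoted in the post: a DENY ("Access denied with code NNN"),
# a DROP ("Access denied with connection close"), a legacy mod_security DENY,
# and a plain warning that must never trigger a block.
SAMPLE_LOG = """\
[Mon Aug 27 20:53:01 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q.
[Mon Aug 27 20:53:02 2012] [error] [client 203.0.113.6] ModSecurity: Access denied with connection close (phase 1). Pattern match "..." at REQUEST_HEADERS:User-Agent.
[Mon Aug 27 20:53:03 2012] [error] [client 203.0.113.7] mod_security: Access denied with code 406. Pattern match "..." at ARGS:id.
[Mon Aug 27 20:53:04 2012] [error] [client 203.0.113.8] ModSecurity: Warning. Pattern match "..." at ARGS:q.
"""

# The two expressions quoted in the post (trailing Perl context stripped); they
# only recognise the DENY wording "Access denied with code".
CURRENT_PATTERNS = [
    re.compile(r'\[error\] \[client (\S+)\] mod_security: Access denied with code'),
    re.compile(r'\[error\] \[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with code'),
]

# Widened alternatives (an assumption about the fix, not csf's shipped regex):
# "code \d+" keeps the DENY match and "connection close" adds the DROP match.
# The "(phase N)" suffix is deliberately left out because it is optional and varies.
PROPOSED_PATTERNS = [
    re.compile(r'\[error\] \[client (\S+)\] mod_security: Access denied with (?:code \d+|connection close)'),
    re.compile(r'\[error\] \[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with (?:code \d+|connection close)'),
]


def extract_client_ips(log_text, patterns):
    """Return the client token captured by the first matching pattern on each line.

    Lines that no pattern matches are skipped, which is exactly how a DROP event
    goes unnoticed under CURRENT_PATTERNS: nothing is captured, so nothing is blocked.
    """
    hits = []
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits.append(m.group(1))
                break
    return hits


def missed_drop_events(log_text):
    """Client tokens the widened patterns catch but the current ones do not."""
    before = extract_client_ips(log_text, CURRENT_PATTERNS)
    after = extract_client_ips(log_text, PROPOSED_PATTERNS)
    return [ip for ip in after if ip not in before]


if __name__ == "__main__":
    print("current :", extract_client_ips(SAMPLE_LOG, CURRENT_PATTERNS))
    print("proposed:", extract_client_ips(SAMPLE_LOG, PROPOSED_PATTERNS))
    print("missed  :", missed_drop_events(SAMPLE_LOG))
```

Running it lists 203.0.113.5 and 203.0.113.7 under the current patterns, adds 203.0.113.6 under the widened ones, and leaves the warning line (203.0.113.8) unmatched in both cases. The `(\S+)` capture is kept as the post quotes it; note that it captures whatever token follows `client `, so any change to Apache's bracket format would need a matching change here.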

chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: regex for ModSecurity log detection is incomplete

Post by chirpy »

We'll add this in the next release. Thank you for reporting it.
