regex for ModSecurity log detection is incomplete
Posted: 27 Aug 2012, 21:01
Hi, I have found a bug with the regex used to monitor Apache error logs for ModSecurity events.
As you have it now, it can only detect DENY events. It cannot, however, detect DROP events.
Currently:

    \[error\] \[client (\S+)\] mod_security: Access denied with code/))
    \[error\] \[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with code/))

Except DROP events use the log line:

    [error] [client x.x.x.x] ModSecurity: Access denied with connection close (phase 1).

(the "phase 1" is optional and can vary, but the rest remains the same for DROP)
So it's never matched and CSF never catches the event to block the IP at iptables level.
Thanks for all the brilliant work on CSF!
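To make the gap concrete, here is an added example (not code from the poster or from CSF) that runs the two regexes quoted in the post, plus a hypothetical broadened pattern, over constructed Apache 2.2 style error_log lines. The broadened pattern, the sample lines and the IP addresses are all assumptions for illustration; the only thing taken from the post is the two current patterns and the shape of the DROP line. It shows that the current patterns extract the client IP only for "Access denied with code NNN" (DENY) lines, while a pattern that also accepts "connection close" (DROP) picks up both, which is what a log-driven blocker needs in order to act on DROP events.

```python
import re

# The two patterns quoted in the post. The trailing "/))" in the post is
# surrounding Perl source, so it is dropped here to make them plain regexes.
CURRENT_PATTERNS = [
    r"\[error\] \[client (\S+)\] mod_security: Access denied with code",
    r"\[error\] \[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with code",
]

# Hypothetical broadened pattern (an assumption, not CSF's shipped regex):
# accept either "code NNN" (DENY) or "connection close" (DROP) after
# "Access denied with", keep the optional bracketed tags, and accept both
# the old "mod_security:" and the newer "ModSecurity:" prefixes.
PROPOSED_PATTERN = (
    r"\[error\] \[client (\S+)\] (?:mod_security|ModSecurity):(?: \[[^]]+\])* "
    r"Access denied with (?:code \d+|connection close)"
)

# Constructed sample log lines (RFC 5737 test addresses, not a real server).
SAMPLE_LINES = [
    # DENY event, ModSecurity 2.x prefix
    "[Mon Aug 27 21:01:00 2012] [error] [client 192.0.2.10] ModSecurity: "
    "Access denied with code 403 (phase 2). Pattern match \"union\" at ARGS:q.",
    # DROP event, the line shape the post says is never matched
    "[Mon Aug 27 21:01:01 2012] [error] [client 192.0.2.11] ModSecurity: "
    "Access denied with connection close (phase 1).",
    # DROP event with a bracketed tag before the message (constructed)
    "[Mon Aug 27 21:01:02 2012] [error] [client 192.0.2.12] ModSecurity: "
    "[hostname \"www.example.com\"] Access denied with connection close (phase 1).",
    # Unrelated error_log noise that must never produce a block
    "[Mon Aug 27 21:01:03 2012] [error] [client 192.0.2.13] "
    "File does not exist: /var/www/html/favicon.ico",
    # DENY event, old mod_security 1.x prefix
    "[Mon Aug 27 21:01:04 2012] [error] [client 192.0.2.14] mod_security: "
    "Access denied with code 406.",
]


def offending_ips(lines, patterns):
    """Return the client IPs extracted from each line by the first matching pattern.

    Each pattern captures the client address in group 1, as the patterns in
    the post do; lines that match nothing are ignored.
    """
    hits = []
    for line in lines:
        for pattern in patterns:
            match = re.search(pattern, line)
            if match:
                hits.append(match.group(1))
                break
    return hits


def missed_by(lines, current_patterns, proposed_pattern):
    """IPs the broadened pattern would block that the current patterns miss."""
    seen = set(offending_ips(lines, current_patterns))
    return [ip for ip in offending_ips(lines, [proposed_pattern]) if ip not in seen]


if __name__ == "__main__":
    print("current patterns block :", offending_ips(SAMPLE_LINES, CURRENT_PATTERNS))
    print("proposed pattern blocks:", offending_ips(SAMPLE_LINES, [PROPOSED_PATTERN]))
    print("DROP events missed     :", missed_by(SAMPLE_LINES, CURRENT_PATTERNS, PROPOSED_PATTERN))
```

Run as a script it lists which constructed lines each regex set would act on; the two "connection close" lines are the ones only the broadened pattern catches, while the favicon noise line matches neither set.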