
I am new to ModSecurity. It works great on the server, but I would like to control the way it logs things. For example, as I am troubleshooting my website in order to whitelist or correct PHP coding problems so that I can have a clean modsec_audit.log when everything is working properly, I came across the following.

Whenever I request a URL that is password protected either by basic or htdigest authentication, ModSecurity logs this in modsec_audit.log as follows:

htdigest Authentication:

--838e7b1b-A--
[17/Nov/2013:19:13:51 +0200] Uoj5T8CoAWQAABfMVE0AAAAA xxx.xxx.xxx.xxx XXXXX xxx.xxx.xxx.xxx XXXXX
--838e7b1b-B--
GET / HTTP/1.1
Host: XXX.XXX.com:XXXX
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

--838e7b1b-F--
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Digest realm="Members Only", nonce="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", algorithm=MD5, qop="auth"
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 290
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--838e7b1b-H--
Stopwatch: 1384708431494144 2002 (- - -)
Stopwatch2: 1384708431494144 2002; combined=32, p1=0, p2=0, p3=0, p4=0, p5=32, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache

--838e7b1b-Z--

or

basic Authentication:

--b8248f7a-A--
[17/Nov/2013:19:28:11 +0200] Uoj8q8CoAWQAABgxs7kAAAAM xxx.xxx.xxx.xxx XXXXX xxx.xxx.xxx.xxx XXXXX
--b8248f7a-B--
GET / HTTP/1.1
Host: XXX.XXX.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Connection: keep-alive

--b8248f7a-F--
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="Members Only"
Content-Encoding: gzip
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache, private, no-transform, must-revalidate, proxy-revalidate, post-check=300, pre-check=300, max-age=300
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

--b8248f7a-H--
Apache-Handler: x-httpd-suphp
Stopwatch: 1384709291811105 152463 (- - -)
Stopwatch2: 1384709291811105 152463; combined=54, p1=0, p2=0, p3=0, p4=0, p5=54, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache

--b8248f7a-Z--

The above logging takes place right after the request; I am not showing what happens on a failed or successful password at all.

My question is whether there is any way to stop it from logging this. I tried to whitelist my IP, but it had no result. I am not sure whether it is a good idea to stop it from logging such a thing or not, but I think it will just flood /var/log/apache2/modsec_audit.log with such information every time "I" even request a password-protected URL.

Some more info about my server:

# apt-cache show libapache-mod-security | grep Version
Version: 2.6.6-6+deb7u1

I use the following rules so far:

/usr/share/modsecurity-crs/base_rules/

...and modsecurity.conf-recommended as modsecurity.conf

Thanks in advance. Cheers

EDIT:

I think I have found a workaround which solves the issue.

To exclude status 401 from being logged, I changed the SecAuditLogRelevantStatus regex in modsecurity.conf from this:

SecAuditLogRelevantStatus "^(?:5|4(?!04))"

to this:

SecAuditLogRelevantStatus "^(?:5|4\d[^41])"

I also made an additional change (not sure if it is that relevant): I changed SecDefaultAction in modsecurity_crs_10_setup.conf from this:

SecDefaultAction "phase:2,deny,log"

to this:

SecDefaultAction "phase:2,deny,log,noauditlog"

After testing on a password protected url, I now get nothing in modsec_audit.log which is exactly what I wanted. I am not sure if there was a much much smarter way to do this, but this works. Any comments appreciated.

durduvakis
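To see exactly which response codes each SecAuditLogRelevantStatus pattern from the question marks as audit-relevant, and what the workaround stops logging besides 401, here is an added Python check (not part of the question or of ModSecurity). It assumes, as ModSecurity does, that the pattern is matched against the three-digit status as a string; the third pattern is an alternative the question does not give, reusing the default's lookahead style to exclude only 401 and 404.

```python
import re

# Patterns from the question; TARGETED is an added alternative (assumption,
# not from the post) that excludes only 401 and 404 and nothing else.
ORIGINAL = r"^(?:5|4(?!04))"          # modsecurity.conf-recommended default
WORKAROUND = r"^(?:5|4\d[^41])"       # the poster's change
TARGETED = r"^(?:5|4(?!0[14]))"       # added alternative

# Constructed sample of status codes a web application commonly returns.
SAMPLE_STATUSES = ["200", "301", "400", "401", "403", "404", "405",
                   "411", "413", "414", "429", "500", "502", "503"]

def is_audit_relevant(pattern, status):
    """True if ModSecurity would write an audit entry for this status.

    SecAuditLogRelevantStatus is a PCRE pattern applied to the response
    status string; Python's re supports every construct used here
    (non-capturing groups, negative lookahead, character classes).
    """
    return re.search(pattern, status) is not None

def logged_statuses(pattern, statuses=SAMPLE_STATUSES):
    """Statuses in `statuses` that the pattern marks as relevant."""
    return [s for s in statuses if is_audit_relevant(pattern, s)]

def excluded_by_change(old_pattern, new_pattern, statuses=SAMPLE_STATUSES):
    """Statuses the old pattern logged that the new pattern silently drops."""
    return [s for s in statuses
            if is_audit_relevant(old_pattern, s)
            and not is_audit_relevant(new_pattern, s)]

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("workaround", WORKAROUND),
                      ("targeted", TARGETED)):
        print(f"{name:10s} {pat:22s} logs {logged_statuses(pat)}")
    # The workaround also drops 411 and 414 (and any other 4x1/4x4 code).
    print("workaround drops:", excluded_by_change(ORIGINAL, WORKAROUND))
```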

1 Answer

1) Ensure your whitelist rule bypasses on phase 1 and is placed highest among the rules in your rule set.

Here is an example rule:

# Dots are escaped so the pattern matches only this address, not any character.
SecRule REMOTE_ADDR "^111\.222\.333\.444$" "phase:1,nolog,allow,ctl:ruleEngine=off"

Notice it bypasses on phase 1 and does not continue to any further portion of the scanning process; it is set to allow, not to log at all, and is not subject to the rule engine.

2) HTTP 401 is a two-pronged error code. Access to the URL resource requires user authentication 1) which has not yet been provided or 2) which has been provided but failed authorization tests. This is important for remedial action on intrusion attempts such as brute force logins.

3) Is the date from these logs really from Nov 2013? You may need to update your date/time on your device.

Arlion
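Point 2 of the answer is the reason a defender may want to keep 401 entries: repeated 401s from one client are the raw material for spotting a brute-force attempt. As an added illustration (not the answerer's code), here is a Python parser for the serial audit log layout shown in the question (A, F and Z sections) that counts 401 responses per source address; the log sample is constructed, with made-up ids and addresses.

```python
import re
from collections import Counter

# Constructed sample in the serial audit log layout shown in the post
# (A = transaction line, F = response headers, Z = end); ids/addresses made up.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-A--
[17/Nov/2013:19:13:51 +0200] TXN000000000000000000001 198.51.100.7 51234 203.0.113.10 443
--a1b2c3d4-F--
HTTP/1.1 401 Authorization Required
--a1b2c3d4-Z--
--a1b2c3d5-A--
[17/Nov/2013:19:13:53 +0200] TXN000000000000000000002 198.51.100.7 51235 203.0.113.10 443
--a1b2c3d5-F--
HTTP/1.1 401 Authorization Required
--a1b2c3d5-Z--
--a1b2c3d6-A--
[17/Nov/2013:19:14:02 +0200] TXN000000000000000000003 192.0.2.55 40001 203.0.113.10 443
--a1b2c3d6-F--
HTTP/1.1 403 Forbidden
--a1b2c3d6-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Section A line: [timestamp] unique_id source_ip source_port dest_ip dest_port
SECTION_A = re.compile(r"^\[[^\]]+\] \S+ (\S+) \d+ \S+ \d+$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3}) ")

def parse_transactions(text):
    """Yield one {id, client, status} dict per A...Z transaction block."""
    txn = section = None
    for line in text.splitlines():
        if m := BOUNDARY.match(line):
            tid, section = m.groups()
            if section == "A":
                txn = {"id": tid, "client": None, "status": None}
            elif section == "Z" and txn is not None:
                yield txn
                txn = None
        elif txn is not None and section == "A" and (m := SECTION_A.match(line)):
            txn["client"] = m.group(1)
        elif txn is not None and section == "F" and (m := STATUS_LINE.match(line)):
            txn["status"] = txn["status"] or int(m.group(1))

def count_401_by_client(text):
    """401s per client; repeats from one source are the brute-force signal
    the answer says is lost when 401 responses are not audit-logged."""
    return Counter(t["client"] for t in parse_transactions(text) if t["status"] == 401)
```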