Exclude sensitive data from modsecurity log

Question

I'm setting up Modsecurity, and I have noticed that some sensitive data (credit card numbers) ends up in the log. How should I prevent this? Preferably I would want it logged, but with the sensitive data mangled.

Example of a sensitive line in access.log

id_offer=28&ch_name=%27+or+1%3D1&ch_address1=Korvstolsv%E4gen+2&ch_address2=&ch_zip=756+48&ch_city=STOCKHOLM&ch_email=aslask%40test.net&ch_phone=018-9999999&cardno=1234456712342345&cvc=123&expire_month=--&expire_year=--&send=Avbryt

Maybe it could be like this instead? (Scroll to right. The sensitive fields are cardno and cvs.)

id_offer=28&ch_name=%27+or+1%3D1&ch_address1=Korvstolsv%E4gen+2&ch_address2=&ch_zip=756+48&ch_city=STOCKHOLM&ch_email=aslask%40test.net&ch_phone=018-9999999&cardno=manglemanglemangle&cvc=xxx&expire_month=--&expire_year=--&send=Avbryt

An alternative would be to completely remove that part if it contains sensitive data.

Because of a comment that I should use POST instead of GET, this was a POST.

--36b1f462-A--
[30/May/2017:19:06:55 +0200] WS2mrwpABwsAACy1A9wAAAAG 185.624.636.40 61597 610.64.66.8 445
--36b1f462-B--
POST /wb/e/check.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 216
Referer: https://example.com/wb/e/auth.php
Connection: keep-alive
Upgrade-Insecure-Requests: 1
--36b1f462-C--
id_offer=28&ch_name=%27+or+1%3D1&ch_address1=Korvstolsv%E4gen+2&ch_address2=&ch_zip=756+48&ch_city=STOCKHOLM&ch_email=aslask%40test.net&ch_phone=018-9999999&cardno=1234456712342345&cvc=123&expire_month=--&expire_year=--&send=Avbryt

Your application should be redesigned to use POST instead of GET for these queries. — EEAA, May 31 '17 at 13:07
I know, but that's a major task and outside my responsibility and authority. — klutt, May 31 '17 at 13:10
Answer to https://serverfault.com/questions/728575/what-rule-can-i-use-in-modsecurity-to-log-post-payload-for-a-specific-site has pointer to modsecurity's `sanitise` functionality which sounds like what you need. Have you tried that? More details at https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#sanitiseArg — Paul Haldane, May 31 '17 at 14:55

score 1 · Accepted Answer · answered May 31 '17 at 17:26

1

Have a deeper look at this: https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch04-logging.html "Remove Sensitive data from Audit Logs".

In your case should be:

SecRule ARGS "@verifyCC \d{13,16}" "phase:5,nolog,pass,\
sanitiseMatched"

answered May 31 '17 at 17:26

Marco

1,679
3
17
31

Worked like a charm. I just had to figure out why it fired on some numbers but not on others, and then I realized that I needed to use rx instead of verfiyCC – klutt Jun 01 '17 at 20:33

Exclude sensitive data from modsecurity log

1 Answers1