
I am running the latest version of ModSecurity on Ubuntu 18.04 and I'm having an odd problem that I cannot find through searching.

The problem is that certain visitors to my server are posting the entire contents of web pages to the log. The requests are usually GET and Content-Length is often 14818 or longer.

Obviously, this makes the logs much larger, but more importantly, it hinders the security by bogging it down while analyzing so much content.

The log is far too large to post here, so I've only posted the top header lines. The content starts in the "--03dd7202-E--" section below and goes on for another 350 lines or so. It's the full content of the index.html file in the root of the domain directory. The connection appears to be of Russian origin, so does that mean anything?

I don't see how this is acceptable behavior. I do not see this content in the apache2 logs, only in the Modsec_audit.log.

Hopefully someone has heard of this problem and can suggest a direction to look without the entire log itself. It's over 400 lines long. Too much to post here.

Note: This is not about uploading files of any sort. This is about the fact that I'm getting the content of web pages (on my server) in the ModSecurity log.

Thanks

--03dd7202-A--
[03/Mar/2019:18:20:30 --0500] XHnhBvbr4wow5A1f3YZxVmAAAAU 46.118.156.122 34262 192.168.4.12 80
--03dd7202-B--
GET / HTTP/1.1
Referer: https://mamylik.ru/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727)
Host: MySampleDomain.com

--03dd7202-F--
HTTP/1.1 200 OK
Set-Cookie: phpbb3_t6uai_u=1; expires=Mon, 02-Mar-2020 23:20:30 GMT; path=/; domain=MySampleDomain.com; secure; HttpOnly
Set-Cookie: phpbb3_t6uai_k=; expires=Mon, 02-Mar-2020 23:20:30 GMT; path=/; domain=MySampleDomain.com; secure; HttpOnly
Set-Cookie: phpbb3_t6uai_sid=b5b4cde34n4520cac0f57bb30657e4b9; expires=Mon, 02-Mar-2020 23:20:30 GMT; path=/; domain=MySampleDomain.com; secure; HttpOnly
Cache-Control: private, no-cache="set-cookie"
Expires: Sun, 03 Mar 2019 23:20:30 GMT
Vary: Accept-Encoding
Content-Length: 14818
Content-Type: text/html; charset=UTF-8

--03dd7202-E--
<!DOCTYPE html>
<html dir="ltr" lang="en-gb">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1" />

<title>MySampleDomain.com - Index page</title>




<link rel="alternate" type="application/atom+xml" title="Feed - MySampleDomain.com" href="/app.php/feed?sid=b5b4cde34n4520cac0f57bb30657e4b9">
<link rel="alternate" type="application/atom+xml" title="Feed - New Topics" href="/app.php/feed/topics?sid=b5b4cde34n4520cac0f57bb30657e4b9">


<link href="./assets/css/font-awesome.min.css?assets_version=2" rel="stylesheet">
<link href="./styles/elegance_3.2.5/theme/stylesheet.css?assets_version=2" rel="stylesheet">
User6655

1 Answer


https://www.feistyduck.com/library/modsecurity-handbook-free/online/ch04-logging.html

It is a little-known fact that I originally started to work on ModSecurity because I was frustrated with not being able to log full HTTP transaction data. The audit log, which does just that, was one of the first features implemented.

Remove the E ("Response body") parameter from SecAuditLogParts. See the "Table 4.4. Audit log parts" section for all possible parameters and just log the ones you want.

ceejayoz
  • This comes up, incidentally, via a Google search for "mod_security http responses in log file", if you're curious about the right search terms to have been using. – ceejayoz Mar 04 '19 at 02:48
  • Thanks so much. I failed Google 101. I tried numerous searches and even searched the ModSecurity site but found nothing like you posted. Now I need to figure out how seeing the source of webpages in the audit log is helpful? Seems a tremendous waste of resources and can bog the security system down. Just the same, your help is appreciated. Just what I was looking for. I upvoted your reply and will mark it as the accepted answer. – User6655 Mar 04 '19 at 14:35
  • @User6655 Sometimes the malicious payload is in the request body, so having it would be helpful to see what was being attempted. – ceejayoz Mar 04 '19 at 19:22
  • It's off by default for the very reasons you give. But it may be useful to turn on temporarily if you block based on responses to prevent information leakage but you want to see that response. The Audit Log should only log failures (SecAuditEngine RelevantOnly) which should be blocked in which case I would expect the responses to be small (basically a 403 without content). If you are logging all responses, or are using anomaly detection blocking, then yes this will get very noisy if changed from the default to log this. – Barry Pollard Mar 09 '19 at 08:11