
List:       mod-security-users
Subject:    Re: [mod-security-users] Crippled audit-logs (was: AW:
From:       Brian Rectanus <Brian.Rectanus () breach ! com>
Date:       2008-06-16 22:48:28
Message-ID: 4856EDBC.8010300 () breach ! com

Hi Christian,

What version of libapr are you using?

If it must use a lock *file* (the default on Solaris is fcntl, which
uses a file), then it should create a randomized, temporary lock file
via mkstemp here:

/tmp/aprXXXXXX

Check permissions to make sure the process is capable of this.

Other than that, I think it is a Solaris issue when using the worker
MPM.  Best would be to avoid it by using concurrent logging.


-B


christian.folini@post.ch wrote:
> Oh, am I the only one to see this?
> 
> It's not very frequent, but it happens from time to time on my servers.
> 
> I'll provide you with a real world example (I cannot provide the full
> logs, as they contain information I may not reveal.
> The following is a washed excerpt from a logfile. Filenames, IP addresses
> and hostnames have been cleaned):
> 
> Host: Solaris 10, Apache 2.2.8, ModSecurity 2.1.4
> 
> (-> Sorry if this problem has been a problem that has been fixed in
> newer releases. For the cause of an audit-log parser discussion, I think
> it is still good to be able to parse these crippled files too.)
> 
> As Christian B. points out correctly, I have not seen it without logging
> the Response Body.
> 
> 
> SecAuditLogParts        "ABCIFHZ"
> SecDebugLog               /logs/.../modsec_debug.log
> SecDebugLogLevel        0
> 
> SecAuditLogType Serial
> SecAuditLog /logs/.../modsec_audit.log
> 
> 
> Real-World example:
> 
> --000074a6-A--
> [29/May/2008:02:36:52 +0200] ucE0@qwfsQsAACtXyMcAAACD 192.168.1.10 1202
> 192.168.1.5 80
> --000074a6-B--
> HEAD /index.html HTTP/1.1
> Connection: Keep-Alive
> User-Agent: Mozilla/4.06 [en] (WinNT; I)
> Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg, image/png,
> */*
> Accept-Language: en
> Accept-Charset: iso-8859-1,*,utf-8
> Host: 192.168.1.5
> 
> --000074a6-F--
> HTTP/1.1 200 OK
> Set-Cookie: trksessid=192.168.1.10.1212021412542412; path=/;
> domain=.example.com
> Last-Modified: Wed, 28 May 2008 05:57:50 GMT
> ETag: "1cb0-5c-44e4417cd9cf6"
> Accept-Ranges: bytes
> --00000c6a-A--
> Content-Length: 92
> [29/May/2008:02:36:52 +0200] ucE1DqwfsQsAACpNTJ4AAAAK 192.168.1.11 4459
> 192.168.1.5 80Keep-Alive: timeout=10, max=46
> Connection: Keep-Alive
> 
> --00000c6a-B--
> Content-Type: text/html
> HEAD /index.html HTTP/1.1
> --000074a6-E--
> 
> <html>
> <head><title>www.example.com</title></head>
> <body>
> hostname: host01
> </body>
> </html>
> Connection: Keep-Alive
> 
> --000074a6-H--
> User-Agent: Mozilla/4.06 [en] (WinNT; I)
> Message: Warning. Pattern match "HTTP" at REQUEST_PROTOCOL.
> Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg, image/png,
> */*
> Accept-Language: en
> Stopwatch: 1212021412541690 1924 (704 715 1163)
> Accept-Charset: iso-8859-1,*,utf-8
> Response-Body-Transformed: Dechunked
> Host: 192.168.1.5
> Producer: ModSecurity v2.1.4 (Apache 2.x)
> 
> --00000c6a-F--
> Server: Apache
> HTTP/1.1 200 OK
> 
> --000074a6-Z--
> Set-Cookie: trksessid=192.168.1.11.1212021412542509; path=/;
> domain=.example.com
> 
> Last-Modified: Wed, 28 May 2008 05:57:50 GMT
> ETag: "1cb0-5c-44e4417cd9cf6"
> Accept-Ranges: bytes
> Content-Length: 92
> Keep-Alive: timeout=10, max=69
> Connection: Keep-Alive
> Content-Type: text/html
> 
> --00000c6a-E--
> <html>
> <head><title>www.example.com</title></head>
> <body>
> hostname: host01
> </body>
> </html>
> 
> --00000c6a-H--
> Message: Warning. Pattern match "HTTP" at REQUEST_PROTOCOL.
> Message: Audit log: Failed to lock global mutex: Deadlock situation
> detected/avoided
> Stopwatch: 1212021412541710 2309 (760 790 1228)
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity v2.1.4 (Apache 2.x)
> Server: Apache
> 
> --00000c6a-Z--
> 
> 
> 
> 
> This one looks rather crippled. Note the global mutex warning. Guess
> Christian B. hints in the right direction.
> 
> I know that the concurrent log format is there for a good reason.
> But concurrent logs are very hard to work with and I am still
> thinking about how I could introduce that format into our setup...
> 
> Regs,
> 
> Christian
> 
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 


-- 
Brian Rectanus
Breach Security

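An added example, not code from the thread or from the ModSecurity project: a small Python checker that walks a serial audit log using the `--<id>-<part>--` boundary format of Christian's excerpt, reports when one transaction's parts land inside another (the "crippled" pattern above) and also surfaces the writer's own "Failed to lock global mutex" message. The sample log is constructed from the excerpt, not the real file.

```python
import re

# Part boundary of the serial audit log, e.g. "--000074a6-A--" (format shown in the thread).
BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")
LOCK_FAILURE = "Failed to lock global mutex"

def check_serial_audit_log(lines):
    """Return (transaction ids in order of their A part, list of findings)."""
    open_tx, last_part, txs, problems = None, {}, [], []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        m = BOUNDARY.match(line)
        if not m:
            if LOCK_FAILURE in line:      # the writer itself admits the lock failed
                problems.append(f"line {n}: '{LOCK_FAILURE}' reported")
            continue
        tx, part = m.groups()
        if part == "A":                   # a sound serial log closes with Z before the next A
            if open_tx is not None:
                problems.append(f"line {n}: {tx} opened while {open_tx} still open")
            txs.append(tx)
            open_tx = tx
        elif tx != open_tx:               # another writer's part landed inside ours
            problems.append(f"line {n}: {tx}-{part} interleaved into {open_tx}")
        prev = last_part.get(tx)
        if prev is not None and part <= prev:   # parts must come in ascending order
            problems.append(f"line {n}: {tx}-{part} after {tx}-{prev}")
        last_part[tx] = part
        if part == "Z" and open_tx == tx:
            open_tx = None
    if open_tx is not None:
        problems.append(f"end of input: {open_tx} never closed with Z")
    return txs, problems

# Constructed sample modelled on the excerpt in the thread, not the real log file.
CRIPPLED_LOG = """\
--000074a6-A--
[29/May/2008:02:36:52 +0200] ucE0@qwfsQsAACtXyMcAAACD 192.168.1.10 1202 192.168.1.5 80
--00000c6a-A--
[29/May/2008:02:36:52 +0200] ucE1DqwfsQsAACpNTJ4AAAAK 192.168.1.11 4459 192.168.1.5 80
--000074a6-H--
Producer: ModSecurity v2.1.4 (Apache 2.x)
--000074a6-Z--
--00000c6a-H--
Message: Audit log: Failed to lock global mutex: Deadlock situation detected/avoided
--00000c6a-Z--
""".splitlines()
```

Running `check_serial_audit_log(CRIPPLED_LOG)` on the sample yields four findings: the second transaction opening while the first is still open, two parts of the first interleaved into the second, and the lock-failure message; a clean A..Z sequence yields none.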