LoginSignup
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 3 years have passed since last update.

@Diavolo

【mod_security】mod_securityのログファイル(modsec_audit.log)の解析 その2

Posted at

はじめに

mod_securityの自己学習をしています。mod_securityのログファイルを解析してみます。
前回記事の続きになりますが、mod_security監査ログのHセクションについて解析をしてみます。

解析する監査ログは以下です。

--eddafe7b-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\2\\b|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not ..." at ARGS:value. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data:  'a'='a found within ARGS:value: 1' or 'a'='a"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 6A.1BC.1DE.2FG] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:([\\\\\\\\s'\\\\"`\\\\xc2\\\\xb4\\\\xe2\\\\x80\\\\x99\\\\xe2\\\\x80\\\\x98\\\\\\\\(\\\\\\\\)]*?)\\\\\\\\b([\\\\\\\\d\\\\\\\\w]++)([\\\\\\\\s'\\\\"`\\\\xc2\\\\xb4\\\\xe2\\\\x80\\\\x99\\\\xe2\\\\x80\\\\x98\\\\\\\\(\\\\\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\\\\\s+like|regexp)([\\\\\\\\s'\\\\"`\\\\xc2\\\\xb4\\\\xe2\\\\x80\\\\x99\\\\xe2\\\\x80\\\\x98\\\\\\\\(\\\\\\\\)]*?)\\\\\\\\2\\\\\\\\b|(?:!=|<=|>=|<>|<|>|\\\\\\\\^|is\\\\\\\\s+not ..." at ARGS:value. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data:  'a'='a found within ARGS:value: 1' or 'a'='a"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "5A.9B.2C.1DE"] [uri "/"] [unique_id "YfvCE7Yy7OCFRLMWFtNyCwAAAAM"]
Action: Intercepted (phase 2)
Stopwatch: 1643889171139933 687 (- - -)
Stopwatch2: 1643889171139933 687; combined=292, p1=202, p2=86, p3=0, p4=0, p5=3, sr=115, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.52 ()
Engine-Mode: "ENABLED"

パラメータ(項目)の説明

項目名 説明 備考
Message xxxxxx yyyyy
Apache-Error xxxxx yyyyy
Action xxxxx yyyyy
Stopwatch xxxxx yyyyy
Stopwatch2 xxxxx yyyyy
Producer xxxxx yyyyy
Server xxxxx yyyyy
Engine-Mode xxxxx yyyyy

↑編集中です。

おわりに

では、また。

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?