How to get mod_security to log all POST data

apache-2.2mod-security

I currently have a CentOS system that is successfully logging relevant mod_security actions to the audit log file. The following is my configuration:

<IfModule mod_security2.c>
  SecRuleEngine On
  SecAuditEngine RelevantOnly
  SecAuditLog /var/log/httpd/modsec_audit.log
  SecDebugLog /var/log/httpd/modsec_debug.log
  SecDebugLogLevel 0
  SecRequestBodyAccess On
  SecDataDir /tmp
  SecTmpDir /tmp
  SecPcreMatchLimit 250000
  SecPcreMatchLimitRecursion 250000
</IfModule>

This logs all actions where mod_security intercepts/blocks the request because of the SecAuditEngine RelevantOnly setting.

However, I would like it to additionally log all POST data that is submitted to the server (regardless of the status). I could achieve this by setting SecAuditEngine On but this logs all GET and POST data which is overkill. I would basically like to omit all GET data unless the request was intercepted.

Can anyone suggest how to do this?

Best Answer

Have a rule which turns on the AuditEngine for POST requests.

Something like this (untested):

SecRule REQUEST_METHOD "POST" "id:1000,phase:2,ctl:auditEngine=On,nolog,pass"

Ctl actions only affect the current request so afterwards it will reset back to RelevantOnly for the next request.

You can also create Sanitise rules to ensure sensitive data like passwords and credit card data is masked before logging. See here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#sanitiseArg

Related Solutions

Apache Security – Dealing with HTTP w00tw00t Attacks

From your error log they are sending a HTTP/1.1 request without the Host: portion of the request. From what I read, Apache replies with a 400 (bad request) error to this request, before handing over to mod_security. So, it doesn't look like your rules will be processed. (Apache dealing with it before requiring to hand over to mod_security)

Try yourself:

telnet hostname 80
GET /blahblahblah.html HTTP/1.1  (enter)
(enter)

You should get the 400 error and see the same error in your logs. This is a bad request and apache is giving the correct answer.

Proper request should look like:

GET /blahblahblah.html HTTP/1.1
Host: blah.com

A work around for this issue could be to patch mod_uniqueid, to generate a unique ID even for a failed request, in order that apache passes the request on to its request handlers. The following URL is a discussion about this work around, and includes a patch for mod_uniqueid you could use: http://marc.info/?l=mod-security-users&m=123300133603876&w=2

Couldn't find any other solutions for it and wonder if a solution is actually required.

Why doesn’t the mod_security catch / log anything

Shame on me! I've put the mod-security config directives before (and not after) the:

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

so mod-security module was not loaded actually! Now that I placed the mod-security directives below them, mod-security is loaded and it logs to the relevant files. Problem solved.

Best Answer

Related Solutions

Apache Security – Dealing with HTTP w00tw00t Attacks

Why doesn’t the mod_security catch / log anything

Related Topic