Hi Phil,

you can enable the "K" section in the audit log parts which are logged, using the SecAuditLogParts directive (please refer to the documentation for more details: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecAuditLogParts ).

If this still doesn't help you, try to enable the debug log at level 4, using the directives SecDebugLog and SecDebugLevel. Since the debug task generates a lot of rows in the log file, I usually selectively enable it in a rule with the ctl action. In your case it may be something like this:

SecRule REQUEST_URI "/transmission/rpc" "phase:1,id:999999,ctl:debugLogLevel=+4,nolog,noauditlog"

When you enable debug and send a request, you will find in the debug log lines like this one:

[09/Feb/2014:10:10:03 +0000] [hostname/sid#15cfa68][rid#21ff7e0][*][4] Recipe: Invoking rule 1b8be28; [file "/usr/local/modsecurity/rules/current/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"].

Analyzing this file, you can find which rules match and in what file they are.

Anyway, you may also find useful this old post by Ryan Barnett: http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

Have a nice day
Paolo

> Message: 1
> Date: Wed, 29 Jan 2014 11:48:34 +0000
> From: Phill Watkins <phill.watk...@gmail.com>
> To: OWASP CRS Mailing List
> <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: [Owasp-modsecurity-core-rule-set] Rule without an ID
> Message-ID:
> <
> caonsccvcsklpo-gbu5dfynubuh9fems-wrxhhxtd7dqba4n...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> I'm having difficulty discovering which rule is causing a false positive
> because it doesn't display an ID in the message.
>
> To give a bit of background, I'm accessing the Transmission BitTorrent web
> client via a reverse proxy.
>
> Yesterday I decided to replace the aging interface with a better one
> (Shift). In doing so I've had to disable a number of rules related to SQL
> injection which is being caused by the web interface requesting/sending
> information to the RPC interface (also behind the proxy).
>
> Here is a message from the apache error log:
>
> [Tue Jan 28 12:37:43 2014] [error] [client hidden] ModSecurity: Access
> denied with code 403 (phase 2). Pattern match
>
> "\\\\b(?i:having)\\\\b\\\\s+(\\\\d{1,10}|'[^=]{1,10}')\\\\s*?[=<>]|(?i:\\\\bexecute(\\\\s{1,5}[\\\\w\\\\.$]{1,5}\\\\s{0,3})?\\\\()|\\\\bhaving\\\\b
> ?(?:\\\\d{1,10}|[\\\\'\\"][^=]{1,10}[\\\\'\\"])
>
> ?[=<>]+|(?i:\\\\bcreate\\\\s+?table.{0,20}?\\\\()|(?i:\\\\blike\\\\W*?char\\\\W*?\\\\()|(?i:(?:(select(.*
> ..." at
>
> ARGS_NAMES:{"method":"torrent-get","arguments":{"ids":[1],"fields":["activityDate","addedDate","bandwidthPriority","comment","corruptEver","creator","display","dateCreated","desiredAvailable","doneDate","downloadDir","downloadedEver","downloadLimit","downloadLimited","error","errorString","eta","files","fileStats","hashString","haveUnchecked","haveValid","honorsSessionLimits","id","index","isFinished","isPrivate","isStalled","leftUntilDone","location","magnetLink","manualAnnounceTime","maxConnectedPeers","metadataPercentComplete","name","peer-limit","peers","peersConnected","peersFrom","peersGettingFromUs","peersSendingToUs","percentDone","pieces","pieceCount","pieceSize","priorities","queuePosition
> [hostname "hidden"] [uri "/transmission/rpc"] [unique_id
> "Uuekl38AAQEAAGl0A0wAAAAF"]
>
> Here is the related audit log:
>
> --c0e6d529-A--
> [28/Jan/2014:12:37:43 +0000] Uuekl38AAQEAAGl0A0wAAAAF hidden 59127 hidden
> 443
> --c0e6d529-B--
> POST /transmission/rpc HTTP/1.1
> Host: hidden
> Connection: keep-alive
> Content-Length: 1095
> Authorization: Basic hidden
> Origin: https://hidden
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/32.0.1700.77 Safari/537.36
> Content-type: application/x-www-form-urlencoded; charset=UTF-8
> Accept: text/javascript, text/html, application/xml, text/xml, */*
> X-Prototype-Version: 1.7.1
> X-Requested-With: XMLHttpRequest
> X-Transmission-Session-Id: KoILIz4o114SctLDgPVavN2EghQIxpbbXp49cBsSjVw8JVny
> Referer: https://hidden/transmission/web/
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
> Cookie: compact_display_state=false
>
> --c0e6d529-C--
>
> {"method":"torrent-get","arguments":{"ids":[1],"fields":["activityDate","addedDate","bandwidthPriority","comment","corruptEver","creator","display","dateCreated","desiredAvailable","doneDate","downloadDir","downloadedEver","downloadLimit","downloadLimited","error","errorString","eta","files","fileStats","hashString","haveUnchecked","haveValid","honorsSessionLimits","id","index","isFinished","isPrivate","isStalled","leftUntilDone","location","magnetLink","manualAnnounceTime","maxConnectedPeers","metadataPercentComplete","name","peer-limit","peers","peersConnected","peersFrom","peersGettingFromUs","peersSendingToUs","percentDone","pieces","pieceCount","pieceSize","priorities","queuePosition","rateDownload","rateUpload","recheckProgress","secondsDownloading","secondsSeeding","seedIdleLimit","seedIdleMode","seedRatioLimit","seedRatioMode","selected","sizeWhenDone","startDate","status","trackers","trackerAdd","trackerRemove","trackerReplace","trackerStats","totalSize","torrentFil!
>
>
> e","uploadedEver","uploadLimit","uploadLimited","uploadRatio","wanted","webseeds","webseedsSendingToUs"]}}
> --c0e6d529-F--
> HTTP/1.1 403 Forbidden
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Content-Length: 183
> Keep-Alive: timeout=5, max=33
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --c0e6d529-E--
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>403 Forbidden</title>
> </head><body>
> <h1>Forbidden</h1>
> <p>You don't have permission to access /transmission/rpc
> on this server.</p>
> </body></html>
>
> --c0e6d529-H--
> Message: Access denied with code 403 (phase 2). Pattern match
>
> "\\b(?i:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?i:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b
> ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"])
>
> ?[=<>]+|(?i:\\bcreate\\s+?table.{0,20}?\\()|(?i:\\blike\\W*?char\\W*?\\()|(?i:(?:(select(.*
> ..." at
>
> ARGS_NAMES:{"method":"torrent-get","arguments":{"ids":[1],"fields":["activityDate","addedDate","bandwidthPriority","comment","corruptEver","creator","display","dateCreated","desiredAvailable","doneDate","downloadDir","downloadedEver","downloadLimit","downloadLimited","error","errorString","eta","files","fileStats","hashString","haveUnchecked","haveValid","honorsSessionLimits","id","index","isFinished","isPrivate","isStalled","leftUntilDone","location","magnetLink","manualAnnounceTime","maxConnectedPeers","metadataPercentComplete","name","peer-limit","peers","peersConnected","peersFrom","peersGettingFromUs","peersSendingToUs","percentDone","pieces","pieceCount","pieceSize","priorities","queuePosition
> Action: Intercepted (phase 2)
> Apache-Handler: proxy-server
> Stopwatch: 1390912663932099 11850 (- - -)
> Stopwatch2: 1390912663932099 11850; combined=8383, p1=338, p2=7959, p3=0,
> p4=0, p5=86, sr=68, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.8.
> Server: Apache
>
> Any help would be greatly appreciated.
>
> Thanks.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
>
> End of Owasp-modsecurity-core-rule-set Digest, Vol 58, Issue 1
> **************************************************************
>
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
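An added example, not part of the mailing-list thread above and not ModSecurity or CRS code: a small Python parser for the level-4 debug log lines of the "Recipe: Invoking rule ...; [file ...] [line ...] [id ...]" shape that Paolo quotes. It treats the [id "..."] block as optional, so a rule that fires without an id (the situation in Phill's question) is still pinned to a file and line number, groups invocations per transaction (the rid# value), and prints the exclusion hint a rule tuner would act on. The sample log is constructed for this example and follows the format of the single line in the reply; the second file name and its line number 122 are invented placeholders, as is the "Rule returned 1." noise line that the parser is expected to ignore.

```python
import re
from collections import defaultdict

# Format of the "Invoking rule" debug-log line quoted in the reply, as a regex.
# The trailing [id "..."] block is optional so that rules defined without an
# id are still reported with their file and line number.
INVOKE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'\[(?P<host>[^\]]*)/sid#(?P<sid>[0-9a-f]+)\]'
    r'\[rid#(?P<rid>[0-9a-f]+)\]'
    r'\[(?P<vhost>[^\]]*)\]'
    r'\[(?P<level>\d+)\] '
    r'Recipe: Invoking rule (?P<addr>[0-9a-f]+); '
    r'\[file "(?P<file>[^"]+)"\] '
    r'\[line "(?P<line>\d+)"\]'
    r'(?: \[id "(?P<id>[^"]+)"\])?'
    r'\.?$'
)

# Constructed sample debug log (not a real capture). Line 1 is the line from
# the reply; line 2 is a hypothetical rule without an id; line 3 is noise
# the parser must skip; line 4 is a second transaction with a different rid#.
SAMPLE_DEBUG_LOG = """\
[09/Feb/2014:10:10:03 +0000] [hostname/sid#15cfa68][rid#21ff7e0][*][4] Recipe: Invoking rule 1b8be28; [file "/usr/local/modsecurity/rules/current/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"].
[09/Feb/2014:10:10:03 +0000] [hostname/sid#15cfa68][rid#21ff7e0][*][4] Recipe: Invoking rule 1c0ffee; [file "/usr/local/modsecurity/rules/current/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "122"].
[09/Feb/2014:10:10:03 +0000] [hostname/sid#15cfa68][rid#21ff7e0][*][4] Rule returned 1.
[09/Feb/2014:10:10:04 +0000] [hostname/sid#15cfa68][rid#21ff9a0][*][4] Recipe: Invoking rule 1b8be28; [file "/usr/local/modsecurity/rules/current/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"].
"""


def parse_invocations(log_text):
    """Return one dict per 'Invoking rule' line: rid, file, line and id.

    'id' is None when the rule carries no [id "..."] block. Lines that do not
    match the invocation format are ignored.
    """
    hits = []
    for raw in log_text.splitlines():
        m = INVOKE_RE.match(raw.strip())
        if not m:
            continue
        hits.append({
            "rid": m.group("rid"),
            "file": m.group("file"),
            "line": int(m.group("line")),
            "id": m.group("id"),
        })
    return hits


def rules_without_id(hits):
    """Invocations that could not be attributed to a rule id."""
    return [h for h in hits if h["id"] is None]


def group_by_transaction(hits):
    """Map rid# -> list of invocations, so one request's rule chain is visible."""
    by_rid = defaultdict(list)
    for h in hits:
        by_rid[h["rid"]].append(h)
    return dict(by_rid)


def exclusion_hint(hit):
    """Suggest how a tuner would exclude the rule: SecRuleRemoveById when an
    id exists, otherwise point at the file:line that must be edited."""
    if hit["id"] is not None:
        return "SecRuleRemoveById %s" % hit["id"]
    return "no id: edit %s:%d" % (hit["file"], hit["line"])


if __name__ == "__main__":
    hits = parse_invocations(SAMPLE_DEBUG_LOG)
    for rid, chain in group_by_transaction(hits).items():
        print("transaction rid#%s" % rid)
        for h in chain:
            print("  %s:%d id=%s -> %s"
                  % (h["file"], h["line"], h["id"], exclusion_hint(h)))
```

Run it against a real SecDebugLog file by replacing SAMPLE_DEBUG_LOG with the file's contents; with a ctl:debugLogLevel rule scoped to one URI, as in the reply, the log stays small enough to read per transaction.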