On Thu, Nov 24, 2016 at 04:41:49PM +0100, Muenz, Michael wrote:
> Did you reply to the list or PN? :)

Maybe I made a mistake. The idea was to respond via the list. Doing that now.

> I'm not quite sure if it's nginx itself, I'm a bit new to it.
>
> This is the auditlog:
>
> ---CMTQD8zC---A--
> [24/Nov/2016:16:39:45 +0100] 148000198565.715452 XXX
> ---CMTQD8zC---B--
> GET /?s=../../../../etc/passwd HTTP/1.1
> REQUEST_HEADERS:Host: XXX
> REQUEST_HEADERS:Connection: keep-alive
> REQUEST_HEADERS:Upgrade-Insecure-Requests: 1
> REQUEST_HEADERS:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64;
> x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99
> Safari/537.36
> REQUEST_HEADERS:Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> REQUEST_HEADERS:Accept-Encoding: gzip, deflate, sdch
> REQUEST_HEADERS:Accept-Language:
> de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4,fr;q=0.2
> ---CMTQD8zC---D--
> ---CMTQD8zC---E--
> ---CMTQD8zC---F--
> RESPONSE_HEADERS:Server: nginx/1.11.5
> RESPONSE_HEADERS:Date: Thu, 24 Nov 2016 15:39:45 GMT
> RESPONSE_HEADERS:Content-Length: 571
> RESPONSE_HEADERS:Content-Type: text/html
> RESPONSE_HEADERS:Connection: keep-alive
> ---CMTQD8zC---H--
> ---CMTQD8zC---I--
> ---CMTQD8zC---J--
> ---CMTQD8zC---Z--

The interesting bit, the H part is empty. That is very odd.

What is your SecAuditLogParts setting? Maybe you remove it for a test
so it reverts to the default which should bring you the H audit log part.

Ahoj,

Christian

--
No man is more unhappy than he who never faces adversity.
For he is not permitted to prove himself.
-- Seneca

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
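An added example, not part of the original message and not ModSecurity's own code: a small Python check that splits an audit log in the boundary format quoted above into its parts and tells a part whose boundary is absent from one that is present but has no content, as H is in that log. The function names and the shortened sample are constructed for illustration.

```python
import re

# Boundary lines as they appear in the quoted log: ---<id>---<part letter>--
BOUNDARY = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--$")

# Constructed sample, shortened from the transaction quoted in the thread.
SAMPLE = """\
---CMTQD8zC---A--
[24/Nov/2016:16:39:45 +0100] 148000198565.715452 XXX
---CMTQD8zC---B--
GET /?s=../../../../etc/passwd HTTP/1.1
REQUEST_HEADERS:Host: XXX
---CMTQD8zC---F--
RESPONSE_HEADERS:Server: nginx/1.11.5
RESPONSE_HEADERS:Content-Type: text/html
---CMTQD8zC---H--
---CMTQD8zC---Z--
"""

def split_parts(text):
    """Return {transaction_id: {part_letter: [content lines]}}."""
    transactions = {}
    current = None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            txid, letter = m.groups()
            current = transactions.setdefault(txid, {}).setdefault(letter, [])
        elif current is not None and line.strip():
            current.append(line)
    return transactions

def missing_or_empty(parts, wanted="H"):
    """Label each wanted part 'missing' (no boundary) or 'empty' (boundary only)."""
    result = {}
    for letter in wanted:
        if letter not in parts:
            result[letter] = "missing"
        elif not parts[letter]:
            result[letter] = "empty"
    return result

def report(text, wanted="H"):
    """Map each transaction id to the wanted parts that carry no content."""
    return {txid: missing_or_empty(parts, wanted)
            for txid, parts in split_parts(text).items()}

if __name__ == "__main__":
    for txid, problems in report(SAMPLE, "BFH").items():
        print(txid, problems or "all requested parts have content")
```

A "missing" result points at the SecAuditLogParts selection, while "empty" means the part was selected but nothing was written into it.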