ModSecurity: Apache-Error: [file "apache2_util.c"]

Hello Guys!

I installed CRS from GitHub and updated Debian from 8 to 9. I have the following software versions:

Apache 2.4.25
ModSecurity  2.9.1
CRS 3.0.2

And after the update (ModSecurity 2.8.0 -> ModSecurity 2.9.1) I see the following string in every ModSecurity log line.

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s

audit.log

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
HTTP/1.1 403 Forbidden
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Content-Length: 301
Accept-Encoding: gzip, deflate, br
Message: Warning. Matched phrase "../" at REQUEST_URI. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "77"] [id "930110"] [rev "1"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_URI: /search?utf8=\xe2\x9c\x93&q=..//..//../../12312312312312312312"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=0,RFI=0,LFI=15,RCE=0,PHPI=0,HTTP=0,SESS=0): Path Traversal Attack (/../)"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1497945553089390 44896 (- - -)
Stopwatch2: 1497945553089390 44896; combined=40604, p1=408, p2=40101, p3=0, p4=0, p5=95, sr=32, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.2
.
Server: Apache/2.4.25 (Debian)
Engine-Mode: "ENABLED"

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 23 (9 by maintainers)

Most upvoted comments

Hi Victor. All my packages are uploaded to Debian's repositories. I'm also the maintainer of CRS. 😃

Hiya. I’ll build an updated package and upload it to sid ASAP. Once it gets into testing I’ll upload to backports.

Hi @ossie-git,

While I was reviewing the code and specs I remembered that the "Apache-Error" message in the audit logs is actually normal behaviour.

If you look at msc_logging.c you can see that the Apache-Error header is always added as part of Audit Log every time a log entry is sent to Apache error_log.

This is also written in the ModSecurity Data Formats reference: "The Apache-Error header contains Apache error log messages observed by ModSecurity, excluding those sent by ModSecurity itself".

So if you really don't want the "Apache-Error" message showing in your audit logs you can either omit the "H" from SecAuditLogParts (you might lose other information from the audit log as well) or maybe omit this in the code, but honestly the Apache-Error message is harmless and you can safely ignore it if you're not interested in it.

Keeping this one closed as it’s not an issue.
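Added example, not code from this issue or from the ModSecurity/CRS projects: a small Python parser for the audit-log part H lines quoted in the issue. It does what the maintainer's comment suggests an operator should do, treat the Apache-Error lines as the error_log mirror they are (count them, do not alert on them) and pull the rule ids, tags, anomaly score and blocking action out of the Message and Action lines instead. The sample input is the reporter's part H from above, trimmed; the function names and the output structure are my own assumptions.

```python
import re

# Sample part H, taken from the audit-log excerpt in this issue (trimmed):
# three Message lines, two of the Apache-Error lines being asked about,
# and the Action / Engine-Mode trailer.
SAMPLE_PART_H = r'''Message: Warning. Matched phrase "../" at REQUEST_URI. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "77"] [id "930110"] [rev "1"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_URI: /search?utf8=\xe2\x9c\x93&q=..//..//../../12312312312312312312"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [tag "application-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=0,RFI=0,LFI=15,RCE=0,PHPI=0,HTTP=0,SESS=0): Path Traversal Attack (/../)"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
'''

# One [key "value"] attribute; the value may contain backslash escapes
# such as the \xNN sequences ModSecurity writes for non-ASCII bytes.
ATTR_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
ANOMALY_RE = re.compile(r"Total (?:Inbound )?Score: (\d+)")


def parse_part_h(text):
    """Turn the lines of one audit-log part H into a dict.

    'messages' holds one dict per Message line: 'text' (the free-form lead),
    'fields' (file, line, id, msg, severity, ...) and 'tags' (all [tag ...]
    values, in order).  Apache-Error lines are only counted: part H mirrors
    every error_log write, so they carry no rule information of their own.
    """
    parsed = {"messages": [], "apache_error_lines": 0,
              "action": None, "engine_mode": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Apache-Error:"):
            parsed["apache_error_lines"] += 1
        elif line.startswith("Message:"):
            body = line[len("Message:"):].strip()
            matches = list(ATTR_RE.finditer(body))
            lead = body[:matches[0].start()].strip() if matches else body
            fields, tags = {}, []
            for m in matches:
                key, value = m.group(1), m.group(2)
                if key == "tag":
                    tags.append(value)
                else:
                    fields[key] = value
            parsed["messages"].append({"text": lead, "fields": fields, "tags": tags})
        elif line.startswith("Action:"):
            parsed["action"] = line[len("Action:"):].strip()
        elif line.startswith("Engine-Mode:"):
            parsed["engine_mode"] = line[len("Engine-Mode:"):].strip().strip('"')
    return parsed


def triggered_rules(parsed):
    """(rule id, msg, severity) for every Message line that names a rule."""
    return [(m["fields"]["id"], m["fields"].get("msg", ""), m["fields"].get("severity", ""))
            for m in parsed["messages"] if "id" in m["fields"]]


def inbound_anomaly_score(parsed):
    """Total inbound anomaly score as reported by CRS rules 949110 / 980130."""
    for m in parsed["messages"]:
        if m["fields"].get("id") in ("949110", "980130"):
            hit = ANOMALY_RE.search(m["fields"].get("msg", ""))
            if hit:
                return int(hit.group(1))
    return None


def was_blocked(parsed):
    """True when the transaction was intercepted (Action: Intercepted ...)."""
    return bool(parsed["action"]) and parsed["action"].startswith("Intercepted")


if __name__ == "__main__":
    p = parse_part_h(SAMPLE_PART_H)
    print(f"Apache-Error lines ignored: {p['apache_error_lines']}")
    for rule_id, msg, severity in triggered_rules(p):
        print(f"  {rule_id} [{severity}] {msg}")
    print(f"inbound anomaly score: {inbound_anomaly_score(p)}, blocked: {was_blocked(p)}")
```

Run against a real modsec_audit.log you would feed it the text between the `--xxxx-H--` and the next section marker of each transaction; the parser deliberately keys on the line prefixes so the Apache-Error noise from 2.9.1 never reaches the rule summary.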

@oleg9301 I see it on my side too. Here’s a reproducer for others looking into this issue.

Dockerfile:

FROM debian

RUN apt-get update && apt-get -y install libapache2-modsecurity apache2
RUN mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

CMD ["-DFOREGROUND"]
ENTRYPOINT ["/sbin/apachectl"]
# docker build -t modsec-1468 .
# docker run -p 8000:80 --rm --name modsec-1468 -it modsec-1468

In another terminal, watch the audit log:

# docker exec -it modsec-1468 tail -f /var/log/apache2/modsec_audit.log | grep 'Apache-Error'

Finally, send a naughty request (I used the one shown in @oleg9301's output):

# curl 'http://localhost:8000/search?utf8=\xe2\x9c\x93&q=..//..//../../12312312312312312312'

Back in the tail output:

# docker exec -it modsec-1468 tail -f /var/log/apache2/modsec_audit.log | grep 'Apache-Error'
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s

I installed 2.9.1 from the Debian repo (stretch).

dpkg -l libapache2-modsecurity 
+++-==============-============-============-=================================
ii  libapache2-mod 2.9.1-2      all          Dummy transitional package

dpkg -l apache2
+++-=======================-================-================-================
ii  apache2                 2.4.25-3         amd64            Apache HTTP Server

error.log

[Wed Jun 21 06:25:31.000907 2017] [:notice] [pid 4425] ModSecurity: Loaded 29764 rules from: 'https://dashboard.modsecurity.org/rules/download/plain'.
[Wed Jun 21 06:25:31.001056 2017] [mpm_prefork:notice] [pid 4425] AH00163: Apache/2.4.25 (Debian) OpenSSL/1.0.2l configured -- resuming normal operations
[Wed Jun 21 06:25:31.001064 2017] [core:notice] [pid 4425] AH00094: Command line: '/usr/sbin/apache2'
[Wed Jun 21 06:25:31.001095 2017] [mpm_prefork:warn] [pid 4425] AH00167: long lost child came home! (pid 6341)
[Wed Jun 21 08:58:09.053829 2017] [mpm_prefork:notice] [pid 4425] AH00169: caught SIGTERM, shutting down
[Wed Jun 21 08:58:57.000512 2017] [:notice] [pid 11149] ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.
[Wed Jun 21 08:58:57.000583 2017] [:notice] [pid 11149] ModSecurity: APR compiled version="1.5.2"; loaded version="1.5.2"
[Wed Jun 21 08:58:57.000591 2017] [:notice] [pid 11149] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Wed Jun 21 08:58:57.000597 2017] [:notice] [pid 11149] ModSecurity: LUA compiled version="Lua 5.1"
[Wed Jun 21 08:58:57.000601 2017] [:notice] [pid 11149] ModSecurity: YAJL compiled version="2.1.0"
[Wed Jun 21 08:58:57.000606 2017] [:notice] [pid 11149] ModSecurity: LIBXML compiled version="2.9.4"
[Wed Jun 21 08:58:57.000611 2017] [:notice] [pid 11149] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.