Request Filtering logs

Discussion in 'Feedback/Feature Requests' started by Dani, Nov 16, 2007.

  1. Dani

    Dani New Member

    Hi,

I spoke to mistwang about a better and more detailed log system for this; I just wanted to see if it's on the todo list yet and what its time frame is.

This is what I'm speaking of, to be more clear:
    logs/error.log <==
    2007-11-16 16:11:15.828 [NOTICE] [xx.146.185.194:2981-0#site] [SECURITY] Detected [PATTERN: 'or.+1[[:space:]]*=[[:space:]]1|or 1=1--'|'.+--'] [Msg: SQL Injection attack]

I'd like to know what exactly was sent in the POST/GET, which php file parsed it, OR at least the url would be enough as a start to know what they are "attacking".


    thanks
  2. mistwang

    mistwang LiteSpeed Staff

    Request URL will be logged in 3.3 release.
  3. Dani

    Dani New Member

    Can't see it atm, still logs the same way, maybe we'll get it in 3.3.1? :)
  4. mistwang

    mistwang LiteSpeed Staff

    Those are logged at "INFO" log level, so make sure you set log level to "INFO" or "DEBUG".
  5. Dani

    Dani New Member

hmm, this is too much for the server to handle in a live environment; I want to be able to just show the result: 1.

    But even with the Log Level of the request filter set to 0 or 1 nothing seems to change, this is the 'standard' output.

    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [Mosiac 1\.*], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [Brutus/AET], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [cgichk], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [DataCha0s/2\.0], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [Web Downloader], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebZIP], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebCopier], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [Webster], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebZIP], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebStripper], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [teleport pro], result: 0
    2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [combine], result: 0



So is it possible to have a 'log only if result: 1' so that I get the info I was talking about in post #1? =)
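A small triage script for logs in the format quoted above, added here as an example and not code from this thread or from LiteSpeed: it parses both [SECURITY] line shapes shown in the thread (the [NOTICE] "Detected [PATTERN: ...] [Msg: ...]" line and the [INFO] "match [FIELD] against pattern [...], result: N" line), keeps only positive matches (result: 1 or a Detected line) and counts them per client IP and per pattern, which is roughly the "log only if result: 1" view asked for here. The sample lines are constructed except the first, which is the line quoted in post #1; the field layout (ip:port-conn#vhost) is an assumption read off the quoted lines.

```python
import re
from collections import Counter
from typing import Iterable, Iterator, Optional

# Constructed sample input (not a real server log): the first line is the
# [NOTICE] "Detected" line quoted in the thread; the rest are made-up lines in
# the [INFO] "match ... result: N" format quoted in post #5, using RFC 5737
# documentation addresses. The last line is noise that must be ignored.
SAMPLE_LOG = [
    "2007-11-16 16:11:15.828 [NOTICE] [xx.146.185.194:2981-0#site] [SECURITY] Detected [PATTERN: 'or.+1[[:space:]]*=[[:space:]]1|or 1=1--'|'.+--'] [Msg: SQL Injection attack]",
    "2007-11-20 10:34:04.878 [INFO] [192.0.2.10:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebZIP], result: 0",
    "2007-11-20 10:34:04.878 [INFO] [192.0.2.10:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [teleport pro], result: 0",
    "2007-11-20 10:34:05.001 [INFO] [192.0.2.10:2321-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [Brutus/AET], result: 1",
    "2007-11-20 10:34:05.002 [INFO] [198.51.100.7:4410-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebCopier], result: 1",
    "2007-11-20 10:34:06.000 [INFO] [198.51.100.7:4411-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebCopier], result: 1",
    "2007-11-20 10:34:06.500 [NOTICE] [198.51.100.7:4412-0#Main] [SECURITY] Detected [PATTERN: 'or 1=1--'] [Msg: SQL Injection attack]",
    "2007-11-20 10:34:07.000 [NOTICE] [198.51.100.7:4413-0#Main] [STDERR] unrelated line that must be ignored",
]

# Common prefix assumed from the quoted lines: timestamp, level,
# "ip:port-conn#vhost" and the [SECURITY] tag.
_PREFIX = (r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[(?P<level>[A-Z]+)\] "
           r"\[(?P<client>[^\]]+)\] \[SECURITY\] ")
# Debug-style line: "match [FIELD] against pattern [...], result: 0|1".
# A greedy ".*" lets the pattern itself contain "]"; the literal tail anchors it.
_MATCH_RE = re.compile(_PREFIX + r"match \[(?P<field>[^\]]+)\] against pattern "
                       r"\[(?P<pattern>.*)\], result: (?P<result>[01])$")
# Hit line: "Detected [PATTERN: ...] [Msg: ...]".
_DETECTED_RE = re.compile(_PREFIX + r"Detected \[PATTERN: (?P<pattern>.*)\] "
                          r"\[Msg: (?P<msg>[^\]]*)\]$")
_CLIENT_RE = re.compile(r"^(?P<ip>.+):(?P<port>\d+)-(?P<conn>\d+)#(?P<vhost>.+)$")


def parse_security_line(line: str) -> Optional[dict]:
    """Parse one [SECURITY] log line into a dict; return None for any other line."""
    m = _MATCH_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "match"
        rec["hit"] = rec.pop("result") == "1"   # only "result: 1" is a real match
        rec["msg"] = ""
    else:
        m = _DETECTED_RE.match(line)
        if not m:
            return None
        rec = m.groupdict()
        rec["kind"] = "detected"
        rec["hit"] = True                       # a Detected line is always a hit
        rec["field"] = ""
    c = _CLIENT_RE.match(rec.pop("client"))
    rec["ip"] = c.group("ip") if c else ""
    rec["vhost"] = c.group("vhost") if c else ""
    return rec


def positive_hits(lines: Iterable[str]) -> Iterator[dict]:
    """Yield only records for positive matches, dropping the "result: 0" noise."""
    for line in lines:
        rec = parse_security_line(line.rstrip("\n"))
        if rec and rec["hit"]:
            yield rec


def summarize(lines: Iterable[str]) -> dict:
    """Count positive hits per source IP and per pattern (what was matched most)."""
    by_ip, by_pattern = Counter(), Counter()
    total = 0
    for rec in positive_hits(lines):
        total += 1
        by_ip[rec["ip"]] += 1
        by_pattern[rec["pattern"]] += 1
    return {"total": total, "by_ip": dict(by_ip), "by_pattern": dict(by_pattern)}


if __name__ == "__main__":
    import sys
    # Usage: python triage.py [error.log]; without an argument the sample is used.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for rec in positive_hits(lines):
        print(f'{rec["ts"]} {rec["ip"]:>15} {rec["vhost"]:<6} {rec["kind"]:<8} {rec["pattern"]}')
    print(summarize(lines))
```

Run it against a copy of error.log rather than the live file if the server is busy; the script only reads the lines it is given and never changes the request filter's own log level, so the INFO-level volume on the server is a separate question from filtering it afterwards.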
  6. mistwang

    mistwang LiteSpeed Staff

Request filter "Log Level" controls the debug logging of the Request filter; it should be set to 0 on a production server.

The logging I refer to is the "Action", which is usually "deny,log,status:403". The "log" action must be set, and the server log level must be set to "INFO"; the request URI should be logged with 3.3.
  7. Dani

    Dani New Member

I totally get you, but should I give up hope of having that extra log info ('url or the text that they sent') using log level NOTICE instead of INFO?

Since this would help me see what they are attacking the most, and since I cannot use INFO because of the slowdown from massive logging, one last thing that could help is if the result: 0 (which is a false match) had its own option in the config so it can be turned off and only positive matches are shown in the logs, whether at NOTICE or INFO :)
  8. mistwang

    mistwang LiteSpeed Staff

    OK, changed the log level from INFO to NOTICE for that message
  9. Dani

    Dani New Member

thanks, is it possible to revert the 3.3 change of the 'run away process' logs back to INFO from NOTICE? Or is this a request from someone that wanted to see their runaway processes for some reason?
  10. mistwang

    mistwang LiteSpeed Staff

    OK, we will do that.
