Request Filtering logs

[Dani]

Hi,

I spoke to mistwang about a better and more detailed log system for this, I just wanted to see if it's on the todo list yet and how what it's time frame is.

this is what I'm speaking of to be more clear:
logs/error.log <==
2007-11-16 16:11:15.828 [NOTICE] [xx.146.185.194:2981-0#site] [SECURITY] Detected [PATTERN: 'or.+1[[:space:]]*=[[:space:]]1|or 1=1--'|'.+--'] [Msg: SQL Injection attack]

I'd like to know what exactly was sent in the POST/GET, which php file that parsed it OR atleast the url would be enough as a start to know what they are "attacking".


thanks

 

[mistwang]

Request URL will be logged in 3.3 release.

 

[Dani]

Can't see it atm, still logs the same way, maybe we'll get it in 3.3.1?

 

[mistwang]

Those are logged at "INFO" log level, so make sure you set log level to "INFO" or "DEBUG".

 

[Dani]

hmm this is to much for the server to handle to have in a live environment, I want to be able to just show the result: 1.

But even with the Log Level of the request filter set to 0 or 1 nothing seems to change, this is the 'standard' output.

2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [Mosiac 1\.*], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [Brutus/AET], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [cgichk], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [DataCha0s/2\.0], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [Web Downloader], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebZIP], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebCopier], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [Webster], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebZIP], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [WebStripper], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [teleport pro], result: 0
2007-11-20 10:34:04.878 [INFO] [xx.xx.xxx.xx:2320-0#Main] [SECURITY] match [HTTP_USER_AGENT] against pattern [combine], result: 0



So is it possible for a a 'log only if result: 1' so that I get the info I was talking about in post #1? =)

 

[mistwang]

Request filter "Log Level" is control the debug logging of Request filter, should set it 0 on production server.

The logging I refer to is the "Action", usually is "deny,log,status:403". "log" action must be set, and server log level must be set to "INFO", the request URI should be logged with 3.3

 

[Dani]

I totally get you, but should I give up hope in having that extra log info 'url or the text that they sent' using log level NOTICE instead of INFO?

Since this would help me see what they are attacking the most, and since I cannot use INFO cause of the slowdown of massive logging one last thing that could help is that the result: 0 (which is false match) has its own option in the config to be able to turn it off and just show positive matches in logs whether its NOTICE or INFO

 

[mistwang]

OK, changed the log level from INFO to NOTICE for that message

 

[Dani]

thanks, is it possible to revert back the 3.3 change of 'run away process' logs to INFO from NOTICE? Or is this a request from someone that wanted to see it's runaway processes for some reason?

 

[mistwang]

OK, we will do that.