WAF-FLE is not receiving logs


zoltan...@gravitalent.com

Oct 6, 2014, 6:09:07 PM
to waf...@googlegroups.com
Hi,
I was following the setup instructions and set up a piped mlogc log collection. While I can see the audit files getting created at /var/log/mlogc/data, they never arrive at WAF-FLE.

There is nothing in any of the logs, including the SELinux log.

Any idea how to troubleshoot?

Thanks!

Klaubert Herr da Silveira

Oct 7, 2014, 6:21:40 AM
to waf...@googlegroups.com

Zoltan,

On your waf-fle machine, do you see any entry for /controller/ in the Apache access/error log?
Check with 'ps ax' whether mlogc is running.

Best regards,

Klaubert

--
You received this message because you are subscribed to the Google Groups "waf-fle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waf-fle+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Gleison Rodrigo

Oct 7, 2014, 8:40:32 AM
to waf...@googlegroups.com
Zoltan, are you running the script for sending data?
--
Gleison Rodrigo
http://gleisonrodrigo.xpg.uol.com.br/

"Wise is the one who knows how to share their knowledge"

zoltan...@gravitalent.com

Oct 7, 2014, 8:43:02 AM
to waf...@googlegroups.com
Hi Klaubert,
Yes, it turns out that I had to modify functions.php, as I don't have APC (the calls to /controller/ failed due to a PHP error).
Now I can see that the calls to /controller/ are being made, but the logs show 403. I have added modsecurity_crs_11_waffle.conf to the ModSecurity base_rules, but for some reason I am still receiving 403.
Maybe the authorization doesn't go through?


--0692253b-A--
[07/Oct/2014:14:41:21 +0200] VDPfcVFfkaMAACeCML8AAAAC 127.0.0.1 50929 127.0.0.1 80
--0692253b-B--
PUT /controller/ HTTP/1.1
Authorization: Basic YW1zenRlcmRhbS1hbXMxOmFmNDVkeTg3dGRmZ2pEUw==
Host: 127.0.0.1
Accept: */*
X-Content-Hash: md5:6f8c11b4c26744c1edbd8493779de0bd
X-ForensicLog-Summary: xx.xxxxx.com 167.206.xx.x - - [07/Oct/2014:14:05:55 +0200] "GET /controller/ HTTP/1.1" 403 213 "-" "-" VDPXI1FfkaMAABTJKJAAAAAK "-" /20141007/20141007-1405/20141007-140555-VDPXI1FfkaMAABTJKJAAAAAK 0 1898 md5:6f8c11b4c26744c1edbd8493779de0bd
Content-Length: 1898

--0692253b-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

--0692253b-H--
Apache-Handler: fcgid-script
Stopwatch: 1412685681190694 7036 (- - -)
Stopwatch2: 1412685681190694 7036; combined=387, p1=368, p2=0, p3=0, p4=0, p5=18, sr=238, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.2.15 (CentOS)

--0692253b-Z--
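To make an entry like the one above easier to read while troubleshooting, here is an added example (not WAF-FLE or mlogc code) that parses one serialized ModSecurity audit-log entry of the kind mlogc keeps under its data directory and summarises what /controller/ answered. The sample entry embedded in the script is constructed and modelled on the one in the thread; the Basic credential in it is a placeholder, and the script only ever reports the user part of a credential, never the password. Section and header names (A, B, F, H, Z, "Message:" lines in H) follow the ModSecurity serialized audit-log format.

```php
<?php
// Added example, not code from WAF-FLE or mlogc: parse one serialized ModSecurity
// audit-log entry and explain a 403 from the WAF-FLE controller.

function parseAuditEntry(string $raw): array
{
    $sections = [];
    // Each part opens with a boundary such as "--0692253b-B--" and runs to the next one.
    $re = '/^--([0-9a-fA-F]+)-([A-Z])--\r?\n(.*?)(?=^--[0-9a-fA-F]+-[A-Z]--|\z)/ms';
    if (preg_match_all($re, $raw, $m, PREG_SET_ORDER)) {
        foreach ($m as $hit) {
            $sections[$hit[2]] = rtrim($hit[3], "\r\n");
        }
    }
    return $sections;
}

function firstLine(string $block): string
{
    $nl = strpos($block, "\n");
    return $nl === false ? $block : substr($block, 0, $nl);
}

function headerValue(string $block, string $name): ?string
{
    // Headers are "Name: value" lines after the request/status line.
    if (preg_match('/^' . preg_quote($name, '/') . ':\s*(.*)$/mi', $block, $m)) {
        return trim($m[1]);
    }
    return null;
}

function summariseControllerCall(string $raw): array
{
    $s       = parseAuditEntry($raw);
    $request = firstLine($s['B'] ?? '');
    $status  = firstLine($s['F'] ?? '');
    $code    = preg_match('#^HTTP/\d\.\d (\d{3})#', $status, $m) ? (int) $m[1] : null;

    // Report only the user part of a Basic credential, never the password.
    $user = null;
    $auth = headerValue($s['B'] ?? '', 'Authorization');
    if ($auth !== null && stripos($auth, 'Basic ') === 0) {
        $decoded = base64_decode(substr($auth, 6), true);
        if ($decoded !== false) {
            $user = explode(':', $decoded, 2)[0];
        }
    }

    // When ModSecurity itself denied the request, section H carries "Message:" lines.
    $ruleMessages = [];
    if (preg_match_all('/^Message: (.*)$/m', $s['H'] ?? '', $mm)) {
        $ruleMessages = $mm[1];
    }

    $verdict = 'ok';
    if ($code === 403) {
        $verdict = $ruleMessages
            ? 'blocked by a ModSecurity rule'
            : '403 not attributed to a ModSecurity rule: check the web server or the controller (auth, PHP errors)';
    }

    return [
        'request'       => $request,
        'status'        => $code,
        'basic_user'    => $user,
        'rule_messages' => $ruleMessages,
        'verdict'       => $verdict,
    ];
}

// Constructed sample modelled on the entry in the thread (credential is a placeholder).
$sample = "--0692253b-A--\n"
    . "[07/Oct/2014:14:41:21 +0200] VDPfcVFfkaMAACeCML8AAAAC 127.0.0.1 50929 127.0.0.1 80\n"
    . "--0692253b-B--\n"
    . "PUT /controller/ HTTP/1.1\n"
    . "Authorization: Basic " . base64_encode('sensor-demo:not-a-real-password') . "\n"
    . "Host: 127.0.0.1\n"
    . "Content-Length: 1898\n\n"
    . "--0692253b-F--\n"
    . "HTTP/1.1 403 Forbidden\n"
    . "Content-Type: text/html; charset=UTF-8\n\n"
    . "--0692253b-H--\n"
    . "Apache-Handler: fcgid-script\n"
    . "Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.\n\n"
    . "--0692253b-Z--\n";

print_r(summariseControllerCall($sample));
```

Run against the entry in the thread, the H section contains no "Message:" line, so the script reports the 403 as not coming from a ModSecurity rule, which points at the web server or the controller itself rather than at modsecurity_crs_11_waffle.conf.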

zoltan...@gravitalent.com

Oct 7, 2014, 12:24:46 PM
to waf...@googlegroups.com
It seems the problem is with the authentication of the sensor to /controller/,
but $_SERVER['PHP_AUTH_USER'] seems not to be set.

zoltan...@gravitalent.com

Oct 7, 2014, 1:22:25 PM
to waf...@googlegroups.com
I figured out the problem. The issue is that I'm using FCGID, and with CGID/FCGID you basically cannot use HTTP authentication from PHP.
The only work-around I found is explained here:

On Monday, October 6, 2014 6:09:07 PM UTC-4, zoltan...@gravitalent.com wrote:

Klaubert Herr da Silveira

Oct 7, 2014, 9:08:41 PM
to waf...@googlegroups.com
Zoltan,

The 403 that you are receiving sounds to me like the FCGI problem... I expect to support other modes in the next version, but I have not tried the patch yet, and you will need to debug it a little bit more... :)

 Klaubert


zoltan...@gravitalent.com

Oct 7, 2014, 9:14:56 PM
to waf...@googlegroups.com
Thanks Klaubert, yes, you were right, the issue was that FCGI PHP doesn't work with HTTP authentication.
As explained there, I created a .htaccess file to redirect with the HTTP authentication details and modified controller/index.php, and so I made it work.

Thanks
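The workaround described above, as an added example that is not WAF-FLE's controller code: under mod_fcgid or CGI, Apache does not populate $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], so the controller has to recover the credential from the raw Authorization header instead. The example assumes a mod_rewrite rule in .htaccess that copies the header into an environment variable (the standard form is shown in the comment), and that Apache may expose that variable under the REDIRECT_ prefix after an internal redirect. The sensor table, the sensor name and the password are constructed for the demo; WAF-FLE's real controller looks sensors up in its database.

```php
<?php
// Added example, not WAF-FLE code: Basic-auth fallback for PHP under FCGI/CGI.
// Assumes an .htaccess rule such as:
//   RewriteEngine On
//   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
// After an internal redirect Apache prefixes the variable with REDIRECT_.

function basicCredentials(array $server): ?array
{
    // Native mod_php case: Apache has already split the credential.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // FCGI/CGI case: the raw header arrives through one of these variables.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        if (!preg_match('/^Basic\s+(\S+)$/i', $server[$key], $m)) {
            return null; // some other scheme; not accepted here
        }
        $decoded = base64_decode($m[1], true); // strict: reject malformed base64
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null;
        }
        [$user, $pass] = explode(':', $decoded, 2);
        return [$user, $pass];
    }
    return null;
}

// $sensors maps sensor name => password hash produced by password_hash().
function checkSensorAuth(array $server, array $sensors): bool
{
    $cred = basicCredentials($server);
    if ($cred === null) {
        return false;
    }
    [$user, $pass] = $cred;
    // Verify against a stored hash; never compare plaintext passwords.
    return isset($sensors[$user]) && password_verify($pass, $sensors[$user]);
}

function denyUnauthenticated(): void
{
    // Asking for credentials explicitly is clearer to mlogc than a bare 403.
    header('WWW-Authenticate: Basic realm="waf-fle"');
    http_response_code(401);
}

// Constructed demo of what $_SERVER looks like under FCGI once the rewrite rule is in place.
$sensors    = ['sensor-demo' => password_hash('not-a-real-password', PASSWORD_DEFAULT)];
$fakeServer = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('sensor-demo:not-a-real-password')];

if (checkSensorAuth($fakeServer, $sensors)) {
    echo "sensor authenticated\n";
} else {
    denyUnauthenticated();
    echo "sensor rejected\n";
}
```

In the controller the real $_SERVER array replaces $fakeServer; keeping the lookup in basicCredentials() means the same code path works under mod_php and under FCGI, and a malformed header simply fails authentication rather than raising a PHP error (which is what produced the first 403s in this thread).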

Klaubert Herr da Silveira

Oct 7, 2014, 9:23:47 PM
to waf...@googlegroups.com
Great,

klaubert