WAF-FLE returns 200 but not inserting into DB


Angel Sánchez

Dec 1, 2017, 3:37:05 PM
to waf-fle
Greetings, I'm building a lab with ModSecurity on XAMPP (Apache 2.4, PHP 5.6 and MariaDB 10) on Windows Server 2008 R2 (I'm using Windows because the apps I want to protect are running on Windows) and WAF-FLE with Apache 2.4, PHP 5.6 and MariaDB on Ubuntu 16.04.

I was able to run ModSecurity on Windows (thanks to Apache Lounge) with the OWASP CRS and it works pretty cool.

But when I try to send the logs with mlogc to the WAF-FLE server, I receive a 200 response but I don't see the events getting registered in the database.

I'm attaching my cfg files and logs.

Hope you guys can help me.

Thanks.


modsecurity.conf
mlogc-queue.log
mlogc-error.log
mlogc.conf
waf-fle.conf

Claudio Basso

Jan 22, 2018, 8:11:15 AM
to waf-fle
Hi, same problem, different configuration.
waf-fle 0.6.4 on Linux CentOS.
Apache works well, ModSecurity works.
Tried with mlog2waffle and mlogc, same problem: events are processed and apparently sent to waf-fle, all logs are OK, but the event count in the waf-fle console still remains 0.

Part of the mlogc log:
[Wed Jan 17 14:48:33 2018] [4] [3109/1bdaca0] Worker thread starting.
[Wed Jan 17 14:48:33 2018] [3] [3109/0] No more data to read, emptying buffer: End of file found
[Wed Jan 17 14:48:33 2018] [3] [3109/0] Waiting for queue to empty (1 active).
[Wed Jan 17 14:48:33 2018] [4] [3109/1bdaca0] Worker fetch locking thread mutex.
[Wed Jan 17 14:48:33 2018] [4] [3109/1bdaca0] Worker fetch started.
[Wed Jan 17 14:48:33 2018] [4] [3109/1bdaca0] Getting one entry from the queue.
[Wed Jan 17 14:48:33 2018] [4] [3109/1bdaca0] Worker fetch completed.
[Wed Jan 17 14:48:33 2018] [4] [3109/1bdaca0] Worker fetch unlocking thread mutex.
[Wed Jan 17 14:48:33 2018] [4] [3109/1bdaca0] Processing entry.
[Wed Jan 17 14:48:33 2018] [4] [3109/1bdaca0] Regular expression matched.
[Wed Jan 17 14:48:33 2018] [4] [3109/1bdaca0] STAT "/var/log/mlog2waffle/data/20180117/20180117-1448/20180117-144816-Wl9UIHRpdjjrUhBYY@71-QAAAAA" {uid=48; gid=48; size=4200; csize=8192; atime=1516196908487708; ctime=1516196896337707; mtime=1516196896337707}
[Wed Jan 17 14:48:33 2018] [4] [3109/1bdaca0] File found (4200 bytes), activating cURL.
[Wed Jan 17 14:32:03 2018] [4] [3043/83cd30] CURL: Connection #0 to host XYZ left intact
[Wed Jan 17 14:32:03 2018] [4] [3043/83cd30] Request returned with status "200 Ok": Wl9QMK6-4a269ll8hIKj6wAAAAQ
[Wed Jan 17 14:32:03 2018] [4] [3043/83cd30] Removing: /var/log/mlog2waffle/data/20180117/20180117-1431/20180117-143128-Wl9QMK6-4a269ll8hIKj6wAAAAQ
[Wed Jan 17 14:32:03 2018] [3] [3043/83cd30] Entry completed (0.136 seconds, 5196 bytes): Wl9QMK6-4a269ll8hIKj6wAAAAQ

Why are events not written to the DB?

pawel.go...@codilime.com

Nov 16, 2018, 5:56:49 AM
to waf-fle
Hi,

Did you figure it out? I have the same problem. I can see in tcpdump that the packets with events are delivered, and even the MySQL log shows that waf-fle connects to it and selects a couple of things, but it doesn't save anything...

/usr/sbin/mysqld, Version: 5.7.24-0ubuntu0.18.04.1-log ((Ubuntu)). started with:
Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock
Time                 Id Command    Argument



2018-11-15T07:34:53.358530Z     2 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.369283Z     2 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.369603Z     2 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.370823Z     2 Prepare SELECT sensor_id, name, IP, client_ip_via, client_ip_header FROM sensors WHERE status = 'Enabled' AND name LIKE ? AND password LIKE ? LIMIT 0 , 1
2018-11-15T07:34:53.370923Z     2 Execute SELECT sensor_id, name, IP, client_ip_via, client_ip_header FROM sensors WHERE status = 'Enabled' AND name LIKE 'codilime' AND password LIKE 'BasicPassword' LIMIT 0 , 1
2018-11-15T07:34:53.371305Z     2 Close stmt
2018-11-15T07:34:53.373867Z     2 Prepare SELECT `tag_id`, `tag_name` FROM `tags`
                        UNION
                        SELECT `tag_id`, `tag_name` FROM `tags_custom`
2018-11-15T07:34:53.373967Z     2 Execute SELECT `tag_id`, `tag_name` FROM `tags`
                        UNION
                        SELECT `tag_id`, `tag_name` FROM `tags_custom`
2018-11-15T07:34:53.376797Z     2 Close stmt
2018-11-15T07:34:53.377350Z     2 Close stmt
2018-11-15T07:34:53.377417Z     2 Quit
2018-11-15T07:34:53.391273Z     3 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.391802Z     3 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.391883Z     3 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.395443Z     3 Close stmt
2018-11-15T07:34:53.395659Z     3 Quit
2018-11-15T07:34:53.457246Z     4 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.457803Z     4 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.457902Z     4 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.458897Z     4 Close stmt
2018-11-15T07:34:53.458960Z     4 Quit
2018-11-15T07:34:53.459190Z     5 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.459514Z     5 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.459579Z     5 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.460302Z     5 Close stmt
2018-11-15T07:34:53.460359Z     5 Quit
2018-11-15T07:34:53.464323Z     6 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.464730Z     6 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.464818Z     6 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.465528Z     6 Close stmt
2018-11-15T07:34:53.465581Z     6 Quit
2018-11-15T07:34:53.466299Z     7 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.466600Z     8 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.466607Z     7 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.466829Z     7 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.467134Z     9 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.467461Z     9 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.467549Z     9 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.468313Z     9 Close stmt
2018-11-15T07:34:53.468387Z     9 Quit
2018-11-15T07:34:53.470260Z     7 Close stmt
2018-11-15T07:34:53.470405Z     8 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.470459Z     7 Quit
2018-11-15T07:34:53.470616Z    10 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.470879Z     8 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.471205Z    10 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.471270Z    10 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.471817Z     8 Close stmt
2018-11-15T07:34:53.471963Z     8 Quit
2018-11-15T07:34:53.472039Z    10 Close stmt
2018-11-15T07:34:53.472145Z    10 Quit
2018-11-15T07:34:53.692145Z    11 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.692505Z    11 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.692577Z    11 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.693271Z    11 Close stmt
2018-11-15T07:34:53.693332Z    11 Quit
2018-11-15T07:34:53.700506Z    12 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.700956Z    12 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.701116Z    12 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.702006Z    12 Close stmt
2018-11-15T07:34:53.702045Z    12 Quit
2018-11-15T07:34:53.773901Z    13 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.774426Z    14 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.774716Z    13 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.774796Z    13 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.774995Z    15 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.775300Z    15 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.775452Z    15 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.776101Z    15 Close stmt
2018-11-15T07:34:53.776153Z    15 Quit
2018-11-15T07:34:53.776643Z    14 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.776779Z    14 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.777016Z    13 Close stmt
2018-11-15T07:34:53.777593Z    14 Close stmt
2018-11-15T07:34:53.777965Z    13 Quit
2018-11-15T07:34:53.778161Z    14 Quit
2018-11-15T07:34:54.013617Z    16 Connect waf@localhost on waf using Socket
2018-11-15T07:34:54.014143Z    16 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:54.014313Z    16 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:54.015245Z    16 Close stmt
2018-11-15T07:34:54.015282Z    16 Quit

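A small triage script for a MySQL general log like the one above, added here as an example and not part of waf-fle or of the poster's setup: it groups entries by connection id, joins multi-line statements, reports whether the sensor lookup ran and whether any INSERT/UPDATE followed it, and masks the sensor password literal that the general log records in clear. The sample log is constructed to match the shape of the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the MySQL general log quoted in the thread (abridged).
SAMPLE_LOG = """\
2018-11-15T07:34:53.358530Z     2 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.369283Z     2 Prepare SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.369603Z     2 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.370923Z     2 Execute SELECT sensor_id, name FROM sensors WHERE status = 'Enabled' AND name LIKE 'codilime' AND password LIKE 'BasicPassword' LIMIT 0 , 1
2018-11-15T07:34:53.373967Z     2 Execute SELECT `tag_id`, `tag_name` FROM `tags`
                        UNION
                        SELECT `tag_id`, `tag_name` FROM `tags_custom`
2018-11-15T07:34:53.377417Z     2 Quit
2018-11-15T07:34:53.391273Z     3 Connect waf@localhost on waf using Socket
2018-11-15T07:34:53.391883Z     3 Execute SELECT `waffle_version` FROM `version` LIMIT 1
2018-11-15T07:34:53.395659Z     3 Quit
"""

LINE_RE = re.compile(r"^(\S+Z)\s+(\d+)\s+(Connect|Prepare|Execute|Query|Close stmt|Quit)\s*(.*)$")
WRITE_RE = re.compile(r"^\s*(INSERT|UPDATE|REPLACE|DELETE)\b", re.IGNORECASE)
# The general log records the sensor password literal in clear; mask it before reporting.
PASSWORD_RE = re.compile(r"(password\s+(?:LIKE|=)\s*)'[^']*'", re.IGNORECASE)

def parse_general_log(text):
    """Group general-log entries by connection id, joining multi-line statements."""
    entries = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, conn_id, command, arg = m.groups()
            current = [command, arg]
            entries[int(conn_id)].append(current)
        elif current is not None:
            current[1] += " " + line.strip()  # continuation line of the previous statement
    return entries

def summarize(text):
    """Per connection: the sensor lookup (if any), the write statements, and the statement count."""
    report = {}
    for conn_id, cmds in parse_general_log(text).items():
        executed = [PASSWORD_RE.sub(r"\1'<redacted>'", arg) for cmd, arg in cmds if cmd == "Execute"]
        report[conn_id] = {
            "sensor_query": next((a for a in executed if "FROM sensors" in a), None),
            "writes": [a for a in executed if WRITE_RE.match(a)],
            "statements": len(executed),
        }
    return report
```

A connection whose report has a `sensor_query` but an empty `writes` list is exactly the symptom in this thread: the sensor authenticated, yet nothing was inserted.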

pawel.go...@codilime.com

Nov 16, 2018, 5:56:49 AM
to waf-fle
I had the same issue, cloned the 0.7.0-devel branch from https://github.com/klaubert/waf-fle and it works.


On Monday, January 22, 2018 at 2:11:15 PM UTC+1, Claudio Basso wrote: