
Standalone module no longer logs client IP to error log #3373


Closed
RedXanadu opened this issue May 9, 2025 · 3 comments
Labels
2.x Related to ModSecurity version 2.x

Comments

@RedXanadu

Describe the bug

The 2.9.8 release introduced a bug for the "standalone module" version of ModSecurity v2 whereby the client source IP address is no longer written to the error log.

This is a very big problem as it is common to rely on the error log output for the purposes of monitoring, resolving false positives, identifying attacks, producing statistics / reports / dashboards, and more. Without the client's IP address in the error logs these tasks become impossible.

This bug was introduced in PR #3192 during an effort to tidy error logging in v2 for Apache. The format strings that control error logging were altered to remove the explicit [client %s] output at the start of the log line. It seems that Apache will implicitly write this source IP information, making it redundant for ModSecurity to add. A standalone (Apache-less) compilation of ModSecurity requires the [client %s] information to be explicitly written to the error log as Apache is not present to implicitly write it.

Logs and dumps

Error log examples:

Before updating to ModSecurity 2.9.8:

2025-05-06T17:02:29+00:00 loadbalancer wafservice: [client 192.168.1.131] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec...

After updating to ModSecurity 2.9.8:

2025-05-06T15:46:11+00:00 loadbalancer wafservice: ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec. [file "/waf/3/REQ...

Notice that the [client 192.168.1.131] section is now gone. The client source IP address is no longer written to the error log at all.

To Reproduce

Compile ModSecurity v2.9.8 in standalone mode, trigger a rule, and observe that the source IP address of the client is omitted.

Expected behaviour

The client source IP address must always be written to the error log.

Server:

  • ModSecurity v2.9.8, standalone mode
  • WebServer: n/a
  • OS (and distro): Debian

Rule Set (please complete the following information):

  • OWASP CRS v3.3.7
@RedXanadu RedXanadu added the 2.x Related to ModSecurity version 2.x label May 9, 2025
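
A check a log pipeline could run after a ModSecurity upgrade to catch the regression reported above: it counts ModSecurity error-log lines that carry no usable `[client ...]` field. This is an added example, not code from the issue or from the ModSecurity project; the function names, the regular expression, and sample lines 3 and 4 are assumptions made for illustration.

```python
import ipaddress
import re

# Layout taken from the issue's samples: "<timestamp> <host> <tag>: <rest>".
# Assumption: the standalone build writes a bare IP inside [client ...].
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<tag>[^:\s]+): '
    r'(?:\[client (?P<client>[^\]]+)\] )?'
    r'ModSecurity: (?P<msg>.*)$'
)

def parse_line(line):
    """Parse one ModSecurity error-log line; return None for other lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    if rec["client"] is not None:
        try:
            rec["client"] = str(ipaddress.ip_address(rec["client"]))
        except ValueError:
            rec["client"] = None  # unparseable value counts as missing
    return rec

def audit(lines):
    """Return (counters, line numbers of ModSecurity lines with no client IP)."""
    stats = {"with_client": 0, "missing_client": 0, "other": 0}
    missing = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            stats["other"] += 1
        elif rec["client"] is None:
            stats["missing_client"] += 1
            missing.append(n)
        else:
            stats["with_client"] += 1
    return stats, missing

# Lines 1-2 are the two samples quoted in the issue (truncated there);
# lines 3-4 are constructed for this example.
SAMPLE = [
    '2025-05-06T17:02:29+00:00 loadbalancer wafservice: [client 192.168.1.131] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec...',
    '2025-05-06T15:46:11+00:00 loadbalancer wafservice: ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec. [file "/waf/3/REQ...',
    '2025-05-06T15:46:12+00:00 loadbalancer wafservice: worker started',
    '2025-05-06T15:46:13+00:00 loadbalancer wafservice: [client -] ModSecurity: Warning. constructed message',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-zero `missing_client` count on a host running the standalone build indicates that alerts are being written without attribution.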
@RedXanadu
Author

PR to fix this issue, for consideration:
Fixed by #3374

@airween
Member

airween commented May 9, 2025

Hi @RedXanadu,

many thanks for this report and for the fix. I'm going to review this soon and will merge your patch.

@airween
Member

airween commented May 14, 2025

Closed as completed via #3374.

Thank you @RedXanadu!

@airween airween closed this as completed May 14, 2025