regex for ModSecurity log detection is incomplete

[aww+]

Hi, I have found a bug with the regex used to monitor apache error logs for modsecurity events.

As you have it now, it can only detect DENY events. It cannot however detect DROP events.

currently:

Code: Select all

\[error\] \[client (\S+)\] mod_security: Access denied with code/)) 
\[error\] \[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with code/)) 

Except DROP events use the log line:

Code: Select all

[error] [client x.x.x.x] ModSecurity: Access denied with connection close (phase 1).

(the phase 1 is optional and can vary, but the rest remains the same for DROP)

So it's never matched and CSF never catches the event to block the IP at iptables level.

Thanks for all the brilliant work on CSF!

[chirpy]

We'll add this in the next release. Thank you for reporting it.