Hello,
The current modsec Regex is in this file /usr/local/csf/bin/regex.pm:
$line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[:?error\] (\[pid \d+\] )?\[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/)
This regexp fails to trigger on logged ModSec events when MPM_EVENT is installed, because the [pid] block changes to include the tid.
From:
[pid XXXX]
To:
[pid XXXX:tid XXXXXXXXXXXXXXX]
As a result, it's necessary to manually update the regex in the indicated file for LF_MODSEC blocks to trigger as expected.
Reproduce:
Build apache 2.4, with mpm_event and modsec2
Tested on: cpanel 11.40
Unsure if this would affect other multi-threaded mpm types.
LF_MODSEC fails silently with Apache 2.4 and MPM_EVENT
-
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: LF_MODSEC fails silently with Apache 2.4 and MPM_EVENT
It would help if you copied an actual complete log line that you see.
Re: LF_MODSEC fails silently with Apache 2.4 and MPM_EVENT
Hello,
Here is the test case that we were using. I was actually working with DWells on this.
This is an example from the server:
[Sat Jan 25 00:47:27.694071 2014] [:error] [pid 885696:tid 140376444684032] [client 72.52.190.195]
This is from another server:
[Sat Jan 25 03:29:01.283100 2014] [:error] [pid 22729] [client 72.52.190.195]
The inclusion of the tid appears to be what is breaking the csf regex.
I am fairly sure that is because the server is using mpm_event.
Thanks,
-
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: LF_MODSEC fails silently with Apache 2.4 and MPM_EVENT
Thank you for that. We have a fix that will be included with the next release of csf that caters for the thread id if present.
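The mismatch discussed in this thread can be reproduced offline with the script below, an added example that is not code from csf or from any poster. It runs the pattern quoted in the first post and an adjusted one over constructed log lines; the adjusted pattern is an assumption about how an optional tid could be accepted, not the fix shipped with csf, and the client address and ModSecurity message text are made up.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern as quoted from regex.pm in the first post.
my $old = qr/^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[:?error\] (\[pid \d+\] )?\[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/;

# Assumed adjustment (not the csf patch): optional ":tid N" inside the pid
# block, non-capturing so the client address is still capture group 2.
my $new = qr/^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[:?error\] (\[pid \d+(?::tid \d+)?\] )?\[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/;

# Constructed log lines: the prefixes follow the two shapes shown in the
# thread; the client address and the message text are made up.
my @lines = (
    '[Sat Jan 25 03:29:01.283100 2014] [:error] [pid 22729] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "900001"]',
    '[Sat Jan 25 00:47:27.694071 2014] [:error] [pid 885696:tid 140376444684032] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "900001"]',
    '[Sat Jan 25 00:47:28.000000 2014] [:error] [pid 885696:tid 140376444684032] [client 203.0.113.10] File does not exist: /constructed/path',
);

# Return the client address if the pattern matches, undef otherwise.
sub client_of {
    my ($re, $line) = @_;
    return $line =~ $re ? $2 : undef;
}

for my $line (@lines) {
    my $old_ip = client_of($old, $line);
    my $new_ip = client_of($new, $line);
    printf "old=%-13s new=%-13s %.60s\n",
        $old_ip // 'no match', $new_ip // 'no match', $line;

    # A line that carries the denial text but escapes the pattern is the
    # silent failure from this thread: nothing is counted, nothing is blocked.
    if (!defined $new_ip && $line =~ /ModSecurity:.* Access denied with/) {
        warn "unparsed ModSecurity denial: $line\n";
    }
}
```

The final check is the part worth keeping after any Apache or MPM change: a denial line that no pattern parses is reported instead of being dropped without a trace.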
Re: LF_MODSEC fails silently with Apache 2.4 and MPM_EVENT
Hello,
Sweet, Thanks much.