LF_MODSEC fails silently with Apache 2.4 and MPM_EVENT
Posted: 25 Jan 2014, 09:18
Hello,
The current modsec Regex is in this file /usr/local/csf/bin/regex.pm:
$line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[:?error\] (\[pid \d+\] )?\[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/
This regexp fails to trigger on logged ModSec events when MPM_EVENT is installed, because the [pid] block changes to include the tid.
From:
[pid XXXX]
To:
[pid XXXX:tid XXXXXXXXXXXXXXX]
As a result, it's necessary to manually update the regex in the indicated file for LF_MODSEC blocks to trigger as expected.
Reproduce:
Build Apache 2.4, with mpm_event and modsec2
Tested on: cPanel 11.40
Unsure if this would affect other multi-threaded MPM types.
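Added example (not part of the original post and not csf's own code): a Perl check of the quoted pattern against constructed Apache 2.4 error-log lines, next to one possible relaxed pattern that tolerates the `:tid` suffix. The relaxed pattern, the helper name `client_of` and the sample lines are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern as quoted in the post; capture $2 is the client address.
my $original = qr/^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[:?error\] (\[pid \d+\] )?\[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/;

# Assumed variant: ":tid N" made optional inside the pid block. The group is
# non-capturing (?:...) so the client address stays in $2 for calling code.
my $relaxed = qr/^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[:?error\] (\[pid \d+(?::tid \d+)?\] )?\[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/;

# Hypothetical helper: client address captured by $re, or undef if no match.
# (\S+) returns the address exactly as logged, including any ":port" suffix.
sub client_of {
    my ($re, $line) = @_;
    return $line =~ $re ? $2 : undef;
}

# Constructed sample lines (documentation addresses, made-up pid/tid values).
my @samples = (
    [ 'pid only, blocked' =>
      '[Sat Jan 25 09:10:11.123456 2014] [:error] [pid 4321] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2).' ],
    [ 'pid:tid, blocked' =>
      '[Sat Jan 25 09:10:12.654321 2014] [:error] [pid 4321:tid 140211922241280] [client 203.0.113.5:51235] ModSecurity: Access denied with code 403 (phase 2).' ],
    [ 'pid:tid, warning only' =>
      '[Sat Jan 25 09:10:13.000001 2014] [:error] [pid 4321:tid 140211922241280] [client 203.0.113.5:51236] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score.' ],
);

# The second line is the silent failure from the post: the original pattern
# returns no match, the relaxed one returns the client. The third line must
# stay unmatched by both, since it is not an "Access denied" event.
for my $s (@samples) {
    my ($label, $line) = @$s;
    printf "%-22s original=%-20s relaxed=%s\n", $label,
        client_of($original, $line) // 'no match',
        client_of($relaxed,  $line) // 'no match';
}
```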