Description
Issues identified:
1. Alert unique IDs issued by CentOS are 27 chars long instead of 24; throwing error
IPV6 not supported by now, sorry
Actions taken to fix:
- updated DB events.a_uniqid to support 27 chars
- modified /controller/index.php regex in phaseA from {24} to {27}
Solution suggested:
- modify waffle.sql definition for events.a_uniqid to CHAR(27) NOT NULL
- modify controller regex to either match 27 chars or to relax to any number of chars for compatibility with other OS (not sure on other types of systems what the length of the unique alert ID will be)
2. Missing default values for events.preserve and events.false_positive
Actions taken to fix:
- Alter DB fields to have default value 0
Solution suggested:
- modify waffle.sql to include DEFAULT '0' for the two fields under events table definition
3. For alerts which have no scoring (i.e. 400 Bad Request) the controller throws error that h_score_total, h_score_SQLi and h_score_XSS cannot be set to ""
Actions taken to fix:
- modify controller/index.php (around line 568) to set score to 0 instead of ""
    if (!isset($PhaseH['Score']['In_Total']) || is_null($PhaseH['Score']['In_Total'])) {
        $PhaseH['Score']['In_Total'] = "0"; //was ""
    };
    if (!isset($PhaseH['Score']['In_SQLi']) || is_null($PhaseH['Score']['In_SQLi'])) {
        $PhaseH['Score']['In_SQLi'] = "0"; //was ""
    };
    if (!isset($PhaseH['Score']['In_XSS']) || is_null($PhaseH['Score']['In_XSS'])) {
        $PhaseH['Score']['In_XSS'] = "0"; //was ""
    };
Solution suggested:
- modify /controller/index.php to have defaults set to 0 instead of ""
After making the above changes the sensors started to correctly upload data to the Server.
Still getting some more 500 Internal Server Error messages but I did not identify what the reasons are.
In general, after probing with some SQL injection, XSS, etc., I am satisfied that I see the events in the waffle dashboard.
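An added example, not part of the issue above and not WAF-FLE's own code: one way to accept both reported unique ID lengths (24 and 27) without relaxing the check to any length, and to coerce empty scores to 0 before they reach the database. The function names and the ID alphabet `[A-Za-z0-9@-]` (the one used by Apache mod_unique_id) are assumptions.

```php
<?php
// Added illustration; not WAF-FLE code. Function names are hypothetical.

// Lengths reported on this page: 24 (original regex) and 27 (CentOS sensor).
const UNIQID_LENGTHS = [24, 27];

/**
 * Return the ID if it is a well-formed alert unique ID, otherwise null.
 * Assumption: IDs use the mod_unique_id alphabet [A-Za-z0-9@-].
 */
function validate_uniqid(string $id): ?string
{
    // \z anchors at the true end of input; $ alone would accept a trailing newline.
    if (preg_match('/\A[A-Za-z0-9@\-]+\z/', $id) !== 1) {
        return null;
    }
    return in_array(strlen($id), UNIQID_LENGTHS, true) ? $id : null;
}

/**
 * Coerce a score that may be missing, null or "" to an integer,
 * so the h_score_* columns never receive an empty string.
 */
function normalize_score(array $scores, string $key): int
{
    $raw = $scores[$key] ?? null;
    if ($raw === null || $raw === '') {
        return 0;
    }
    // Reject non-numeric text instead of storing it.
    return ctype_digit((string)$raw) ? (int)$raw : 0;
}

// Constructed sample inputs.
$samples = [
    str_repeat('A', 24),                // 24 chars
    'Xk3@fQ-9' . str_repeat('b', 19),   // 27 chars
    str_repeat('A', 25),                // unexpected length
    str_repeat('A', 26) . "'",          // right length, bad character
];
foreach ($samples as $s) {
    printf("%-30s %s\n", $s, validate_uniqid($s) === null ? 'reject' : 'accept');
}

$phaseH = ['Score' => ['In_Total' => '', 'In_SQLi' => '5']];   // constructed
foreach (['In_Total', 'In_SQLi', 'In_XSS'] as $k) {
    printf("%s = %d\n", $k, normalize_score($phaseH['Score'], $k));
}
```

Keeping an explicit list of lengths means the sensor-supplied ID still fits the CHAR(27) column and a new platform's length has to be added deliberately rather than being accepted silently.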