Coraza not logging logs and audit logs #42
Comments
|
this logs is from coraza ? If that is, why all logs are generate on /var/log/syslog and not generate on the rute I specificated ? Feb 6 19:47:04 lab caddy[585]: {"level":"error","ts":1675730824.3300385,"logger":"http.handlers.waf","msg":"[client "192.168.152.1"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "0"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within ARGS:name: carlos or 1=1"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname ""] [uri "/?name=carlos%20or%201=1"] [unique_id "hEliunlRvPlEKAvH"]\n[client "192.168.152.1"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "0"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within ARGS:name: carlos or 1=1"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname ""] [uri "/?name=carlos%20or%201=1"] [unique_id "hEliunlRvPlEKAvH"]\n[client "192.168.152.1"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "0"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within ARGS:name: carlos or 1=1"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname ""] [uri "/?name=carlos%20or%201=1"] [unique_id "hEliunlRvPlEKAvH"]\n[client "192.168.152.1"] Coraza: Warning. SQL Injection Attack Detected via libinjection [file "/usr/share/caddy/waf/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "0"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within ARGS:name: carlos or 1=1"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname ""] [uri "/?name=carlos%20or%201=1"] [unique_id "hEliunlRvPlEKAvH"]\n"} |
|
@jptosso @jcchavezs Any inputs here? |
|
@jcchavezs @jptosso ping. |
|
@jcchavezs @jptosso ping 2. |
|
we completely rewrite the connector. Do you mind testing again with latest commit? At least the debug logging should be working fine. Audit we will tackle soon. |
|
Hello @jcchavezs when try to update caddy it's take v1.2.2 this is the final version of coraza-caddy? it's not will be 1.2.3 ? same error. |
|
The version with the rewritten connector is not yet tagged, you should be able to try it pointing directly to the commit ( |
|
I think the right syntax is xcaddy build --with
***@***.***
…On Tue, 4 Apr 2023, 19:45 Carlos Herrera, ***@***.***> wrote:
Hello @M4tteoP <https://github.com/M4tteoP> if used xcaddy with build
34daaf8
<34daaf8>
i got error invalid
go:
***@***.***:
invalid version: unknown revision 34daaf8
<34daaf8>
I used xcaddy build 34daaf8
<34daaf8>
--with github.com/corazawaf/coraza-caddy
—
Reply to this email directly, view it on GitHub
<#42 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAXOYAV2CB3NFMJA4P23R23W7RM2TANCNFSM6AAAAAAUPQYRVU>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
The right syntax should be this one: Edit: ops, JC has been faster :3 |
|
Hello @M4tteoP @jcchavezs You have right I can compile using xcaddy build --with github....coraza-caddy@build_hash But now the error change and I got a error with the CRS loaded. |
|
Unfortunately this is an issue with the file system as it does not like absolute paths. I tried different approaches and ended up creating my own library for merging filesystems because existing ones did have some opinions. This is the same issue as in jcchavezs/coraza-httpbin#4 (comment) which I will soon fix as soon as finish test the new merge library. |
|
@jcchavezs I would remove your coreruleset library from coraza-caddy until it is fixed. It's not such an important feature for the connector, and it's not even documented |
|
Yeah I will remove that. And reassess the os filesystem. |
|
In the other hand, the coreruleset library eases testing in this repo which
we really need it to avoid poor coverage. I'd rather make that work to not
to have to download CRS for ftw.
…On Wed, 5 Apr 2023, 14:28 José Carlos Chávez, ***@***.***> wrote:
The coreruleset library isn't the problem. Loading filesystem is and that
is what I am fixing.
On Wed, 5 Apr 2023, 14:28 Juan Pablo Tosso, ***@***.***>
wrote:
> @jcchavezs <https://github.com/jcchavezs> I would remove your
> coreruleset library from coraza-caddy until it is fixed. It's not such an
> important feature for the connector, and it's not even documented
>
> —
> Reply to this email directly, view it on GitHub
> <#42 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AAXOYAWDPIAWJ23JFDCCWL3W7VQNFANCNFSM6AAAAAAUPQYRVU>
> .
> You are receiving this because you were mentioned.Message ID:
> ***@***.***>
>
|
|
@carlos-herrer please do try this branch #52 |
|
Hello @jcchavezs, I got the same error Permission deny. with "SecDebugLog /var/log/coraza/coraza.log" with "SexDebugLogLevel 6" I got invalid sintax. |
|
Hey there, |
|
Still having the same problem. I builded caddy by xcaddy build --with github.com/corazawaf/coraza-caddy/v2@latest . All log just show on screen console. Can't find in any log file. |
|
I will look into this again. |
|
I changed the example to show logs #173. Unfortunately I did not face any issue with logs. |
Hi,
I am using coraza with caddy and trying to find the audit logs noted that it does not leave the audit log registers and when change the config SecAuditLog got a error:
If used a rute /var/log/audit/coraza_audit.log I got Permission deny
and If I used another rute in my case I try with /var/log/caddy/coraza_audit.log I got file don't found (if I create log file back permission deny)
All logs that i receive came from caddy log and not from the coraza
I try seting the config "SecDebugLog /var/log/coraza/coraza.log" with "SexDebugLogLevel 6" but not generate any file.
and if I using audit log "SecAuditLogDir /var/log/audit/audit_coraza.log", it's generate a permission error even with permission 777, only if using on /tmp/ folder not geting a error but it's not generate any file or log.
anyone knows how to fix the permission deny?
The text was updated successfully, but these errors were encountered: