Author Topic: mod_security logs/modsec_audit.log take huge space when upload big files  (Read 608 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
When I upload big video file 6GB via WordPress /usr/local/apache/logs/modsec_audit.log grow up with the same size what was the uploaded file

Audit log level is on: Only log noteworthy transactions.

As I understand in that log file goes all binary data that I uploaded.

Some of lines from logfile:
Code: [Select]
[Mon Jun 20 00:05:52.448489 2022] [:error] [pid 24801:tid 139940270749440] [client 10.10.120.6:44098] [client 10.10.120.6] ModSecurity: Warning. Pattern match "((?:[~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>]*?){8})" at REQUEST_COOKIES:wp-settings-1. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1384"] [id "942420"] [msg "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded ("] [data "Matched Data: =tinymce&libraryContent=browse&imgsize=large&advImgDetails=show& found within REQUEST_COOKIES:wp-settings-1: editor=tinymce&libraryContent=browse&imgsize=large&advImgDetails=show&hidetb=0&uploader=1&urlbutton=post"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/3"] [hostname "mysuperdomain.lv"] [uri "/wp-admin/admin-ajax.php"] [unique_id "Yq-PsB_fetPJ8REDDkdM1gAAAAE"], referer: https://mysuperdomain.lv/wp-admin/upload.php
[Mon Jun 20 00:05:52.448438 2022] [:error] [pid 24801:tid 139940270749440] [client 10.10.120.6:44098] [client 10.10.120.6] ModSecurity: Warning. Pattern match "((?:[~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>]*?){8})" at REQUEST_COOKIES:moove_gdpr_popup. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1384"] [id "942420"] [msg "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded ("] [data "Matched Data: {\\x22strict\\x22:\\x221\\x22,\\x22thirdparty\\x22 found within REQUEST_COOKIES:moove_gdpr_popup: {\\x22strict\\x22:\\x221\\x22,\\x22thirdparty\\x22:\\x221\\x22,\\x22advanced\\x22:\\x221\\x22}"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/3"] [hostname "mysuperdomain.lv"] [uri "/wp-admin/admin-ajax.php"] [unique_id "Yq-PsB_fetPJ8REDDkdM1gAAAAE"], referer: https://mysuperdomain.lv/wp-admin/upload.php

mod_security settings


Any suggestion on how to fix this?
« Last Edit: June 19, 2022, 09:23:59 PM by rolla »