• Dear Pleskians! The Plesk Forum will be undergoing scheduled maintenance on Monday, 7th of July, at 9:00 AM UTC. The expected maintenance window is 2 hours.
    Thank you in advance for your patience and understanding on the matter.

Issue Is it possible to add query-string in error_log (ModSecurity)?

Azurel

Azurel

Silver Pleskian
In subscription error_log I found this kind of entries:
Code: 
[Thu Apr 23 12:46:58.707718 2020] [:error] [pid 23156] [client 2600:.....:c6cb] ModSecurity:  [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "253"] [id "33340149"] [rev "152"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potential Cross Site Scripting Attack"] [data "shell:"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "(?:< ?i?frame ?src ?= ?(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/|(?:\\\\.add|\\\\@)import |asfunction\\\\:|background-image\\\\:|e(?:cma|xec)script|\\\\.fromcharcode|get(?:parentfolder|specialfolder)|\\\\.innerhtml|\\\\< ?input|(?:/|<) ?(?:java|live|j|vb)script!s| ..." at REQUEST_URI. [hostname "www.example.com"] [uri "/path1/path2/"] [unique_id "Xq....AE"]

Without the query string, however, this is not very helpful to be able to look up what the attack was or even to be able to change some of your parameters because false positive.
Is here a setting to add query string behind "[uri ...]"?
 
If I'm not mistaken, this is more a question for Atomic, not for Plesk. It's their ruleset.
 
You must log in or register to reply here.

Similar threads

lvalics
Download your Power Toys 4.8.0 version today ...
Replies
7
Views
4K
EhabH
E
Back
Top