Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Logging Complete Requests in Apache 2.2 and 2.4 - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Logging Complete Requests in Apache 2.2 and 2.4

Apache has an interesting option to log complete requests, including the body of POST requests. The method has come in handy for honeypots. For a normal server, the logging is likely excessive (other then for debug purposes), and I do not think sensitive data can be masked like it mod_security.

The complete request logging uses the "mod_dumpio" module, which was introduced in Apache 2.2. In Apache 2.2, all you need to do is to enable the module, and set the log level:

DumpIOInput On
DumpIOLogLevel debug

In Apache 2.4, the logging system got revamped, and you now specify the log level per module using the LogLevel directive:

DumpIOInput On
LogLevel dumpio:trace7

​The logs will end up in your error log, and look like:

[Tue Apr 21 15:08:40.894950 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(63): [client 188.138.17.205:48510] mod_dumpio:  dumpio_in (data-HEAP): 26 bytes
[Tue Apr 21 15:08:40.894980 2015] [dumpio:trace7] [pid 15247] mod_dumpio.c(103): [client 188.138.17.205:48510] mod_dumpio:  dumpio_in (data-HEAP): GET /robots.txt HTTP/1.1\r\n

You can filter a particular request by greping for the client IP and port:

grep '188.138.17.205:48510' error.log

To make things more readable, I use this shell script (for the above log from 188.138.17.205 and port 48510)

grep '188.138.17.205:48510' error.log | cut -f8- -d':' | egrep -v ' [0-9]+ bytes$' | grep -v '^$' | cut -c2- | sed 's/\\r\\n//'

The output:

GET /robots.txt HTTP/1.1
Host: [redacted]:8080
Accept-Encoding: identity

The same module can also be used to log all output, which may come in handy to debug errors on SSL servers, but I haven't had a need to use that function yet.

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3551 Posts
ISC Handler
This is great info. Very detailed. Thanks for sharing!
Anonymous

Sign Up for Free or Log In to start participating in the conversation!