waf-fle's Issues

Sensor in windows IIS

Hello,
Is it possible to configure a sensor for IIS?
I successfully configured ModSecurity on Windows and it is working.
I installed waf-fle on Debian and it is working.
But I cannot find a way to set up a sensor for IIS servers.

thanks.

Can't add source

When I try to add a source, it yields "A name is needed! ". I figured out that the variable Name was not being passed. This code has a lot of bugs, and it's highly unstable and unreliable... I appreciate the effort you put into this project, but it's just painful to install, maintain and configure.

Add new sensor - HTTP/1.1 500 Internal Server Error

Hello,
I have a CentOS with
WAF-FLE Version: 0.6.4
APC Cache extension: Extension APCu (4.0.7) loaded, enabled and turned "on" in WAF-FLE
APC Cache Timeout: 30 seconds
PHP version: 5.5.28
PHP Zend Version: 2.5.0
MySQL Version: 5.5.45

When I try to create a sensor, I receive HTTP/1.1 500 Internal Server Error.
In the log file I have:
Cannot modify header information - headers already sent by (output started at /usr/local/waf-fle_0.6.4/header.php:242) in /usr/local/waf-fle_0.6.4/functions.php on line 2502, referer: http://hide.me/waf-fle/management.php?New=Sensor

Any idea?

Thank you
Regards
Johny

Running on Centos 7 w/ Sensors having ModSec 2.9.2 on Apache 2.4.6

Issues identified:

1. Alert uniqueids issued by CentOS are 27 chars long instead of 24, throwing an error

IPV6 not supported by now, sorry

Actions taken to fix:

  • updated DB events.a_uniqid to support 27 chars
  • modified /controller/index.php regex in phaseA from {24} to {27}

Solution suggested:

  • modify waffle.sql definition for events.a_uniqid to CHAR(27) NOT NULL
  • modify controller regex to either match 27 chars or to relax to any number of chars for compatibility with other OS (not sure on other types of systems what the length of the unique alert ID will be)

2. Missing default values for events.preserve and events.false_positive

Actions taken to fix:

  • Alter DB fields to have default value 0

Solution suggested:

  • modify waffle.sql to include DEFAULT '0' for the two fields under events table definition

3. For alerts which have no scoring (i.e. 400 Bad Request) the controller throws error that h_score_total, h_score_SQLi and h_score_XSS cannot be set to ""

Actions taken to fix:

  • modify controller/index.php (around line 568) to set score to 0 instead of ""

if (!isset($PhaseH['Score']['In_Total']) || is_null($PhaseH['Score']['In_Total'])) {
    $PhaseH['Score']['In_Total'] = "0"; // was ""
}
if (!isset($PhaseH['Score']['In_SQLi']) || is_null($PhaseH['Score']['In_SQLi'])) {
    $PhaseH['Score']['In_SQLi'] = "0"; // was ""
}
if (!isset($PhaseH['Score']['In_XSS']) || is_null($PhaseH['Score']['In_XSS'])) {
    $PhaseH['Score']['In_XSS'] = "0"; // was ""
}

Solution suggested:

  • modify /controller/index.php to have defaults set to 0 instead of ""

After making the above changes the sensors started to correctly upload data to the Server.
Still getting some more 500 Internal Server Error messages but I did not identify what the reasons are.

In general, after probing with some sql injection, xss, etc, I am satisfied that I see the events in the waffle dashboard.

ModSecurity: Audit log: Failed to create subdirectories

pls help me to solve this
[:error] [pid 34915] [client 192.168.100.10:51750] [client 192.168.100.10] ModSecurity: Audit log: Failed to create subdirectories: /var/log/mlogc/data/20180714/20180714-1714 (Permission denied) [hostname "192.168.100.26"] [uri "/.noindex.html"] [unique_id "W0nM78slVvAqGUJmnQuyNQAAAAQ"]

IPv6

Dear All,

I see waf-fle as a useful tool to bring relevant information from the logs to the user.
But version 0.6.4 can't handle IPv6 traffic.
Is there an idea to make this great tool IPv6 ready?
After all IPv6 is 20 years old.

Kind regards
Hans

cannot create sensor

CentOS, SELinux, Apache 2.4, modsecurity 2.9, PHP 7.22. Almost flawless install (some issues with SELinux, but solved). Cannot create sensor. First error, "A name is needed!" even if the name was provided. In the logs, lots of lines like this:
[Tue Oct 15 15:43:36.617918 2019] [php7:warn] [pid 32678] [client 193.230.189.1:63773] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 176, referer: https://www.itworks.ro/waf-fle/login.php
[Tue Oct 15 15:43:36.618248 2019] [php7:warn] [pid 32678] [client 193.230.189.1:63773] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 493, referer: https://www.itworks.ro/waf-fle/login.php
[Tue Oct 15 15:43:36.618592 2019] [php7:warn] [pid 32678] [client 193.230.189.1:63773] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 433, referer: https://www.itworks.ro/waf-fle/login.php
[Tue Oct 15 15:43:36.618930 2019] [php7:warn] [pid 32678] [client 193.230.189.1:63773] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 365, referer: https://www.itworks.ro/waf-fle/login.php
[Tue Oct 15 15:43:36.619226 2019] [php7:warn] [pid 32678] [client 193.230.189.1:63773] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 399, referer: https://www.itworks.ro/waf-fle/login.php
[Tue Oct 15 15:43:36.619985 2019] [php7:warn] [pid 32678] [client 193.230.189.1:63773] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 278, referer: https://www.itworks.ro/waf-fle/login.php
[Tue Oct 15 15:43:36.621339 2019] [php7:warn] [pid 32678] [client 193.230.189.1:63773] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 542, referer: https://www.itworks.ro/waf-fle/login.php
[Tue Oct 15 15:43:36.621694 2019] [php7:warn] [pid 32678] [client 193.230.189.1:63773] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 577, referer: https://www.itworks.ro/waf-fle/login.php
[Tue Oct 15 15:43:36.622006 2019] [php7:warn] [pid 32678] [client 193.230.189.1:63773] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 610, referer: https://www.itworks.ro/waf-fle/login.php

I tried another browser and got "Internal server error". Since then, with any browser I try, I get in the logs:

[Tue Oct 15 15:44:05.985715 2019] [php7:warn] [pid 32617] [client 193.230.189.1:63810] PHP Warning: Cannot modify header information - headers already sent by (output started at /usr/local/waf-fle/header.php:74) in /usr/local/waf-fle/functions.php on line 2502, referer: https://www.itworks.ro/waf-fle/management.php?New=Sensor
[Tue Oct 15 15:44:05.985746 2019] [php7:warn] [pid 32617] [client 193.230.189.1:63810] PHP Warning: Cannot modify header information - headers already sent by (output started at /usr/local/waf-fle/header.php:74) in /usr/local/waf-fle/functions.php on line 2503, referer: https://www.itworks.ro/waf-fle/management.php?New=Sensor

PLEASE HELP :(

Show preserved events

I can preserve events. But how can I find my preserved events in a database with thousands of events? There should be such a possibility, for example in the filter.

Install problem

I can't get the setup.php page after I have input the URL http://localhost/waf-fle/controller, which displays a blank page. The Apache2 access log looks like this:
192.168.9.250 - - [18/Mar/2015:14:28:05 +0800] "GET /waf-fle/controller/setup.php HTTP/1.1" 404 226

the error log:
[Wed Mar 18 14:28:05.048030 2015] [:error] [pid 23770:tid 140372944611072] [client 192.168.9.250:60006] script '/usr/local/waf-fle/controller/setup.php' not found or unable to stat

PHP Warning: Cannot modify header information - headers already sent

Dear All,

I installed waf-fle 0.6.4 on Debian 10 with Apache 2.4.38, php 7.3.19 and MySQL 8.0.20
When I open my Browser Chrome I see some empty areas in the HOME tab. But when I click on "EVENTS" I get an error "HTTP/1.1 500 Internal Server Error". In Apache error log there is

PHP Warning: Cannot modify header information - headers already sent by (output started at /usr/local/waf-fle_0.6.4/header.php:74) in /usr/local/waf-fle_0.6.4/functions.php on line 1536, referer: http://xxxxxxxxx/waf-fle/index.php

Nothing happens when I click on "FILTER".
MANAGEMENT shows Sensors, Users and Info. But when I try to edit a sensor I get this error 500 too. The error log in Apache is slightly different:

PHP Warning: Cannot modify header information - headers already sent by (output started at /usr/local/waf-fle_0.6.4/header.php:74) in /usr/local/waf-fle_0.6.4/functions.php on line 2503, referer: http://xxxxxxxxx/waf-fle/management.php?s&edit&sensor=1

But it includes always this "Cannot modify header information - headers already sent"

As I ran waf-fle successfully for more than 2 years on a different Debian server (which does not exist anymore) with Apache 2.4.10 and PHP 5.6.13, I thought it's maybe an issue of PHP 7. So I installed within a Docker container Apache 2.4.10 with PHP 5.6.40, because I couldn't find a container with the same PHP version. But with this combination I ran into exactly the same issues.

Any ideas what to do?

Kind regards
Hans

error creating sensor

hello there ;-)

first of all thanks a lot for waf-fle!

installed it on an opensuse 13.1 box with apache 2.4.6, php 5.4.20 and modsecurity 2.6.7 with CRS 2.2.5

installed waf-fle according to the setup instructions and all went sort of fine, but when trying to create a sensor the following error comes up. The sensor was created without the checkbox "use client IP from header" and an empty input field for that option:

HTTP/1.1 500 Internal Server Error Error (saveSensor) Message: SQLSTATE[22007]: Invalid datetime format: 1366 Incorrect integer value: '' for column 'client_ip_via' at row 1 Error (saveSensor) getTraceAsString: #0 /srv/ssl/waffle/waffle/functions.php(2502): PDOStatement->execute() #1 /srv/ssl/waffle/waffle/dashboard/management.php(173): saveSensor('new', 'sensor', NULL, 'description', 1, '123456', false, NULL) #2 {main}

if I create a sensor and fill in ALL fields, and check the box "use client IP from header" with an input field value of X-Forwarded-For, then no error triggers and the sensor is stored in the database ...

how can I fix this?

thanks & greetings
becki

mlog2waffle stops sending events after 5 non-matches

I noticed that sometimes the mlog2waffle process stops sending events to the web interface. I would notice this by seeing 0 events in the interface past a certain point in time. The only way to get around this and get records flowing again was to delete the modsec logs, mlog2waffle data directory, and offset file.

Around line 526 of the Master branch, this code stops mlog2waffle from sending more events to the web interface.
} elsif ($MODE eq "batch" && $loop > 5 && $queue->pending() == 0) {

I believe this is happening when 5 events don't match the preceding regular expression. I found this occurring on a regular basis in my logs, so I've increased the "$loop > 5" to a higher number (10 worked for me, but I've updated it to 99 just in case).

IIS 8.5

Is it possible to run WAF-FLE under IIS 8.5?

Performance problem with Sensors page loading

I have a really big problem with showing the Sensors page and with adding a new sensor to the waf-fle database. The cause of this problem is that I have tons of events in the database. Actually I have 17 sensors with about 2 million events. When I click the Management link, waf-fle counts events per each sensor from the whole number of events in the database. This is a big problem for the database even when I have deployed waf-fle in a distributed environment (separated waf-fle and database). While the counting is in progress, mlog2waffle collectors are not able to send events to the database, because of the busy database server (perhaps). I will have about 80 sensors in the near future and probably about 500000 events per day (now it is about 100000 per day), so I need to solve this problem. Maybe the counting should not be performed automatically, but instead the administrator should have the opportunity to count events per sensor if he wishes.

Dynamic Rule Messages not being recorded correctly

When a rule_message is logged it uses the following SQL:

$sql_ruleMessage = 'INSERT IGNORE INTO rule_message (message_ruleId, message_ruleMsg) VALUES (:MessageRuleId2, :MessageMsg)';

So, the next time the same ruleId is used, it doesn't do anything but links to the existing rule and message. So, the 1st ruleMsg logged is the one that applies to that rule forever.

The problem with this is that some ruleMsg text changes per call, such as the inclusion of the source IP address e.g. Denial of Service (DoS) Attack Identified from x.x.x.x (y hits since last alert).

We can't do INSERT ... ON DUPLICATE KEY UPDATE because then the latest message will always be the one shown.

Waf-fle login authentication issue

Once I finished my waf-fle setup, I can't log in to the portal, which is http://xx.xx.com/waf-fle/login.php
It always says "Invalid Username or Password", however many times you enter it. It only allows login when you set up; once you sign out you can't log in again.

Pls if anyone finds a solution for this let me know here.

I'm implementing on google cloud Debian.

error install the Mlog2waffle

Hi,
When I install mlog2waffle on CentOS 7 using the yum install perl* command, I get the error:
Error: Package: perl-Class-Accessor-0.31-6.1.el6.noarch (/perl-Class-Accessor-0.31-6.1.el6.noarch)
Requires: perl(:MODULE_COMPAT_5.10.1)
Error: Package: perl-File-Pid-1.01-2.el6.noarch (/perl-File-Pid-1.01-2.el6.noarch)
Requires: perl(:MODULE_COMPAT_5.10.1)
Error: Package: perl-File-Tail-0.99.3-8.el6.noarch (/perl-File-Tail-0.99.3-8.el6.noarch)
Requires: perl(:MODULE_COMPAT_5.10.1)
Even if I use rpm to install perl-File-Pid and perl-File-Tail, the result is the same error.
The perl info:
[root@localhost mlog2waffle]# perl -v
This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux
Copyright 1987-2012, Larry Wall

logs are not generated with concurrent (secAuditLogType)

Hi,

In /etc/modsecurity/modsecurity.conf file,
if I keep
'SecAuditLogType' as 'Serial'
then it is working fine and storing the logs.

But when I change it to 'Concurrent' mode it is not storing logs
(Note: I've uncommented the 'SecAuditLogStorageDir' )

Thank you

Event Feeder Wizard is being reset everytime

Hi,

After setting all the values in the event feeder wizard and changing configurations accordingly, how do I save them to keep them persistent?

For me, they are being reset just after closing tab.

Thank you.

Compatibility with modsecurity 2.9 on Ubuntu 16.4

Hi,
I am using Ubuntu 16.4 for modsecurity 2.9. Now it is not working when I am using the waf-fle tools for it.
When i add sensor, it is showing 503 error.
I am using latest version of Php 7.0. Is it OK or NOT

please help.

WAF-FLE for the Nginx

Hi @klaubert @dmitrijn ,
Do we have a version for Nginx? I deployed waf-fle to receive the log from modsecurity on nginx. The data types of some fields do not fit the events table.
#0 /usr/local/waf-fle/controller/index.php(670): PDOStatement->execute()
#1 {main}pos2

exception 'PDOException' with message 'SQLSTATE[01000]: Warning: 1265 Data truncated for column 'a_client_ip_cc' at row 1' in /usr/local/waf-fle/controller/index.php:670

exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1366 Incorrect integer value: '' for column 'f_content_length' at row 1' in /usr/local/waf-fle/controller/index.php:670

Although I can get the data from mlogc and write it to the events table, I have changed too many data types of the events table, and the data cannot be displayed in the event web page.

any advice is appreciated!

No data in Rules Alert

Hi

I have deployed WAF-FLE to receive the log from mlogc. Now I can get the data, but the column Rules Alert in Events is blank and the Top Rules in HOME is also blank. I can get the event from "the RAW Transaction download". Any advice is appreciated!

--b1afcb61-A--
[10/Apr/2015:10:01:26 +0800] A1GcccAJA6AdjXAcAcGcAckc 192.168.1.250 56581 127.0.0.1 80
--b1afcb61-B--
GET /uploadfiles/member/ HTTP/1.1
Host: www.352.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.352.com/harborII/harborCoRequireAction!queryCooperateRequires.dox
Cookie: JSESSIONID=;
Connection: keep-alive

--b1afcb61-E--

<title>403 Forbidden</title>

403 Forbidden


nginx

--b1afcb61-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Content-Length: 162
Connection: keep-alive

--b1afcb61-K--
SecAction "phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"

SecAction "phase:1,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"

SecAction "phase:1,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=5,setvar:tx.outbound_anomaly_score_level=4,nolog,pass"

SecAction "phase:1,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"

SecAction "phase:1,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"

SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"

SecRule "&TX:REAL_IP" "@eq 0" "phase:1,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"

--b1afcb61-Z--

Execution error - PCRE limits exceeded handling

There is problem with handling auditlog event with "PCRE limit exceeded" message. This message is not parsed and in the console is blank "Rules Alert" column (see attached screenshot).

--7ce28b56-H--
Message: Rule 7ffe2d89f328 [id "981252"][file "/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "231"] - Execution error - PCRE limits exceeded (-8): (null).
Apache-Handler: application/x-httpd-php
Stopwatch: 1393227138277910 742201 (- - -)
Stopwatch2: 1393227138277910 742201; combined=37219, p1=254, p2=36799, p3=3, p4=143, p5=19, sr=77, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.8 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
WebApp-Info: "some" "-" "-"

pcre

issue in create the database

After I click the upgrade database button, it displays the following error info:
WAF-FLE 0.6 Setup

Database created successfully.
Starting to import old data. Please be patient...
There are 0 events in old database.

SQLSTATE[42S22]: Column not found: 1054 Unknown column 'a_full' in 'field list'

I find that the column 'a_full' exists in the table events_full_sections. How do I deal with it?

sql error with mlogc and /controller/

hello there again,

when mlogc tries to send its data to the waf-fle controller I get the following SQL errors:

Error (insert events) Message: SQLSTATE[HY000]: General error: 1364 Field 'preserve' doesn't have a default value

Error (insert events) getTraceAsString: #0 /srv/ssl/waffle/waffle/controller/index.php(670): PDOStatement->execute()
#1 {main}

Error (insert events) Message: SQLSTATE[HY000]: General error: 1364 Field 'false_positive' doesn't have a default value

Error (insert events) getTraceAsString: #0 /srv/ssl/waffle/waffle/controller/index.php(670): PDOStatement->execute()
#1 {main}

if I then edit the database structure and add a default value for those fields, then the next error shows up:

Error (insert events) Message: SQLSTATE[22007]: Invalid datetime format: 1366 Incorrect integer value: '' for column 'h_apache_error_line' at row 1

Error (insert events) getTraceAsString: #0 /srv/ssl/waffle/waffle/controller/index.php(670): PDOStatement->execute()
#1 {main}

I'm using the latest waf-fle version 0.6.4 on an openSUSE 13.1 with PHP 5.4.20, Apache 2.4.6, modsecurity 2.6.7 and CRS 2.2.5, and MySQL with MariaDB 5.5.33

any help on fixing this and getting mlogc to store its data inside waf-fle would be more than awesome ;-)

thanks for waf-fle and for your help & time

greetings
becki

Documentation: How to set limits on data

The documentation does not say. How do I prevent the MariaDB database from growing infinitely? Is there a way to limit the number of events stored, such as "Only keep a month's worth of data?"

Can't create the sensor

When I add a new sensor, after I have input the necessary values in the fields, I get the error info: HTTP/1.1 500 Internal Server Error, but I can't find the error in the ERROR_LOG.

any advice is appreciated

Logs are not imported into database

Hi,

I'm using 'mlogc' in 'Piped mode'.

Logs are getting stored in 'SecAuditLogStorageDir' but not forwarding to 'waffle' database.

Any suggestion will be helpful.

Thank you.

Waf-fle controller returns http response code 405

Hi ! I've spent 2 days trying to get my mlogc to Waf-fle(Nginx+php-fpm) working but no way :(

The farthest I've reached, I've met this 405 response code.

My config 🎱
.................................................................................................
Client-sensor side:
.................................................................................................

Relevant mlogc.conf

CollectorRoot "/usr/local/apache/logs/mlogc"
ConsoleURI "http://waffle.mydomain.net:81/controller/"
SensorUsername "sensorXX"
SensorPassword "mypasswd"

Relevant modsec conf

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIDEFGHZ
SecAuditLogType Concurrent
SecAuditLogStorageDir /usr/local/apache/logs/mlogc/data
SecDebugLogLevel 3
SecAuditLog logs/modsec_audit.log

modsec pushed to mlogc by cron

*/5 * * * * /usr/local/sbin/push-mlogc.sh > /tmp/mlog.log 2>&1

.................................................................................................
Server Waf-fle side:
.................................................................................................

mysql -e "select * from sensors;" waffle
+-----------+-------+----------+--------------+-------------+------+---------+---------------+------------------+
| sensor_id | name | password | IP | description | type | status | client_ip_via | client_ip_header |
+-----------+-------+----------+--------------+-------------+------+---------+---------------+------------------+
| 1 | sensorXX | mypasswd | x.y.z.w | cp500 | 1 | Enabled | 1 | x.y.z.w |
+-----------+-------+----------+--------------+-------------+------+---------+---------------+------------------+

The collecting takes place every 5 minutes (as cron shows)

And the server waffle log then shows multiple:

"PUT /controller/ HTTP/1.1" 405 172 "-" "-"

And the sensor side shows at debug level log:

[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN Date: Tue, 19 May 2015 14:35:02 GMT
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN Content-Type: text/html
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN Content-Length: 172
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN Connection: keep-alive
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: HEADER_IN
[Tue May 19 16:35:07 2015] [5] [538981/7fbd00000ed0] CURL: DATA_IN
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] CURL: Connection #0 to host waffle.mydomain.net left intact
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] Request returned with status "405 Not Allowed": VVlAPiU7H6oAClzXTzMAAAAB
[Tue May 19 16:35:07 2015] [2] [538981/7fbd00000ed0] Flagging server as errored after failure to submit entry VVlAPiU7H6oAClzXTzMAAAAB with HTTP response code 405: Not Allowed
[Tue May 19 16:35:07 2015] [4] [538981/7fbd00000ed0] Sleeping for 50 msec.

........I am completely dumb and unable to get it working :(

issue in create the database

After I click the upgrade database button, it displays the following error info:
WAF-FLE 0.6 Setup

Database created successfully.
Starting to import old data. Please be patient...
There are 0 events in old database.

SQLSTATE[42S22]: Column not found: 1054 Unknown column 'a_full' in 'field list'

How to deal with it?

Logwatch like summaries

I was wondering if it would be possible to implement logwatch like reporting in waf-fle. I would find it great if a report was sent by email daily containing a summary of the daily events. Waf-fle is great but requires someone to log in regularly. Some of the features I would like to see are:

  1. The summary to be sent by email to specific email addresses (configurable).
  2. The summary to contain the info that is gathered in the home page of waf-fle
  3. The summary to be configurable
  4. User contributed summaries. Maybe we can write summaries, (SQL, PHP) and contribute them to the community. This way each user can have the reports he wants without bothering the developer.

I believe it is not easy to have normal logwatch scripts from the server mod_security is running, because logs are not stored in a single file. I think setting SecAuditLogType Concurrent in mod_security is a requirement for waf-fle so extracting summaries is not easy from the server. Apart from that, in waf-fle it is easy to have summaries from multiple sensors that could be very important.

Do you think you could implement this feature or at least create the API for us to write our own summaries (even in PHP)? Would it be easy for me to implement it without modifying your core code?

Thanks in advance
Panagiotis

IP address filter doesn't do what it should

When I define a filter for an IP address without a netmask or with netmask 32, the filter does what it should do, so I can see only events related to this IP. But when I define an IP with a netmask (for example 192.168.1.0/24), the filter doesn't do what it should. I can see a lot of other IP addresses outside the defined network in the output. I tried debugging, but I couldn't see any problems. I am not able to locate the problem in the code. Everything seems to be OK. Need help.

Roadmap

Klaubert, could you publish a roadmap for waf-fle? I think everybody who is interested in waf-fle wants to know what we can look forward to. I appreciate your work on this great piece of software, but it would be nice to know what is planned for the future. Maybe someone can help you.

HTTP 500 due to query error - table not found

What steps will reproduce the problem?
1. Install waf-fle and MySQL server on the same machine (VM).
2. Access remotely from another machine.
3. Do the setup normally.
4. Try to login.

I expect the login page to open, but instead the server gives me an HTTP 500 error like this one ($Debug = true;):

HTTP/1.1 500 Internal Server Error Error (DatabaseVersion) Message: SQLSTATE[42S02]: Base table or view not found: 1146 Table 'waffle.version' doesn't exist Error (DatabaseVersion) getTraceAsString: #0 /opt/waf-fle/functions.php(135): PDO->prepare('SELECT `waffle_...') #1 /opt/waf-fle/dashboard/login.php(20): require_once('/opt/waf-fle/fu...') #2 {main} Error in database query!

I'm using version 0.6.4 on a Debian Jessie machine (VM), and accessing remotely from a Debian Jessie machine.

Since it was a database error, I went to check the databases. It turned out that there were no tables in the waffle database. The setup was not creating the tables, only the database. I tried the setup with the root login and pass. For the client IP I tried with localhost and with the IP of the machine I was accessing remotely from.

Error while creating new sensor

I had a Centos 7
Waf-Fle version 0.6.4
Mysql version 5.6.38

I had created Waf-fle yesterday and it was fine, but when I wanted to create a sensor (I had not created any sensor for waf-fle yet) I found this error:
HTTP/1.1 500 Internal Server Error Error (saveSensor) Message: SQLSTATE[HY000]: General error: 1366 Incorrect integer value: '' for column 'client_ip_via' at row 1 Error (saveSensor) getTraceAsString: #0 /usr/local/waf-fle/functions.php(2500): PDOStatement->execute() #1 /usr/local/waf-fle/dashboard/management.php(173): saveSensor('new', 'Waf-test', '192.168.26.23', 'test3', 1, 'waftest123', false, NULL) #2 {main}

Can you help me with that please? @klaubert
Thanks :)
Best regard

Controller cannot retrieve data from mlogc for Server version: Apache/2.4.6 (CentOS)

I've tried to diagnose the issue and the string gets stuck at:

https://github.com/klaubert/waf-fle/blob/master/controller/index.php
Line 85

Phase A
if (preg_match('/^--[a-f0-9]+-[BCEFHIKZ]--$/i', trim($BODY[$line]))) {
    break;
}

This is my $BODY[$line]

-bdc00616-A--
[12/Aug/2015:00:18:29 +0800] VcogVUWrijQmSCa2jQ1Z-AAAAAs 2.2.2.2 62315 1.1.1.1 80
--bdc00616-B--

I have no problem with other apache server and have installed 8 sensors without any problem.
This is a sample of a success $BODY[$line]

--7a8d2675-A--
[12/Aug/2015:00:18:55 +0800] VcogbX8AAAEAACdPb4wAAAAE 2.2.2.2 55002 1.1.1.1 80
--7a8d2675-B--

Working On : Apache/2.2.15 (CentOS)
Not Working On : Apache/2.4.6 (CentOS)
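The two reports above (27-char unique_ids on CentOS/Apache 2.4 that overflow the CHAR(24) column, and the single-dash boundary line that the controller's phase A check rejects) share one root: a parser that is stricter than the audit log it receives. The following is an added example, not waf-fle code: a small Python parser for ModSecurity audit-log entries with a strict boundary regex (as quoted from the controller) beside a relaxed one, plus the unique_id width check the issue suggests relaxing. The sample entries are constructed from the part-A lines quoted above; the B-part request and the `example.invalid` host are made up.

```python
import re
from dataclasses import dataclass, field

# Boundary regexes. STRICT mirrors the shape of the controller's check quoted in
# the issue (two leading dashes); RELAXED also accepts the single-dash boundary
# seen on the Apache 2.4.6 sensor. Both are assumptions of this example.
STRICT_BOUNDARY = re.compile(r'^--([a-f0-9]+)-([A-Z])--$', re.I)
RELAXED_BOUNDARY = re.compile(r'^-{1,2}([a-f0-9]+)-([A-Z])--$', re.I)

# Part A: "[timestamp] unique_id src_ip src_port dst_ip dst_port".
# The unique_id class admits '-' and '@', which appear in ids quoted on the page.
PART_A = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<uid>[A-Za-z0-9@_-]+)\s+'
    r'(?P<src_ip>\S+)\s+(?P<src_port>\d+)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\d+)$'
)


@dataclass
class AuditEntry:
    boundary_id: str
    parts: dict = field(default_factory=dict)  # part letter -> list of lines


def split_entry(text, relaxed=False):
    """Split one audit-log entry into its lettered parts.

    Returns None when no recognised boundary opens the entry, which is the
    condition under which the controller in the issue stops at phase A.
    """
    boundary = RELAXED_BOUNDARY if relaxed else STRICT_BOUNDARY
    entry = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = boundary.match(line)
        if m:
            if entry is None:
                entry = AuditEntry(m.group(1))
            elif m.group(1) != entry.boundary_id:
                raise ValueError("boundary id changed inside entry")
            current = m.group(2).upper()
            entry.parts.setdefault(current, [])
            continue
        if entry is None:
            if not line:
                continue          # leading blank lines are harmless
            return None           # first real line is not a boundary: bail
        entry.parts[current].append(raw)
    return entry


def parse_part_a(entry):
    """Parse the first non-empty line of part A into its fields."""
    lines = [l for l in entry.parts.get('A', []) if l.strip()]
    if not lines:
        raise ValueError("entry has no part A")
    m = PART_A.match(lines[0].strip())
    if not m:
        raise ValueError("part A line does not match: %r" % lines[0])
    d = m.groupdict()
    d['src_port'] = int(d['src_port'])
    d['dst_port'] = int(d['dst_port'])
    return d


def check_uniqueid(uid, column_width=24):
    """Return an error string if uid would not fit an events.a_uniqid column
    of the given width, or None if it fits. Widening the column to 27 (the
    fix suggested in the CentOS issue) clears the 27-char ids."""
    if len(uid) > column_width:
        return "unique_id %r is %d chars, column holds %d" % (uid, len(uid), column_width)
    return None


# Constructed samples, built from the two part-A lines quoted in the issue.
ENTRY_24 = """--7a8d2675-A--
[12/Aug/2015:00:18:55 +0800] VcogbX8AAAEAACdPb4wAAAAE 2.2.2.2 55002 1.1.1.1 80
--7a8d2675-B--
GET / HTTP/1.1
Host: example.invalid

--7a8d2675-Z--
"""

ENTRY_27 = """-bdc00616-A--
[12/Aug/2015:00:18:29 +0800] VcogVUWrijQmSCa2jQ1Z-AAAAAs 2.2.2.2 62315 1.1.1.1 80
--bdc00616-B--
GET / HTTP/1.1
Host: example.invalid

--bdc00616-Z--
"""

if __name__ == "__main__":
    for name, text in (("apache-2.2", ENTRY_24), ("apache-2.4", ENTRY_27)):
        strict = split_entry(text)
        relaxed = split_entry(text, relaxed=True)
        fields = parse_part_a(relaxed)
        print(name, "strict:", "ok" if strict else "rejected",
              "uid:", fields['uid'], check_uniqueid(fields['uid']) or "fits CHAR(24)")
```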

"Controller"

Dear,

I'm having problems with "/controller".

image

It is giving unauthorized access. code 403.

Below is the permission in the directory.
image

Help?

Failed to send the Log

Hi All,
I have installed waf-fle on a server, so I can visit http://192.168.9.162/waf-fle/login.php. I have got the following info after configuring the sensor.

# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIDEFGHZ
SecAuditLogType Concurrent
SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
-> The value that I have changed in the modsecurity.conf according to the folder where mlogc is installed

# Specify the path for concurrent audit logging.
SecAuditLogStorageDir /log/modsecurity/data

... Continue with your current modsecurity.conf

Using the following command to initiate mlogc:
./mlogc-batch-load.pl /log/modsecurity/data /usr/local/modsecurity/bin/mlogc /etc/mlogc.conf

The error info in mlogc-error.log:

[Wed Jan 28 08:58:25 2015] [3] [30569/0] Configuring ModSecurity Audit Log Collector 2.9.0-RC2.
[Wed Jan 28 08:58:25 2015] [3] [30569/0] Delaying execution for 5000ms.
[Wed Jan 28 08:58:32 2015] [3] [30569/0] Loaded 10948 entries from the queue file.
[Wed Jan 28 08:58:32 2015] [2] [30569/7f8d140009c0] Invalid entry (failed to match regex): SZ-TEST-RD01 192.168.1.250 - - [19/Jan/2015:17:08:19 +0800] "POST /communication/getPartnerInfo.do HTTP/1.1" - 186 "http://www.352.com/\" "-" AcAcAcJJkcAcAcA1A@AcMcAg "-" /20150119/20150119-1708/20150119-170819-AcAcAcJJkcAcAcA1A@AcMcAg 0 1576 md5:90f7408c67e767c785a7c36f4cf4cb72
[Wed Jan 28 08:58:32 2015] [2] [30569/7f8d140009c0] Invalid entry (failed to match regex): SZ-TEST-RD01 192.168.1.250 - - [19/Jan/2015:17:12:37 +0800] "POST /communication/getPartnerInfo.do HTTP/1.1" - 186 "http://www.352.com/information/financing_list.jsp?type=%E8%B5%84%E4%BA%A7&typeName=%E6%94%B6%E8%B4%B9%E6%9D%83\" "-" AcocAcbc6cAcKcAyAcAcAcAc "-" /20150119/20150119-1712/20150119-171237-AcocAcbc6cAcKcAyAcAcAcAc 0 1710 md5:274199c512e5a369bc2139bacc073bb7
[Wed Jan 28 08:58:32 2015] [2] [30569/7f8d140009c0] Invalid entry (failed to match regex): SZ-TEST-RD01 192.168.1.250 - - [19/Jan/2015:17:12:37 +0800] "POST /common/memberLogin.jsp HTTP/1.1" - 186 "http://www.352.com/information/financing_list.jsp?type=%E8%B5%84%E4%BA%A7&typeName=%E6%94%B6%E8%B4%B9%E6%9D%83\" "-" Acac@cABAcjxAsAcBcAcjcAc "-" /20150119/20150119-1712/20150119-171237-Acac@cABAcjxAsAcBcAcjcAc 0 1781 md5:62fc43657f77210ec82b415784430155
[Wed Jan 28 08:58:32 2015] [2] [30569/7f8d140009c0] Invalid entry (failed to match regex): SZ-TEST-RD01 192.168.1.250 - - [19/Jan/2015:17:12:13 +0800] "POST /communication/getPartnerInfo.do HTTP/1.1" - 186 "http://www.352.com/\" "-" AnAcAcAyAcAcAcAwAcAcAhA5 "-" /20150119/20150119-1712/20150119-171213-AnAcAcAyAcAcAcAwAcAcAhA5 0 1599 md5:45b812fe3048c79a14b4524d7e4976c9
[Wed Jan 28 08:58:32 2015] [2] [30569/7f8d140009c0] Invalid entry (failed to match regex): SZ-TEST-RD01 192.168.1.250 - - [19/Jan/2015:17:12:12 +0800] "POST /common/memberLogin.jsp HTTP/1.1" - 186 "http://www.352.com/\" "-" A6pcIpAcAcAcApAcAcAcAcAc "-" /20150119/20150119-1712/20150119-171212-A6pcIpAcAcAcApAcAcAcAcAc 0 1433 md5:1ea05ec580f1d19564908088138d47ed
[Wed Jan 28 08:58:33 2015] [2] [30569/7f8d14000ae0] Flagging server as errored after failure to submit entry AcJcAc9cAcAcAcAcAbAcAcAc with HTTP response code 403: Forbidden
[Wed Jan 28 08:58:33 2015] [2] [30569/7f8d14000c90] Flagging server as errored after failure to submit entry lcAcAcAcAcAcAcAcAcAcAcWc with HTTP response code 403: Forbidden
[Wed Jan 28 08:58:33 2015] [2] [30569/7f8d14000e40] Flagging server as errored after failure to submit entry AcAcJcAcAcAcAXgcAcAcAcAc with HTTP response code 403: Forbidden
[Wed Jan 28 08:58:33 2015] [2] [30569/7f8d14000ed0] Flagging server as errored after failure to submit entry AcZcAcAGAcArAeAcAcAcAcAc with HTTP response code 403: Forbidden
[Wed Jan 28 08:58:33 2015] [2] [30569/7f8d140009c0] Flagging server as errored after failure to submit entry AcAcAcAwActcAMAcAUAcAcAc with HTTP response code 403: Forbidden
[Wed Jan 28 08:58:33 2015] [3] [30569/0] No more data to read, emptying buffer: End of file found
[Wed Jan 28 08:58:33 2015] [3] [30569/7f8d206d4158] Running final transaction checkpoint.
[Wed Jan 28 08:58:33 2015] [3] [30569/0] ModSecurity Audit Log Collector 2.9.0-RC2 terminating normally.

freshman's question

1. We deployed ModSecurity as a component of Nginx. Can we use mlog2waffle to push the log from ModSecurity to WAF-FLE?
2. What does the sensor mean? Does the sensor mean ModSecurity?
3. Should mlog2waffle be deployed on the same server as ModSecurity?

Problem running waf-fle without APC installed

In the Readme file it is written that APC is supported. But waf-fle is not working without APC installed in the system. So I'd suggest putting APC in the requirements for installation, or adjusting the code so APC functions will not be used when APC is turned off by the configuration file.

Libinjection message parsing problem

I have installed the new ModSecurity 2.8. Everything is fine, but parsing of some events is a problem. I use the CRS/2.2.9 ruleset with libinjection rules for XSS and SQLi detection backported from the CRS 3.0.0_dev ruleset. Parsing messages with a detected XSS message is correct, but a message with SQLi detected is a problem. I am not able to change the message format. The message format is hardcoded in modsec.

Here is one sample of a message that is not parsed:
Message: detected SQLi using libinjection with fingerprint '1c' [file "/opt/ms/custom.conf"] [line "97"] [id "981261"] [rev "1"] [msg "SQL Injection Attack Detected via LibInjection"] [data "Matched Data: 1c found within REQUEST_COOKIES:searchParams: 0--SBPtS-y3nBHog"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "https://libinjection.client9.com/"]

I think there is one important change in this message compared to other messages: the dot after the message, before the [file part, is missing. I noticed from the code that the collector parser depends on that missing dot.

Snippet of a correctly parsed message with XSS detected via libinjection:
Message: detected XSS using libinjection. [file .....

Some improvement to the parser is needed regarding new versions of Modsecurity (>2.7.4).
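An added example (not waf-fle's parser) of reading the H-section "Message:" lines without depending on the "." before "[file": the free text is whatever precedes the first bracketed field, so the libinjection SQLi line from this issue and the dotted XSS form parse the same way. The XSS line, its rule id and its file path are constructed placeholders; the SQLi line is the one quoted above.

```python
import re

# One '[key "value"]' group; values may contain escaped quotes (\").
KV_RE = re.compile(r'\[(?P<key>[A-Za-z_]+) "(?P<value>(?:[^"\\]|\\.)*)"\]')
PREFIX = 'Message: '


def parse_message(line):
    """Parse one 'Message:' line into its free text and its [key "value"] fields.

    The free text is everything before the first bracketed field, so no
    trailing '.' is required; repeated 'tag' fields are collected in a list.
    """
    if not line.startswith(PREFIX):
        return None
    body = line[len(PREFIX):].strip()
    first = KV_RE.search(body)
    text = body[:first.start()] if first else body
    fields = {'message': text.rstrip(' .'), 'tags': []}
    for m in KV_RE.finditer(body):
        key, value = m['key'], m['value'].replace('\\"', '"')
        if key == 'tag':
            fields['tags'].append(value)
        else:
            fields[key] = value
    return fields


def parse_h_section(lines):
    """Collect every parsed 'Message:' line of an H part; other lines are ignored."""
    out = []
    for line in lines:
        parsed = parse_message(line.rstrip('\n'))
        if parsed is not None:
            out.append(parsed)
    return out


# The SQLi message quoted in the issue, verbatim.
SQLI_LINE = ('Message: detected SQLi using libinjection with fingerprint \'1c\' [file "/opt/ms/custom.conf"] '
             '[line "97"] [id "981261"] [rev "1"] [msg "SQL Injection Attack Detected via LibInjection"] '
             '[data "Matched Data: 1c found within REQUEST_COOKIES:searchParams: 0--SBPtS-y3nBHog"] '
             '[severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] '
             '[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] '
             '[tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [tag "https://libinjection.client9.com/"]')

# Constructed XSS message in the dotted form the issue says parses today (the
# issue only quotes its start); rule id and file path are placeholders.
XSS_LINE = ('Message: detected XSS using libinjection. [file "/path/to/rules.conf"] [line "1"] '
            '[id "000000"] [msg "XSS Attack Detected via LibInjection"] [severity "CRITICAL"] '
            '[tag "OWASP_CRS/WEB_ATTACK/XSS"]')

if __name__ == '__main__':
    for entry in parse_h_section([SQLI_LINE, 'Stopwatch: 0 0 (- - -)', XSS_LINE]):
        print(entry['message'], entry.get('id'), entry['tags'])
```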

cannot create new sensors with "Internal server error"

Hi,

I have implemented a new WAF-FLE installation on one of our servers to integrate it with ModSecurity, but when I try to create a new sensor for the first time, I get the error below:

```
[Sun Nov 03 19:19:21.241230 2019] [php7:warn] [pid 26166] [client 196.135.12.73:28184] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 1696, referer: http://0.0.0.0/waf-fle/login.php
[Sun Nov 03 19:19:21.242690 2019] [php7:warn] [pid 26166] [client 196.135.12.73:28184] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 176, referer: http://0.0.0.0/waf-fle/login.php
[Sun Nov 03 19:19:21.242948 2019] [php7:warn] [pid 26166] [client 196.135.12.73:28184] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 493, referer: http://0.0.0.0/waf-fle/login.php
[Sun Nov 03 19:19:21.243329 2019] [php7:warn] [pid 26166] [client 196.135.12.73:28184] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 433, referer: http://0.0.0.0/waf-fle/login.php
[Sun Nov 03 19:19:21.243583 2019] [php7:warn] [pid 26166] [client 196.135.12.73:28184] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 365, referer: http://0.0.0.0/waf-fle/login.php
[Sun Nov 03 19:19:21.243815 2019] [php7:warn] [pid 26166] [client 196.135.12.73:28184] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 399, referer: http://0.0.0.0/waf-fle/login.php
[Sun Nov 03 19:19:21.244395 2019] [php7:warn] [pid 26166] [client 196.135.12.73:28184] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/local/waf-fle/functions.php on line 278, referer: http://0.0.0.0/waf-fle/login.php
[Sun Nov 03 19:19:21.244576 2019] [php7:warn] [pid 26166] [client 196.135.12.73:28184] PHP Warning: Cannot modify header information - headers already sent by (output started at /usr/local/waf-fle/header.php:74) in /usr/local/waf-fle/functions.php on line 1535, referer: http://0.0.0.0/waf-fle/login.php
[Sun Nov 03 19:19:21.244587 2019] [php7:warn] [pid 26166] [client 196.135.12.73:28184] PHP Warning: Cannot modify header information - headers already sent by (output started at /usr/local/waf-fle/header.php:74) in /usr/local/waf-fle/functions.php on line 1536, referer: http://0.0.0.0/waf-fle/login.php
[Sun Nov 03 19:19:54.022040 2019] [php7:warn] [pid 26174] [client 196.135.12.73:28226] PHP Warning: Cannot modify header information - headers already sent by (output started at /usr/local/waf-fle/header.php:74) in /usr/local/waf-fle/functions.php on line 2502, referer: http://0.0.0.0/waf-fle/management.php?New=Sensor
[Sun Nov 03 19:19:54.022066 2019] [php7:warn] [pid 26174] [client 196.135.12.73:28226] PHP Warning: Cannot modify header information - headers already sent by (output started at /usr/local/waf-fle/header.php:74) in /usr/local/waf-fle/functions.php on line 2503, referer: http://0.0.0.0/waf-fle/management.php?New=Sensor
/var/log/apache2# Cannot modify header information - headers already sent by (output started at /usr/local/waf-fle/header.php:74) in /usr/local/waf-fle/functions.php on line 2503, referer: http://0.0.0.0/waf-fle/management.php?New=Sensor
```

Transaction ID can not be parsed from ModSecurity audit files on CentOS/Red Hat

My audit files do not match the format expected by waf-fle, they look like:

--74465f2d-A--
[30/Jun/2016:09:48:26 +0200] V3TOycCW2-NlccywEUMUtwAAABU 172.24.30.6 57673 172.24.30.6 80
--74465f2d-B--

While they look like this on another system (Ubuntu) with version 2.7.7:

--48598751-A--
[30/Jun/2016:10:20:47 +0200] V3TWXwoAKl4AAAeZgZMAAADu 180.76.15.158 60268 10.0.42.111 11180
--48598751-B--

This prevents this line from matching and makes the controller return "IPv6 not supported by now, sorry".

I just changed the expected length of the ID (from 24 to 27) and I guess you should make the regex less restrictive. Here is the diff I applied locally.

diff --git a/controller/index.php b/controller/index.php
index 5eb228d..2923253 100644
--- a/controller/index.php
+++ b/controller/index.php
@@ -85,7 +85,8 @@ while ( $line < $BodySize) {
             if (preg_match('/^\-\-[a-f0-9]+\-[BCEFHIKZ]\-\-$/i', trim($BODY[$line]))) {
                 break;
             } else {
-                if (preg_match('/^\[(\d{1,2})\/(\w{3})\/(\d{4})\:(\d{2}\:\d{2}\:\d{2})\s(\-\-\d{4}|\+\d{4})\]\s([a-zA-Z0-9\-\@]{24})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})/i',
+                if (preg_match('/^\[(\d{1,2})\/(\w{3})\/(\d{4})\:(\d{2}\:\d{2}\:\d{2})\s(\-\-\d{4}|\+\d{4})\]\s([a-zA-Z0-9\-\@]{27})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})\s([12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2})\s(\d{1,5})/i',
+
             trim($BODY[$line]), $matchesA)) {
                     $PhaseA['Day'] = $matchesA[1];
                     $months        = array(null, 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
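Review bot: the replacement pattern on the `+` line swaps the fixed length `{24}` for `{27}`, so entries from the Ubuntu/2.7.7 sensor quoted earlier in this issue (24-character `V3TWXwoAKl4AAAeZgZMAAADu`) will stop matching; use a range such as `[a-zA-Z0-9\-\@]{24,27}` (or `+`) so both Apache 2.2 and 2.4 IDs parse. The second added line is an empty `+` that splits the `preg_match(` call across a blank line; it compiles but is noise and should be dropped. Two problems in the unchanged part of the pattern are worth fixing in the same change: the offset alternative `(\-\-\d{4}|\+\d{4})` requires two dashes, so a negative UTC offset such as `-0500` can never match, and the four-octet groups admit only IPv4, which is why any non-matching line surfaces as the "IPv6 not supported" message the reporter quotes.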
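An added example (not waf-fle's controller code) of parsing the Phase A header line quoted in this issue and in the Apache/2.4.6 issue above: it accepts both the 24- and 27-character transaction IDs, either sign of UTC offset, and IPv4 or IPv6 addresses, and splits a whole concurrent audit-log entry into its lettered parts. The entry with the negative offset and IPv6 addresses is constructed; the two single lines are the ones quoted in the issue.

```python
import ipaddress
import re
from datetime import datetime

# Part boundary, e.g. "--74465f2d-A--"; the letter names the audit-log part.
BOUNDARY_RE = re.compile(r'^--[a-f0-9]+-(?P<part>[A-KZ])--$', re.IGNORECASE)

# Phase A header line. The transaction ID is Apache's UNIQUE_ID, 24 characters
# on Apache 2.2 and 27 on Apache 2.4, so a fixed length breaks one of them.
# The offset accepts either sign; addresses are validated separately so that
# IPv4 and IPv6 are both accepted.
PHASE_A_RE = re.compile(
    r'^\[(?P<stamp>\d{1,2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]'
    r'\s+(?P<txid>[A-Za-z0-9@_-]{24,27})'
    r'\s+(?P<client_ip>\S+)\s+(?P<client_port>\d{1,5})'
    r'\s+(?P<server_ip>\S+)\s+(?P<server_port>\d{1,5})\s*$'
)


def parse_phase_a(line):
    """Return the fields of a Phase A line as a dict, or None if it is malformed."""
    m = PHASE_A_RE.match(line.strip())
    if m is None:
        return None
    try:
        client_ip = ipaddress.ip_address(m['client_ip'])
        server_ip = ipaddress.ip_address(m['server_ip'])
        client_port, server_port = int(m['client_port']), int(m['server_port'])
        stamp = datetime.strptime(m['stamp'], '%d/%b/%Y:%H:%M:%S %z')
    except ValueError:
        return None
    if not (0 < client_port < 65536 and 0 < server_port < 65536):
        return None
    return {
        'timestamp': stamp,
        'txid': m['txid'],
        'client_ip': str(client_ip), 'client_port': client_port,
        'server_ip': str(server_ip), 'server_port': server_port,
    }


def split_audit_entry(text):
    """Split a concurrent audit-log entry into its parts, keyed by part letter."""
    parts, current = {}, None
    for raw in text.splitlines():
        b = BOUNDARY_RE.match(raw.strip())
        if b:
            current = b['part'].upper()
            parts.setdefault(current, [])
        elif current is not None:
            parts[current].append(raw)
    return parts


def parse_entry(text):
    """Parse the Phase A header of a whole entry; None when part A is absent or bad."""
    part_a = [l for l in split_audit_entry(text).get('A', []) if l.strip()]
    return parse_phase_a(part_a[0]) if part_a else None


# The two Phase A lines quoted in the issue (Apache 2.4 and Apache 2.2 sensors).
CENTOS_LINE = '[30/Jun/2016:09:48:26 +0200] V3TOycCW2-NlccywEUMUtwAAABU 172.24.30.6 57673 172.24.30.6 80'
UBUNTU_LINE = '[30/Jun/2016:10:20:47 +0200] V3TWXwoAKl4AAAeZgZMAAADu 180.76.15.158 60268 10.0.42.111 11180'

# Constructed entry: negative UTC offset and IPv6 addresses, neither of which
# the pattern in the controller accepts.
CONSTRUCTED_ENTRY = """--1a2b3c4d-A--
[16/Nov/2015:13:30:47 -0500] VknMSwoVAlIAAJQPqggAAAMf 2001:db8::10 50000 2001:db8::1 443
--1a2b3c4d-B--
GET /index.html HTTP/1.1
Host: example.test

--1a2b3c4d-Z--
"""

if __name__ == '__main__':
    for line in (CENTOS_LINE, UBUNTU_LINE):
        print(parse_phase_a(line))
    print(parse_entry(CONSTRUCTED_ENTRY))
```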

Filter page functionality DoS

When an attacker tries bad things on your web server and makes more than about 2000 requests, each with a unique Host header, he is able to cause a filter page malfunction that can be categorized as a DoS attack against waf-fle. Imagine that the attacker sends ten thousand requests and each request has a unique value. The filter page is generated via the filter.php script, which generates a list of unique hostnames and their ids on the page. In such a situation the generated page will have many more than 10000 lines. For example Firefox or Chrome won't process such a huge page (they strip the page after about the 2000th line with an HTML comment for security reasons), and you will only be able to see part of the filter page (up to the Sensor field).
So some improvements are needed. Changing the way the hostnames are pulled from the database would be desirable. For example it would be a better choice to let the user input the hostname instead of choosing from the list, but I have no idea right now how to do it when the filter is transforming the hostname to an id.

Waf-fle controller returns http response code 500

Hi,
thanks a lot to anyone who reads this, and even more to anyone who answers.
I am facing issues with the waf-fle controller sending HTTP response code 500, but I don't understand why.
Most of the entries my mlogc is sending to waf-fle (thanks to a crontab entry and mlogc-batch-load.pl) are correctly processed.

But for some entries it fails. Here is what I can see in the mlogc-error.log file for such a failing entry:

[Wed Nov 18 15:52:52 2015] [3] [27488/0] Configuring ModSecurity Audit Log Collector 2.7.2.
[Wed Nov 18 15:52:52 2015] [3] [27488/0] Delaying execution for 5000ms.
[Wed Nov 18 15:52:57 2015] [3] [27488/0] No more data to read, emptying buffer: End of file found
[Wed Nov 18 15:52:57 2015] [3] [27488/0] Waiting for queue to empty (1 active).
[Wed Nov 18 15:52:57 2015] [2] [27488/7f61bae39100] Flagging server as errored after failure to submit entry VknMSwoVAlIAAJQPqggAAAMf with HTTP response code 500: Internal Server Error
[Wed Nov 18 15:52:58 2015] [3] [27488/7f61bae67118] Running final transaction checkpoint.
[Wed Nov 18 15:52:58 2015] [3] [27488/0] ModSecurity Audit Log Collector 2.7.2 terminating normally.

Then I went to the apache/waf-fle side, set the Apache LogLevel to the maximum level I know (trace8), re-processed the failing entry, and here is what I have in the Apache log:

[Wed Nov 18 15:32:30.910135 2015] [http:trace4] [pid 12541] http_request.c(301): [client 10.21.2.82:37882] Headers received from client:
[Wed Nov 18 15:32:30.910136 2015] [http:trace4] [pid 12543] http_request.c(301): [client 10.21.2.82:37883] Headers received from client:
[Wed Nov 18 15:32:30.910227 2015] [http:trace4] [pid 12541] http_request.c(305): [client 10.21.2.82:37882] Authorization: Basic d2ViMDY6d2FmZmxl
[Wed Nov 18 15:32:30.910244 2015] [http:trace4] [pid 12543] http_request.c(305): [client 10.21.2.82:37883] Authorization: Basic d2ViMDY6d2FmZmxl
[Wed Nov 18 15:32:30.910246 2015] [http:trace4] [pid 12541] http_request.c(305): [client 10.21.2.82:37882] Host: 10.21.0.87
[Wed Nov 18 15:32:30.910255 2015] [http:trace4] [pid 12543] http_request.c(305): [client 10.21.2.82:37883] Host: 10.21.0.87
[Wed Nov 18 15:32:30.910259 2015] [http:trace4] [pid 12541] http_request.c(305): [client 10.21.2.82:37882] Accept: /
[Wed Nov 18 15:32:30.910264 2015] [http:trace4] [pid 12543] http_request.c(305): [client 10.21.2.82:37883] Accept: /
[Wed Nov 18 15:32:30.910267 2015] [http:trace4] [pid 12541] http_request.c(305): [client 10.21.2.82:37882] X-Content-Hash: md5:a114d59967993c29317814d5592a818a
[Wed Nov 18 15:32:30.910271 2015] [http:trace4] [pid 12543] http_request.c(305): [client 10.21.2.82:37883] X-Content-Hash: md5:a114d59967993c29317814d5592a818a
[Wed Nov 18 15:32:30.910276 2015] [http:trace4] [pid 12541] http_request.c(305): [client 10.21.2.82:37882] X-ForensicLog-Summary: chgva-srv-web06 10.21.26.42 - - [16/Nov/2015:13:30:47 +0100] "GET /images/aqua_send_btn_off.gif HTTP/1.1" 200 208 "http://members/css/mscnet3_aqua.css\" "-" VknMSwoVAlIAAJQPqggAAAMf "-" /20151116/20151116-1330/20151116-133033-VknMSwoVAlIAAJQPqggAAAMf 0 4078 md5:a114d59967993c29317814d5592a818a
[Wed Nov 18 15:32:30.910281 2015] [http:trace4] [pid 12543] http_request.c(305): [client 10.21.2.82:37883] X-ForensicLog-Summary: chgva-srv-web06 10.21.26.42 - - [16/Nov/2015:13:30:47 +0100] "GET /images/aqua_send_btn_off.gif HTTP/1.1" 200 208 "http://members/css/mscnet3_aqua.css\" "-" VknMSwoVAlIAAJQPqggAAAMf "-" /20151116/20151116-1330/20151116-133033-VknMSwoVAlIAAJQPqggAAAMf 0 4078 md5:a114d59967993c29317814d5592a818a
[Wed Nov 18 15:32:30.910286 2015] [http:trace4] [pid 12541] http_request.c(305): [client 10.21.2.82:37882] Content-Length: 4078
[Wed Nov 18 15:32:30.910290 2015] [http:trace4] [pid 12543] http_request.c(305): [client 10.21.2.82:37883] Content-Length: 4078
[Wed Nov 18 15:32:30.910507 2015] [authz_core:debug] [pid 12541] mod_authz_core.c(802): [client 10.21.2.82:37882] AH01626: authorization result of Require all granted: granted
[Wed Nov 18 15:32:30.910520 2015] [authz_core:debug] [pid 12541] mod_authz_core.c(802): [client 10.21.2.82:37882] AH01626: authorization result of : granted
[Wed Nov 18 15:32:30.910519 2015] [authz_core:debug] [pid 12543] mod_authz_core.c(802): [client 10.21.2.82:37883] AH01626: authorization result of Require all granted: granted
[Wed Nov 18 15:32:30.910529 2015] [core:trace3] [pid 12541] request.c(293): [client 10.21.2.82:37882] request authorized without authentication by access_checker_ex hook: /waf-fle/controller/
[Wed Nov 18 15:32:30.910535 2015] [authz_core:debug] [pid 12543] mod_authz_core.c(802): [client 10.21.2.82:37883] AH01626: authorization result of : granted
[Wed Nov 18 15:32:30.910544 2015] [core:trace3] [pid 12543] request.c(293): [client 10.21.2.82:37883] request authorized without authentication by access_checker_ex hook: /waf-fle/controller/
[Wed Nov 18 15:32:30.910618 2015] [authz_core:debug] [pid 12541] mod_authz_core.c(802): [client 10.21.2.82:37882] AH01626: authorization result of Require all granted: granted
[Wed Nov 18 15:32:30.910642 2015] [authz_core:debug] [pid 12543] mod_authz_core.c(802): [client 10.21.2.82:37883] AH01626: authorization result of Require all granted: granted
[Wed Nov 18 15:32:30.910665 2015] [authz_core:debug] [pid 12541] mod_authz_core.c(802): [client 10.21.2.82:37882] AH01626: authorization result of : granted
[Wed Nov 18 15:32:30.910670 2015] [authz_core:debug] [pid 12543] mod_authz_core.c(802): [client 10.21.2.82:37883] AH01626: authorization result of : granted
[Wed Nov 18 15:32:30.910673 2015] [core:trace3] [pid 12541] request.c(293): [client 10.21.2.82:37882] request authorized without authentication by access_checker_ex hook: /waf-fle/controller/index.php
[Wed Nov 18 15:32:30.910678 2015] [core:trace3] [pid 12543] request.c(293): [client 10.21.2.82:37883] request authorized without authentication by access_checker_ex hook: /waf-fle/controller/index.php
[Wed Nov 18 15:32:30.926040 2015] [http:trace3] [pid 12541] http_filters.c(979): [client 10.21.2.82:37882] Response sent with status 500, headers:
[Wed Nov 18 15:32:30.926124 2015] [http:trace5] [pid 12541] http_filters.c(986): [client 10.21.2.82:37882] Date: Wed, 18 Nov 2015 14:32:30 GMT
[Wed Nov 18 15:32:30.926134 2015] [http:trace5] [pid 12541] http_filters.c(989): [client 10.21.2.82:37882] Server: Apache/2.4.7 (Ubuntu)
[Wed Nov 18 15:32:30.926147 2015] [http:trace4] [pid 12541] http_filters.c(808): [client 10.21.2.82:37882] X-Powered-By: PHP/5.5.9-1ubuntu4.14
[Wed Nov 18 15:32:30.926156 2015] [http:trace4] [pid 12541] http_filters.c(808): [client 10.21.2.82:37882] Status: 500
[Wed Nov 18 15:32:30.926165 2015] [http:trace4] [pid 12541] http_filters.c(808): [client 10.21.2.82:37882] Content-Length: 37
[Wed Nov 18 15:32:30.926180 2015] [http:trace4] [pid 12541] http_filters.c(808): [client 10.21.2.82:37882] Connection: close
[Wed Nov 18 15:32:30.926199 2015] [http:trace4] [pid 12541] http_filters.c(808): [client 10.21.2.82:37882] Content-Type: text/html
[Wed Nov 18 15:32:30.928665 2015] [http:trace3] [pid 12543] http_filters.c(979): [client 10.21.2.82:37883] Response sent with status 500, headers:
[Wed Nov 18 15:32:30.928785 2015] [http:trace5] [pid 12543] http_filters.c(986): [client 10.21.2.82:37883] Date: Wed, 18 Nov 2015 14:32:30 GMT
[Wed Nov 18 15:32:30.928801 2015] [http:trace5] [pid 12543] http_filters.c(989): [client 10.21.2.82:37883] Server: Apache/2.4.7 (Ubuntu)
[Wed Nov 18 15:32:30.928821 2015] [http:trace4] [pid 12543] http_filters.c(808): [client 10.21.2.82:37883] X-Powered-By: PHP/5.5.9-1ubuntu4.14
[Wed Nov 18 15:32:30.928861 2015] [http:trace4] [pid 12543] http_filters.c(808): [client 10.21.2.82:37883] Status: 500
[Wed Nov 18 15:32:30.928872 2015] [http:trace4] [pid 12543] http_filters.c(808): [client 10.21.2.82:37883] Content-Length: 37
[Wed Nov 18 15:32:30.928880 2015] [http:trace4] [pid 12543] http_filters.c(808): [client 10.21.2.82:37883] Connection: close
[Wed Nov 18 15:32:30.928888 2015] [http:trace4] [pid 12543] http_filters.c(808): [client 10.21.2.82:37883] Content-Type: text/html

We effectively see status code 500, but no clue about why...

In case it would help, here is the failing entry:

root webxx modsec_audit2 # more /tmp/modsec_audit2/20151116/20151116-1330/20151116-133033-VknMSwoVAlIAAJQPqggAAAMf
--b5e5e93b-A--
[16/Nov/2015:13:30:47 +0100] VknMSwoVAlIAAJQPqggAAAMf 10.21.26.42 65343 10.21.2.82 80
--b5e5e93b-B--
GET /images/aqua_send_btn_off.gif HTTP/1.1
Host: myhostfake
Connection: keep-alive
Accept: image/webp,/;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Referer: http://myhostfake/css/mscnet3_aqua.css
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: style=mscnet3_aqua; fontsize=100
X-Forwarded-For: 10.21.26.42

--b5e5e93b-F--
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 03 Aug 2015 20:22:26 GMT
Accept-Ranges: bytes
Content-Length: 208
Cache-Control: no-cache, no-store
Vary: Accept-Encoding,Cookie,Keep-Alive
Keep-Alive: timeout=10, max=63
Connection: Keep-Alive
Content-Type: image/gif

--b5e5e93b-H--
Message: Failed deleting collection (name "ip", key "10.21.26.245_f89688380f162addd43fa6ff3e64dda3e89224c5"): Internal error
Stopwatch: 1447677003975698 43899029 (- - -)
Stopwatch2: 1447677003975698 43899029; combined=806633, p1=1177, p2=0, p3=0, p4=0, p5=402730, sr=109, sw=1, l=0, gc=402725
Producer: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.7.
Server: Apache/2.2.22 (Ubuntu) PHP/5.4.21 mod_ssl/2.2.22 OpenSSL/1.0.1

--b5e5e93b-K--
SecAction "phase:1,auditlog,id:691,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"

SecAction "phase:1,auditlog,id:9002,t:none,setvar:tx.inbound_anomaly_score_level=10,nolog,pass"

SecAction "phase:1,auditlog,id:9003,t:none,setvar:tx.outbound_anomaly_score_level=4,nolog,pass"

SecAction "phase:1,auditlog,id:9004,t:none,setvar:tx.anomaly_score_blocking=on,nolog,pass"

SecAction "phase:1,auditlog,id:9006,t:none,setvar:tx.max_num_args=255,nolog,pass"

SecAction "phase:1,auditlog,id:9007,t:none,setvar:tx.arg_name_length=100,nolog,pass"

SecAction "phase:1,auditlog,id:9008,t:none,setvar:tx.arg_length=400,nolog,pass"

SecAction "phase:1,auditlog,id:9009,t:none,setvar:tx.total_arg_length=64000,nolog,pass"

SecAction "phase:1,auditlog,id:900012,t:none,setvar:'tx.allowed_methods=GET POST',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"

SecAction "phase:1,auditlog,id:900014,t:none,setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php',setvar:tx.brute_force_burst_time_slice=60,setvar:tx.brute_force_counter_threshold=10,setvar:tx.brute_force_block_timeout=300,nolog,pass"

SecAction "phase:1,auditlog,id:900015,t:none,setvar:tx.dos_burst_time_slice=60,setvar:tx.dos_counter_threshold=300,setvar:tx.dos_block_timeout=600,nolog,pass"

SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,auditlog,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"

SecRule "REQUEST_HEADERS:x-forwarded-for" "@rx ^\b(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\b" "phase:1,auditlog,id:900019,t:none,capture,setvar:tx.real_ip=%{tx.1},nolog,pass"

SecRule "&TX:REAL_IP" "!@eq 0" "phase:1,auditlog,id:900020,t:none,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash},nolog,pass"

SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:1,log,auditlog,msg:'GET or HEAD Request with Body Content.',severity:2,id:960011,ver:OWASP_CRS/2.2.7,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"

I noticed in the H section the following:
Message: Failed deleting collection (name "ip", key "10.21.26.245_f89688380f162addd43fa6ff3e64dda3e89224c5"): Internal error

but it is not clear to me what it means, nor whether it could be the reason why waf-fle then sends a 500 as well.

Any help would be much appreciated.
With regards
