We are having an issue ever since Apple release the update for Safari 6 where client's using the browser are filling up our Apache logs with entries like the following in the SSL error log for the webapp:
[20/Jan/2013:23:55:21 -0500] "GET /WebAdvisorST/WebAdvisor?TYPE=M&PID=CORE-WBMAIN&TOKENIDX=4861441791 HTTP/1.1" 200 320 "https://mycollege2.cpcc.edu/WebAdvisorST/WebAdvisor?TYPE=M&PID=CORE-WBMAIN&TOKENIDX=4861441791" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17"
These entries occur multiple times a second for 10 minute spans of time and then repeat. At first we though we had DDoS attack and we began blacklisting IP addresses on the firewall. Then we found that the entries started when Apple release Safari 6. We had two options at the time as we were under time constraints. One was to put a proxy in place and deny all traffic from Safari, and the other was to sanitize the logs in order to free up storage space via cron.
We have now updated our servers, converted from Debian to Ubuntu(12.04.1 LTS), upgraded Apache(2.2.22) and are using modsecurity 2.6.3. Now we are getting entries like the following in the mod_security log causing it to fill up 12GB+ of space:
Message: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/apache2/modsecurity_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]
From what I can tell, the modsecurity log entries correspond to the apache entries caused by the Safari browser. The CSRF rule is an optional rule in modsecurity so I had considered disabling it to resolve the log issues, but I was hoping that I could find a fix for the root cause, Safari.
There has to be other people out there who have experienced similar issues. I'm hoping that there is some patch I'm missing, or some workaround that I need to put in place. Any ideas, or do you need any more detailed info to help troubleshoot?