I made some progress...

If I just run these rules, the request body is only recorded when a POST request results in an ERROR 400 (meaning only incorrect logins/passwords are logged):
# Do not log any GET or HEAD requests
SecRule REQUEST_METHOD "@pm GET HEAD" "id:'999001',chain,phase:1,t:none,nolog,pass"
        SecRule REQUEST_URI "!@contains ?" "chain"
                SecRule &ARGS "@eq 0" "chain"
                        SecRule &REQUEST_HEADERS:Content-Length|&REQUEST_HEADERS:Content-Type "@eq 0" "ctl:ruleEngine=Off,ctl:auditEngine=Off"

# Ignore apache dummy connections
SecRule REQUEST_LINE "@streq OPTIONS * HTTP/1.0" "id:'999002',phase:1,chain,t:none,nolog,pass"
        SecRule REMOTE_ADDR "^(::1|127\.0\.0\.1)$" "chain"
                SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none"
                        SecRule &REQUEST_HEADERS:Host "@eq 0" "deny,log,status:400,id:08,severity:4,msg:'Missing a Host Header'"
                        SecRule &REQUEST_HEADERS:Accept "@eq 0" "log,deny,status:400,id:15,msg:'Request Missing an Accept Header'"


# Force the REQUEST_BODY variable to contain the JSON body based on the Content-Type header
SecRule REQUEST_HEADERS:Content-Type "jsonrequest" "phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On"

# Remove audit log part C (request body) if a password field is found in the JSON request body.
# The whole operator is quoted and the inner double quotes are escaped so Apache passes it as one argument.
SecRule REQUEST_BODY "@rx ^\{(?:.*)\"password\":\"(.*?)\"\}$" "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-C"


However, if I also include these rules, POST request bodies containing passwords are logged, because when my page loads it always has an error 400 (due to the JS making a request for a session variable that isn't assigned yet... which makes IP.logflag=1):
# IP Address Tracking
SecAction "id:'500001',phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

#Start logging everything coming from an IP address after a single
#rule match. To achieve that, we set the flag IP.logflag for up to one hour (3600 seconds):
SecRule HIGHEST_SEVERITY "@gt 0" \
"id:'500003',phase:5,nolog,pass,setvar:ip.logflag=1,expirevar:ip.logflag=3600,setvar:ip.logflag_hash=%{unique_id}"

#Detect the flag and force logging:
SecRule IP:logflag "@gt 0" \
"id:'500005',phase:5,log,msg:'Transaction Logged Due to Previous Rule Match.',logdata:'%{ip.logflag_hash}',pass,ctl:auditEngine=On"


Do I need to chain the IP address tracking rules with the ignore password rule or something?  



On Thu, Oct 10, 2013 at 3:32 PM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:
On Thu, Oct 10, 2013 at 8:28 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:

--983ddd49-K--

Hi Steve.

I don't see rules 1001 and 1002 in section K. Can you increase the debug log to 9, rerun the JSON request and verify that those rules are run?

Thanks,

--
 - Josh
 
SecAction "phase:1,auditlog,id:500001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

SecAction "phase:1,auditlog,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"

SecAction "phase:1,auditlog,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"

SecAction "phase:1,auditlog,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=5,setvar:tx.outbound_anomaly_score_level=4,nolog,pass"

SecAction "phase:1,auditlog,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"

SecAction "phase:1,auditlog,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS DELETE',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"

SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,auditlog,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"

SecRule "&TX:REAL_IP" "@eq 0" "phase:1,auditlog,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"

SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:1,nolog,auditlog,msg:'POST request missing Content-Length Header.',severity:4,id:960012,ver:OWASP_CRS/2.2.8,rev:1,maturity:9,accuracy:9,block,logdata:%{matched_var},t:none,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,chain"
#SecRule "&REQUEST_HEADERS:Content-Length" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,nolog,auditlog,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960010,tag:OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:2,logdata:%{matched_var}"
SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "chain,capture"
#SecRule "TX:0" "!@rx ^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

SecRule "&REQUEST_HEADERS:Pragma" "@eq 1" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:6,accuracy:8,t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:5,id:960020,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"
#SecRule "&REQUEST_HEADERS:Cache-Control" "@eq 0" "chain"
#SecRule "REQUEST_PROTOCOL" "@streq HTTP/1.1" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,block,msg:'Request Missing an Accept Header',severity:5,id:960015,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10"
#SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,nolog,auditlog,chain,rev:1,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,block,msg:'Request Has an Empty Accept Header',severity:5,id:960021,tag:OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"
#SecRule "REQUEST_HEADERS:Accept" "@rx ^$" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecRule "&TX:MAX_NUM_ARGS" "@eq 1" "phase:2,nolog,auditlog,chain,t:none,block,msg:'Too many arguments in request',id:960335,severity:4,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
#SecRule "&ARGS" "@gt %{tx.max_num_args}" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_HEADERS_NAMES" "@rx ^(.*)$" "phase:2,nolog,auditlog,chain,t:none,block,msg:'HTTP header is restricted by policy',rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:960038,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:OWASP_CRS/POLICY/FILES_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,severity:4,logdata:%{matched_var},capture,setvar:tx.header_name=/%{tx.0}/"
#SecRule "TX:HEADER_NAME" "@within %{tx.restricted_headers}" "setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

SecRule "REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,auditlog,id:981133,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"

SecRule "&TX:PM_XSS_SCORE" "@eq 0" "phase:2,auditlog,id:981018,t:none,skipAfter:END_XSS_CHECK,nolog"

SecRule "REQUEST_METHOD" "@streq POST" "phase:2,auditlog,chain,id:981022,t:none,pass,nolog"
#SecRule "REQUEST_HEADERS:User-Agent" "@contains Adobe Flash Player" "chain,t:none"
#SecRule "REQUEST_HEADERS:X-Flash-Version" "@rx .*" "chain,t:none"
#SecRule "REQUEST_HEADERS:Content-Type" "@contains application/x-amf" "chain,t:none"
#SecRule "TX:'/PROTOCOL_VIOLATION\\\\/MISSING_HEADER/'" "@rx .*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}"

SecRule "REQUEST_METHOD" "@streq POST" "phase:2,auditlog,chain,t:none,log,block,id:2100000,msg:'SLR: Possible Elevation of Privilege Attack against .Net.',tag:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3416,tag:http://technet.microsoft.com/en-us/security/bulletin/ms11-100"
#SecRule "REQUEST_FILENAME" "@contains /Membership/CreatingUserAccounts.aspx" "chain"
#SecRule "ARGS:/\\$CreateUserStepContainer\\$UserName$/" "@validateByteRange 1-255" "t:urlDecodeUni"

SecRule "RESPONSE_BODY" "!@pm iframe" "phase:4,auditlog,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:6,id:981177,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK"

SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" "phase:4,auditlog,rev:2,ver:OWASP_CRS/2.2.8,maturity:9,accuracy:9,id:981178,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"

SecRule "HIGHEST_SEVERITY" "@gt 0" "phase:5,auditlog,id:500003,nolog,pass,setvar:IP.logflag=1,expirevar:ip.logflag=3600,setvar:ip.logflag_hash=%{unique_id}"

SecRule "IP:logflag" "@gt 0" "phase:5,auditlog,id:500005,log,msg:'Transaction Logged Due to Previous Rule Match.',logdata:%{ip.logflag_hash},pass,ctl:auditEngine=On"


--983ddd49-Z--




On Thu, Oct 10, 2013 at 10:58 AM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:
On Thu, Oct 10, 2013 at 4:38 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:


How can I incorporate the rules you suggested with rules 500001-50005?


Hi Steve,

I just tested (only) the rules above and did not see the password in the audit log. Can you send me section K of an audit log using these rules that contain the password?

Thanks,

--
 - Josh
 


On Wed, Oct 9, 2013 at 3:24 PM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:
On Wed, Oct 9, 2013 at 9:10 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:
Thanks!

I came up with this rule:
SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$" "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"


Hi Steve,

A couple thoughts:

1. REQUEST_BODY won't have the JSON request in it unless you enable forceRequestBodyVariable beforehand in phase 1.

2. Your rule can only have two or three arguments. You can group your arguments together using quotes, but if your regex includes quotes you need to escape them.

3. If all you want to do is check if the JSON body contains the string password then you can simplify your rule as follows:

# Force the REQUEST_BODY variable to contain the JSON body based on the Content-Type header
SecRule REQUEST_HEADERS:Content-Type "jsonrequest" "phase:1,id:1001,nolog,t:none,pass,ctl:forceRequestBodyVariable=On"

# Search for the string 'password' in the request body and disable audit log parts C and I
SecRule REQUEST_BODY "password" "phase:2,id:'1002',nolog,pass,ctl:auditLogParts=-CI,msg:'User sent password'"

--
 - Josh
 
But am receiving this error:
Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf:
SecRule takes two or three arguments, rule target, operator and optional action list


On Wed, Oct 9, 2013 at 9:58 AM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:
On Wed, Oct 9, 2013 at 4:02 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:
Thanks, I saw that and it looks great but I can't implement it on a prod environment.

Right now I'm toying with:
SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"

But I'm not sure how to replace the matched value with the character *


Hi Steve,

I think the only current solution is to use the ctl action to remove logging the request body entirely if it holds sensitive data. Kind of an all or nothing approach until the patch makes its way into the stable branch.

--
 - Josh
 

On Wed, Oct 9, 2013 at 8:06 AM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:
On Wed, Oct 9, 2013 at 2:28 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:
I'll answer my own question.  The body has JSON which is not processed by sanitiseArg.


Hi Steve,

Not sure how stable this is yet, but take a look at: https://www.modsecurity.org/tracker/browse/MODSEC-253
Perhaps with the patch you could use sanitiseMatched.

--
 - Josh
 

On Tue, Oct 8, 2013 at 12:10 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:
I am unable to sanitize a password in the request body.

--2a688459-C-- {"username":"someuser","password":"somepassword"}

What I've tried:
SecAction "phase:2,id:131,nolog,pass,sanitiseArg:password"
SecAction "phase:5,id:131,nolog,pass,sanitiseArg:password"
SecRule ARGS_NAMES password nolog,pass,id:132,sanitiseMatched

Any suggestions?
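Since sanitiseArg did not cover JSON bodies at the time, one defender-side alternative is to redact the secret after the fact, when the native audit log is shipped or archived. The following Python is an added example, not code from this thread or from ModSecurity: it parses the --<id>-<part>-- section boundaries shown in the log excerpts above, masks sensitive JSON values in parts C and I with asterisks (the visible effect sanitiseArg has on form arguments), and also checks the thread's REQUEST_BODY regex against bodies with and without whitespace. The sample log entry, its addresses and the unique-id token are constructed placeholders; SENSITIVE_KEYS is an assumed list to extend for the application.

```python
import json
import re

# Boundary line of the native audit log format: --<transaction id>-<part letter>--
BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

# The REQUEST_BODY regex from the thread, as Python compiles it (inner quotes unescaped).
THREAD_PASSWORD_RE = re.compile(r'^\{(?:.*)"password":"(.*?)"\}$')

# Assumed set of keys whose values get masked; extend with the application's own field names.
SENSITIVE_KEYS = frozenset({"password", "passwd", "new_password", "old_password"})

# Constructed sample entry (not a real log); the -A- line holds placeholder values.
SAMPLE_AUDIT_LOG = """--2a688459-A--
[08/Oct/2013:12:10:00 --0500] UNIQUE_ID_PLACEHOLDER 192.0.2.10 51234 192.0.2.1 80
--2a688459-B--
POST /login HTTP/1.1
Host: example.test
Content-Type: application/json
Content-Length: 49

--2a688459-C--
{"username":"someuser","password":"somepassword"}
--2a688459-F--
HTTP/1.1 400 Bad Request
Content-Type: application/json

--2a688459-Z--

"""


def thread_rule_matches(body: str) -> bool:
    """True if the thread's REQUEST_BODY regex would fire on this body."""
    return THREAD_PASSWORD_RE.search(body) is not None


def _mask(value) -> str:
    # One asterisk per character, so the field length stays visible for debugging.
    return "*" * len(str(value))


def redact_json_secrets(body: str) -> str:
    """Mask sensitive values in a JSON body; fall back to a regex for non-JSON text."""
    try:
        data = json.loads(body)
    except ValueError:
        # Not valid JSON (truncated body, mixed content): mask "password":"..." textually.
        return re.sub(r'("password"\s*:\s*")([^"]*)(")',
                      lambda m: m.group(1) + _mask(m.group(2)) + m.group(3), body)

    def walk(node):
        if isinstance(node, dict):
            return {k: (_mask(v) if k.lower() in SENSITIVE_KEYS else walk(v))
                    for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node

    return json.dumps(walk(data), separators=(",", ":"))


def split_audit_entries(text: str) -> list:
    """Parse native-format audit log text into [(txn_id, {part_letter: [lines]}), ...]."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            txn_id, part = m.groups()
            if current is None or current[0] != txn_id:
                current = (txn_id, {})
                entries.append(current)
            current[1][part] = []
            continue
        if current is not None and part is not None:
            current[1][part].append(line)
    return entries


def redact_audit_log(text: str) -> str:
    """Rewrite the log with the request body (C) and final body (I) parts redacted."""
    out = []
    for txn_id, parts in split_audit_entries(text):
        for part, lines in parts.items():
            out.append(f"--{txn_id}-{part}--")
            if part in ("C", "I"):
                body = "\n".join(lines).strip()
                out.append(redact_json_secrets(body) if body else "")
            else:
                out.extend(lines)
    return "\n".join(out) + "\n"
```

Run `redact_audit_log` over a rotated audit log before it leaves the host; the regex check shows that a body such as `{"username": "someuser", "password": "somepassword"}` (space after the colon) is not matched by the thread's pattern, so a ctl rule keyed on it would leave part C intact.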


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
