mod-security-users Mailing List for ModSecurity (Page 3)
Brought to you by:
victorhora,
zimmerletw
From: homesh j. <ho...@gm...> - 2022-12-14 03:02:38

Thank you Christian.

On Wed, 14 Dec, 2022, 3:46 am Christian Folini, <chr...@ne...> wrote:
> Hi there,
>
> We looked at it from a CRS perspective.
>
> Detection is spotty at paranoia level 1, but CRS detects all the payloads
> at PL2. There is a pull request that aims to detect everything at PL1.
>
> https://github.com/coreruleset/coreruleset/pull/3055
>
> Best,
>
> Christian
>
> On Tue, Dec 13, 2022 at 09:30:21PM +0530, homesh joshi wrote:
> > Hi All,
> >
> > Has anyone tested the new method mentioned here
> > https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
> >
> > Has anyone successfully blocked the same with modsec?
> >
> > Thanks,
> > Homesh
> >
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
From: Christian F. <chr...@ne...> - 2022-12-13 22:11:26

Hi there,

We looked at it from a CRS perspective.

Detection is spotty at paranoia level 1, but CRS detects all the payloads at PL2. There is a pull request that aims to detect everything at PL1.

https://github.com/coreruleset/coreruleset/pull/3055

Best,

Christian

On Tue, Dec 13, 2022 at 09:30:21PM +0530, homesh joshi wrote:
> Hi All,
>
> Has anyone tested the new method mentioned here
> https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
>
> Has anyone successfully blocked the same with modsec?
>
> Thanks,
> Homesh
From: homesh j. <ho...@gm...> - 2022-12-13 16:10:31

Hi All,

for a simplified version of the method refer to https://www.imperva.com/blog/abusing-json-based-sql/

Thanks,
Homesh

On Tue, Dec 13, 2022 at 9:30 PM homesh joshi <ho...@gm...> wrote:
> Hi All,
>
> Has anyone tested the new method mentioned here
> https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
>
> Has anyone successfully blocked the same with modsec?
>
> Thanks,
> Homesh
From: homesh j. <ho...@gm...> - 2022-12-13 16:00:43

Hi All,

Has anyone tested the new method mentioned here
https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf

Has anyone successfully blocked the same with modsec?

Thanks,
Homesh
From: Christian F. <chr...@ne...> - 2022-11-13 10:10:20

Yes, we do (-> tx.allowed_http_versions in crs-setup.conf), but 920280 triggers regardless of the HTTP version used. This is apparently not overly exact, but HTTP/1.0 is relatively rare and it's easy to do a rule exclusion.

We could extend 920280 with a chained check for the version without too much cost, I guess.

Best,

Christian

On Sun, Nov 13, 2022 at 09:59:09AM +0100, az...@po... wrote:
> Is that correct behavior as HTTP/1.0 does not require Host header to be
> present? Do we support HTTP/1.0 in CRS?
>
> Citát Ervin Hegedüs <ai...@gm...>:
>
> > hey,
> >
> > On Sat, Nov 12, 2022 at 06:33:02PM -0600, Arlen Walker wrote:
> > > What’s the current paranoia level set to? Some levels require a Host
> > > header to be present.
> >
> > just for my 2 cents: rule 920280 checks that Host header is
> > present or not, 920290 checks that it's not empty.
> >
> > Furthermore, rule 920350 checks that Host header can't be
> > numeric (eg. an IPv4 or IPv6 format address).
> >
> > All of them activated on *PL1*, so we can say PL settings do not
> > play here.
> >
> > https://crsdoc.digitalwave.hu/?v=v3.3.2&f=1&_trg=107%2C106
> >
> > (See the "Paranoia level" field in the tables)
> >
> > a.
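The two approaches Christian mentions, written out as an added example (this is editor-supplied illustration, not code from the CRS project or from anyone on the thread). The first is the rule exclusion: a runtime `ctl` rule in the CRS "before" exclusion file that switches 920280 off only for HTTP/1.0 transactions. The second sketches the chained variant, where the missing-Host check itself is restricted to non-HTTP/1.0 requests. Rule ids 10101 and 10102 are placeholders in the local id range, and the `&REQUEST_HEADERS:Host "@eq 0"` test is my reconstruction of how the missing-Host check is expressed, not a copy of the shipped rule.

```apache
# Added example, not part of CRS. Intended for
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, which is included ahead of the
# CRS rule files so that a phase-1 ctl action is applied before 920280 runs.

# Option 1: runtime rule exclusion.
# For HTTP/1.0 requests only, remove rule 920280 ("Request Missing a Host
# Header") from this transaction. HTTP/1.1 and HTTP/2 requests are still
# checked as usual. Id 10101 is a placeholder.
SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" \
    "id:10101,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920280"

# Option 2: the chained form, as a stand-alone local rule.
# The first SecRule matches when no Host header is present at all; the chained
# SecRule only matches when the protocol is not HTTP/1.0. Both must match for
# the rule to fire, so an HTTP/1.0 request without Host passes silently while
# an HTTP/1.1 request without Host is logged and scored at PL1 with CRS's
# warning score. Do not combine this with Option 1 left at its default, or the
# request is scored twice (once here, once by 920280). Id 10102 is a placeholder.
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:10102,\
    phase:1,\
    pass,\
    t:none,\
    log,\
    msg:'Request Missing a Host Header (non-HTTP/1.0)',\
    severity:'WARNING',\
    chain"
    SecRule REQUEST_PROTOCOL "!@streq HTTP/1.0" \
        "t:none,\
        setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
```

Option 1 is the quick local fix for the situation in the thread; Option 2 shows what a version-aware 920280 would have to look like. Either way, verify the result with two curl requests (one `--http1.0` without a Host header, one HTTP/1.1 without it) and confirm that only the second produces an audit-log entry.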
From: Ervin H. <ai...@gm...> - 2022-11-13 09:52:33

Hi,

On Sun, Nov 13, 2022 at 09:59:09AM +0100, az...@po... wrote:
> Is that correct behavior as HTTP/1.0 does not require Host header to be
> present?

No, I think it's not. (I just answered for the PL-related part of the mail)

> Do we support HTTP/1.0 in CRS?

well, I think it's a "hard" question, because we allow it:

https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-901-INITIALIZATION.conf#L204

but it looks like we do not care about the special cases, eg. HTTP/1.0 does not need the Host header.

Look at the RFC:

https://www.rfc-editor.org/rfc/rfc2616.html#page-128
https://www.rfc-editor.org/rfc/rfc2616.html#section-19.6.1

The RFC says:

"The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL."

It does not say that "Host" is NOT mandatory in case of HTTP/1.0, it just says "Host" is mandatory in case of HTTP/1.1. The quoted part above from the RFC means that if you use a hosted server, clients need to send "Host" to identify the resource - so, is it mandatory? :)

Furthermore: I don't remember when SNI came (for HTTPS - I mean, was HTTP/1.0 still used then?), but I think in case of using SNI, the "Host" header is needed, no matter what HTTP version you use (correct me if I'm wrong).

Furthermore+: I found one more reference about HTTP/2. Looks like the "Host" header isn't mandatory there either, because the ":authority" header can replace it:

https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.3

Maybe we can fix this. A somewhat similar problem is the checking of the CL header in case of HTTP/2 (where CL isn't mandatory either):

https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L223-L245

First of all, it would be fine to open an issue on GH, and add it to the list of monthly chat topics.

a.
From: <az...@po...> - 2022-11-13 08:59:25

Is that correct behavior as HTTP/1.0 does not require Host header to be present? Do we support HTTP/1.0 in CRS?

Citát Ervin Hegedüs <ai...@gm...>:
> hey,
>
> On Sat, Nov 12, 2022 at 06:33:02PM -0600, Arlen Walker wrote:
>> What’s the current paranoia level set to? Some levels require a
>> Host header to be present.
>
> just for my 2 cents: rule 920280 checks that Host header is
> present or not, 920290 checks that it's not empty.
>
> Furthermore, rule 920350 checks that Host header can't be
> numeric (eg. an IPv4 or IPv6 format address).
>
> All of them activated on *PL1*, so we can say PL settings do not
> play here.
>
> https://crsdoc.digitalwave.hu/?v=v3.3.2&f=1&_trg=107%2C106
>
> (See the "Paranoia level" field in the tables)
>
> a.
From: Ervin H. <ai...@gm...> - 2022-11-13 08:44:47

hey,

On Sat, Nov 12, 2022 at 06:33:02PM -0600, Arlen Walker wrote:
> What’s the current paranoia level set to? Some levels require a Host header to be present.

just for my 2 cents: rule 920280 checks that Host header is present or not, 920290 checks that it's not empty.

Furthermore, rule 920350 checks that Host header can't be numeric (eg. an IPv4 or IPv6 format address).

All of them activated on *PL1*, so we can say PL settings do not play here.

https://crsdoc.digitalwave.hu/?v=v3.3.2&f=1&_trg=107%2C106

(See the "Paranoia level" field in the tables)

a.
From: Arlen W. <pu...@ar...> - 2022-11-13 00:49:31
|
What’s the current paranoia level set to? Some levels require a Host header to be present. Sent from my iPad > On Nov 11, 2022, at 6:43 PM, O Lányi via mod-security-users <mod...@li...> wrote: > > modsecurity.conf: https://pastebin.com/ZggGuyKG > crs-setup.conf: https://pastebin.com/s11sF0pj > > It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason > > testing with curl: > > HTTP/1.0 HTTPS with no host header = LOGGED > HTTP/1.0 HTTPS with host header = not logged > HTTP/1.0 HTTP with no host header = not logged > HTTP/1.0 HTTP with host header = not logged > HTTP/1.1 HTTPS with no host header = not logged > HTTP/1.1 HTTPS with host header = not logged > HTTP/1.1 HTTP with no host header = not logged > HTTP/1.1 HTTP with host header = not logged > > but why? > > > > > Sent with Proton Mail secure email. > > ------- Original Message ------- >> On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote: >> >> >> Can you upload your modsecurity.conf and crs-setup.conf somewhere? >> >> >> >> >> Citát O Lányi via mod-security-users >> mod...@li...: >> >>> It's already set like that. >>> >>> ------- Original Message ------- >>>> On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote: >>> >>>> Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see: >>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine >>>> >>>> Citát O Lányi via mod-security-users >>>> mod...@li...: >>>> >>>>> The response was a 308. 99.999% of 308's are not put in the audit >>>>> log. Why was this specific one put in the audit log? >>>>> >>>>> Sent with Proton Mail secure email. >>>>> >>>>> ------- Original Message ------- >>>>> On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote: >>>>> >>>>>> This depends on the HTTP status code - logged are all requests with >>>>>> status code that matches regexp set in SecAuditLogRelevantStatus >>>>>> directive in modsecurity.conf (i.e. 
also requests that were NOT >>>>>> blocked may be logged). For more info, see: >>>> >>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus >>>> >>>>>> azurit >>>>>> >>>>>> Citát O Lányi via mod-security-users >>>>>> mod...@li...: >>>>>> >>>>>>> I understand the logging parts (I turned on additional parts to try >>>>>>> to understand why harmless requests are being placed in the audit >>>>>>> log), but why was this particular HTTP request put into the audit >>>>>>> log at all? What was "wrong" with it? >>>>>>> >>>>>>> Sent with Proton Mail secure email. >>>>>>> >>>>>>> ------- Original Message ------- >>>>>>> On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> what is logged depends on SecAuditLogParts directive in >>>>>>>> modsecurity.conf. For more info, see: >>>> >>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts >>>> >>>>>>>> azurit >>>>>>>> >>>>>>>> Citát O Lányi via mod-security-users >>>>>>>> mod...@li...: >>>>>>>> >>>>>>>>> Hello, >>>>>>>>> >>>>>>>>> I'm trying to learn to appreciate modsecurity but everything about >>>>>>>>> it is frustrating and confusing to me. I thought I'd try reaching >>>>>>>>> out in hopes someone could help -- this is my last hope before I >>>>>>>>> give up and turn it off. >>>>>>>>> >>>>>>>>> I am using DetectionOnly mode >>>>>>>>> >>>>>>>>> What was this put in the audit log? Why are there so many rules >>>>>>>>> listed? Why can't it just tell me simply what rule triggered the >>>>>>>>> inclusion in the log, rather than 75 lines of gibberish? Is this a >>>>>>>>> bug? 
>>>>>>>>> >>>>>>>>> --7337282c-A-- >>>>>>>>> [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc >>>>>>>>> (REMOTE_IP) 56866 (MY_IP) 443 >>>>>>>>> --7337282c-B-- >>>>>>>>> GET / HTTP/1.0 >>>>>>>>> >>>>>>>>> --7337282c-F-- >>>>>>>>> HTTP/1.1 308 Permanent Redirect >>>>>>>>> Expect-CT: max-age=604800, enforce, >>>>>> >>>>>> report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" >>>>>> >>>>>>>>> Referrer-Policy: unsafe-url >>>>>>>>> Strict-Transport-Security: max-age=31536000; >>>>>>>>> includeSubDomains; preload >>>>>>>>> X-Content-Type-Options: nosniff >>>>>>>>> X-Frame-Options: SAMEORIGIN >>>>>>>>> X-XSS-Protection: 1; mode=block >>>>>>>>> Location: https://othersite/ >>>>>>>>> Content-Length: 428 >>>>>>>>> Connection: close >>>>>>>>> Content-Type: text/html; charset=iso-8859-1 >>>>>>>>> >>>>>>>>> --7337282c-E-- >>>>>>>>> >>>>>>>>> --7337282c-H-- >>>>>>>>> Stopwatch: 1668000670057655 23939 (- - -) >>>>>>>>> Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, >>>>>>>>> p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0 >>>>>>>>> Response-Body-Transformed: Dechunked >>>>>>>>> Producer: ModSecurity for Apache/2.9.5 >>>>>>>>> (http://www.modsecurity.org/); OWASP_CRS/3.3.2. 
>>>>>>>>> Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 >>>>>>>>> Engine-Mode: "DETECTION_ONLY" >>>>>>>>> >>>>>>>>> --7337282c-K-- >>>>>>>>> SecAction >>>> >>>> "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332" >>>> >>>>>>>>> SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5" >>>> >>>>>>>>> SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4" >>>> >>>>>>>>> SecRule "&TX:paranoia_level" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1" >>>> >>>>>>>>> SecRule "&TX:executing_paranoia_level" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}" >>>> >>>>>>>>> SecRule "&TX:sampling_percentage" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100" >>>> >>>>>>>>> SecRule "&TX:critical_anomaly_score" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5" >>>> >>>>>>>>> SecRule "&TX:error_anomaly_score" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4" >>>> >>>>>>>>> SecRule "&TX:warning_anomaly_score" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3" >>>> >>>>>>>>> SecRule "&TX:notice_anomaly_score" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2" >>>> >>>>>>>>> SecRule "&TX:do_reput_block" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0" >>>> >>>>>>>>> SecRule "&TX:reput_block_duration" "@eq 0" >>>> >>>> 
"phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300" >>>> >>>>>>>>> SecRule "&TX:allowed_methods" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET >>>> >>>>>> HEAD >>>>>> >>>>>>>> POST >>>>>>>> >>>>>>>>> OPTIONS'" >>>>>>>>> >>>>>>>>> SecRule "&TX:allowed_request_content_type" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| >>>> |multipart/form-data| >>>> >>>>>> |multipart/related| >>>>>> >>>>>>>> |text/xml| >>>>>>>> >>>>>>>>> |application/x >>>>>>>>> ml| |application/soap+xml| |application/x-amf| |application/json| >>>>>>>>> |application/cloudevents+json| >>>>>>>>> |application/cloudevents-batch+json| >>>>>>>>> |application/octet-stream| |application/csp-report| >>>>>>>>> |application/xss-auditor-report| |text/plain|'" >>>>>>>>> >>>>>>>>> SecRule "&TX:allowed_request_content_type_charset" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252" >>>> >>>>>>>>> SecRule "&TX:allowed_http_versions" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 >>>> >>>>>> HTTP/1.1 >>>>>> >>>>>>>> HTTP/2 >>>>>>>> >>>>>>>>> HTTP/2.0'" >>>>>>>>> >>>>>>>>> SecRule "&TX:restricted_extensions" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ >>>> .cs/ >>>> >>>>>> .csproj/ >>>>>> >>>>>>>> .csr/ >>>>>>>> >>>>>>>>> .dat >>>>>>>>> / .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ >>>>>>>>> .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ >>>>>>>>> .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ >>>>>>>>> .vbs/ .vbproj/ 
>>>>>>>>> .vsdisco/ .webinfo/ .xsd/ .xsx/'" >>>>>>>>> >>>>>>>>> SecRule "&TX:restricted_headers" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ >>>> >>>>>> /lock-token/ >>>>>> >>>>>>>> /content-range/ >>>>>>>> >>>>>>>>> /if/'" >>>>>>>>> >>>>>>>>> SecRule "&TX:static_extensions" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ >>>> /.css/ >>>> >>>>>> /.ico/ >>>>>> >>>>>>>> /.svg/ >>>>>>>> >>>>>>>>> /.webp/'" >>>>>>>>> >>>>>>>>> SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" >>>> >>>> "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0" >>>> >>>>>>>>> SecAction >>>> >>>> "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0 >>>> >>>> ,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_sco >>>> >>>> re=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0" >>>> >>>>>>>>> SecAction >>>> >>>> "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}" >>>> >>>>>>>>> SecRule "REQBODY_PROCESSOR" "!@rx >>>>>>>>> (?:URLENCODED|MULTIPART|XML|JSON)" >>>>>>>>> "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body >>>> >>>> inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2" >>>> >>>>>>>>> SecRule "TX:sampling_percentage" 
"@eq 100" >>>> >>>> "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING" >>>> >>>>>>>>> SecRule >>>>>>>>> "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" >>>> >>>> "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS" >>>> >>>>>>>>> SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" >>>>>>>>> "@eq 0" >>>> >>>> "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS" >>>> >>>>>>>>> SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" >>>>>>>>> "@eq 0" >>>> >>>> "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD" >>>> >>>>>>>>> SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" >>>>>>>>> "@eq 0" >>>> >>>> "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" >>>> >>>>>>>>> SecRule >>>>>>>>> "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" >>>> >>>> "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" >>>> >>>>>>>>> SecRule >>>>>>>>> "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq >>>>>>>>> 0" >>>> >>>> "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" >>>> >>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" >>>> >>>> "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >>>> >>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0" >>>>>>>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> 
"phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" 
"@lt 2" >>>> >>>> "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >>>> >>>>>>>>> SecRule "RESPONSE_STATUS" "!@rx ^404$" >>>>>>>>> "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS >>>>>>>>> Information Leakage',logdata:'Matched Data: %{TX.0} found within >>>>>>>>> %{MATCHED_VAR_NAME}: >>>>>>>>> %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla >>>> >>>> 
tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" >>>> >>>>>>>>> #SecRule "RESPONSE_BODY" "@rx \\bServer Error >>>>>>>>> in.{0,50}?\\bApplication\\b" >>>> >>>> "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >>>> >>>>>>>>> SecRule "TX:PARANOIA_LEVEL" "@ge 1" >>>> >>>> "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >>>> >>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" >>>> >>>> "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >>>> >>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0" >>>>>>>>> >>>>>>>>> SecAction >>>> >>>> "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} >>>> >>>>>>>>> ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" >>>>>>>>> >>>>>>>>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt >>>>>>>>> %{tx.inbound_anomaly_score_threshold}" >>>>>>>>> "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly >>>>>>>>> Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - >>>>>>>>> SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score >>>> >>>> 
},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level >>>> scores: >>>> >>>>>> %{TX.ANOMALY_SCORE_PL1}, >>>>>> >>>>>>>> %{TX.ANOMALY_SCORE_PL2}, >>>>>>>> >>>>>>>>> %{TX.ANO >>>>>>>>> MALY_SCORE_PL3}, >>>> >>>> %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >>>> >>>>>>>>> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >>>>>>>>> >>>>>>>>> SecAction >>>> >>>> "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. >>>> >>>> outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" >>>> >>>>>>>>> SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt >>>>>>>>> %{tx.outbound_anomaly_score_threshold}" >>>> >>>> "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly >>>> >>>>>>>>> Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): >>>>>>>>> individual paranoia level scores: %{TX.OUTBO >>>>>>>>> UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, >>>>>>>>> %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, >>>> >>>> %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >>>> >>>>>>>>> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >>>>>>>>> >>>>>>>>> --7337282c-Z-- >>>>>>>>> >>>>>>>>> Thanks for any help anyone can offer. >>>>>>>>> >>>>>>>>> Sent with Proton Mail secure email. >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> mod-security-users mailing list >>>>>>>> mod...@li... 
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>>> http://www.modsecurity.org/projects/commercial/support/ |
From: Christian F. <chr...@ne...> - 2022-11-12 08:24:04
|
Hi there,

Would you mind sharing the logfile for those alerts? Ideally with the individual requests triggering them.

Best,

Christian

On Sat, Nov 12, 2022 at 12:41:45AM +0000, O Lányi via mod-security-users wrote:
> modsecurity.conf: https://pastebin.com/ZggGuyKG
> crs-setup.conf: https://pastebin.com/s11sF0pj
>
> It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason
>
> testing with curl:
>
> HTTP/1.0 HTTPS with no host header = LOGGED
> HTTP/1.0 HTTPS with host header = not logged
> HTTP/1.0 HTTP with no host header = not logged
> HTTP/1.0 HTTP with host header = not logged
> HTTP/1.1 HTTPS with no host header = not logged
> HTTP/1.1 HTTPS with host header = not logged
> HTTP/1.1 HTTP with no host header = not logged
> HTTP/1.1 HTTP with host header = not logged
>
> but why?
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:
>
> > Can you upload your modsecurity.conf and crs-setup.conf somewhere?
> >
> > Citát O Lányi via mod-security-users
> > mod...@li...:
> >
> > > It's already set like that.
> > >
> > > ------- Original Message -------
> > > On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote:
> > >
> > > > Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
> > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
> > > >
> > > > Citát O Lányi via mod-security-users
> > > > mod...@li...:
> > > >
> > > > > The response was a 308. 99.999% of 308's are not put in the audit
> > > > > log. Why was this specific one put in the audit log?
> > > > >
> > > > > Sent with Proton Mail secure email.
> > > > >
> > > > > ------- Original Message -------
> > > > > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
> > > > >
> > > > > > This depends on the HTTP status code - logged are all requests with
> > > > > > status code that matches regexp set in SecAuditLogRelevantStatus
> > > > > > directive in modsecurity.conf (i.e. also requests that were NOT
> > > > > > blocked may be logged). For more info, see:
> > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
> > > > > >
> > > > > > azurit
> > > > > >
> > > > > > Citát O Lányi via mod-security-users
> > > > > > mod...@li...:
> > > > > >
> > > > > > > I understand the logging parts (I turned on additional parts to try
> > > > > > > to understand why harmless requests are being placed in the audit
> > > > > > > log), but why was this particular HTTP request put into the audit
> > > > > > > log at all? What was "wrong" with it?
> > > > > > >
> > > > > > > Sent with Proton Mail secure email.
> > > > > > >
> > > > > > > ------- Original Message -------
> > > > > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > what is logged depends on SecAuditLogParts directive in
> > > > > > > > modsecurity.conf. For more info, see:
> > > > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > > > > > > >
> > > > > > > > azurit
> > > > > > > >
> > > > > > > > Citát O Lányi via mod-security-users
> > > > > > > > mod...@li...:
> > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I'm trying to learn to appreciate modsecurity but everything about
> > > > > > > > > it is frustrating and confusing to me. I thought I'd try reaching
> > > > > > > > > out in hopes someone could help -- this is my last hope before I
> > > > > > > > > give up and turn it off.
> > > > > > > > >
> > > > > > > > > I am using DetectionOnly mode
> > > > > > > > >
> > > > > > > > > What was this put in the audit log? Why are there so many rules
> > > > > > > > > listed? Why can't it just tell me simply what rule triggered the
> > > > > > > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > > > > > > > > bug?
> > > > > > > > >
> > > > > > > > > --7337282c-A--
> > > > > > > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
> > > > > > > > > --7337282c-B--
> > > > > > > > > GET / HTTP/1.0
> > > > > > > > >
> > > > > > > > > --7337282c-F--
> > > > > > > > > HTTP/1.1 308 Permanent Redirect
> > > > > > > > > Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> > > > > > > > > Referrer-Policy: unsafe-url
> > > > > > > > > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> > > > > > > > > X-Content-Type-Options: nosniff
> > > > > > > > > X-Frame-Options: SAMEORIGIN
> > > > > > > > > X-XSS-Protection: 1; mode=block
> > > > > > > > > Location: https://othersite/
> > > > > > > > > Content-Length: 428
> > > > > > > > > Connection: close
> > > > > > > > > Content-Type: text/html; charset=iso-8859-1
> > > > > > > > >
> > > > > > > > > --7337282c-E--
> > > > > > > > >
> > > > > > > > > --7337282c-H--
> > > > > > > > > Stopwatch: 1668000670057655 23939 (- - -)
> > > > > > > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
> > > > > > > > > Response-Body-Transformed: Dechunked
> > > > > > > > > Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
> > > > > > > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
> > > > > > > > > Engine-Mode: "DETECTION_ONLY"
> > > > > > > > >
> > > > > > > > > --7337282c-K--
> > > > > > > > > SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
> > > > > > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
> > > > > > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
> > > > > > > > > SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
> > > > > > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
> > > > > > > > > SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
> > > > > > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
> > > > > > > > > SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
> > > > > > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
> > > > > > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
> > > > > > > > > SecRule
"&TX:do_reput_block" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0" > > > > > > > > > > > > > SecRule "&TX:reput_block_duration" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300" > > > > > > > > > > > > > SecRule "&TX:allowed_methods" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET > > > > > > > > > > HEAD > > > > > > > > > > > > > > POST > > > > > > > > > > > > > > > > > OPTIONS'" > > > > > > > > > > > > > > > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| > > > > |multipart/form-data| > > > > > > > > > > |multipart/related| > > > > > > > > > > > > > > |text/xml| > > > > > > > > > > > > > > > > > |application/x > > > > > > > > > ml| |application/soap+xml| |application/x-amf| |application/json| > > > > > > > > > |application/cloudevents+json| > > > > > > > > > |application/cloudevents-batch+json| > > > > > > > > > |application/octet-stream| |application/csp-report| > > > > > > > > > |application/xss-auditor-report| |text/plain|'" > > > > > > > > > > > > > > > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252" > > > > > > > > > > > > > SecRule "&TX:allowed_http_versions" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 > > > > > > > > > > HTTP/1.1 > > > > > > > > > > > > > > HTTP/2 > > > > > > > > > > > > > > > > > HTTP/2.0'" > > > > > > > > > > > > > > > > > > SecRule "&TX:restricted_extensions" "@eq 0" > > > > > > > > 
"phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ > > > > .cs/ > > > > > > > > > > .csproj/ > > > > > > > > > > > > > > .csr/ > > > > > > > > > > > > > > > > > .dat > > > > > > > > > / .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ > > > > > > > > > .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ > > > > > > > > > .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ > > > > > > > > > .vbs/ .vbproj/ > > > > > > > > > .vsdisco/ .webinfo/ .xsd/ .xsx/'" > > > > > > > > > > > > > > > > > > SecRule "&TX:restricted_headers" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ > > > > > > > > > > /lock-token/ > > > > > > > > > > > > > > /content-range/ > > > > > > > > > > > > > > > > > /if/'" > > > > > > > > > > > > > > > > > > SecRule "&TX:static_extensions" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ > > > > /.css/ > > > > > > > > > > /.ico/ > > > > > > > > > > > > > > /.svg/ > > > > > > > > > > > > > > > > > /.webp/'" > > > > > > > > > > > > > > > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" > > > > > > > > "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0" > > > > > > > > > > > > > SecAction > > > > > > > > "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0 > > > > > > > > 
,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_sco > > > > > > > > re=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0" > > > > > > > > > > > > > SecAction > > > > > > > > "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}" > > > > > > > > > > > > > SecRule "REQBODY_PROCESSOR" "!@rx > > > > > > > > > (?:URLENCODED|MULTIPART|XML|JSON)" > > > > > > > > > "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body > > > > > > > > inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2" > > > > > > > > > > > > > SecRule "TX:sampling_percentage" "@eq 100" > > > > > > > > "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING" > > > > > > > > > > > > > SecRule > > > > > > > > > "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" > > > > > > > > "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS" > > > > > > > > > > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" > > > > > > > > > "@eq 0" > > > > > > > > "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS" > > > > > > > > > > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" > > > > > > > > > "@eq 0" > > > > > > > > "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD" > > > > > > > > > > > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" > > > > > > > > > "@eq 0" > > > > > > > > 
"phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" > > > > > > > > > > > > > SecRule > > > > > > > > > "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" > > > > > > > > "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" > > > > > > > > > > > > > SecRule > > > > > > > > > "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq > > > > > > > > > 0" > > > > > > > > "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" > > > > > > > > > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" > > > > > > > > "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" > > > > > > > > > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" > > > > > > > > > SecRule "&TX:dos_block_timeout" "@eq 0" > > > > > > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > 
"phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" > > > > > > > > > > > > > 
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" > > > > > > > > > > > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" > > > > > > > > > "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS > > > > > > > > > Information Leakage',logdata:'Matched Data: %{TX.0} found within > > > > > > > > > %{MATCHED_VAR_NAME}: > > > > > > > > > %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla > > > > > > > > tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" > > > > > > > > > > > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error > > > > > > > > > in.{0,50}?\\bApplication\\b" > > > 
> > > > > "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" > > > > > > > > > > > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" > > > > > > > > "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > > > "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" > > > > > > > > > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" > > > > > > > > "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" > > > > > > > > > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" > > > > > > > > > SecRule "&TX:dos_block_timeout" "@eq 0" > > > > > > > > > > > > > > > > > > SecAction > > > > > > > > "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} > > > > > > > > > > > > > ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" > > > > > > > > > > > > > > > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt > > > > > > > > > %{tx.inbound_anomaly_score_threshold}" > > > > > > > > > "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly > > > > > > > > > Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - > > > > > > > > > SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score > > > > > > > > },RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level > > > > scores: > > > > > > > > > > 
%{TX.ANOMALY_SCORE_PL1}, > > > > > > > > > > > > > > %{TX.ANOMALY_SCORE_PL2}, > > > > > > > > > > > > > > > > > %{TX.ANO > > > > > > > > > MALY_SCORE_PL3}, > > > > > > > > %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" > > > > > > > > > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" > > > > > > > > > > > > > > > > > > SecAction > > > > > > > > "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. > > > > > > > > outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" > > > > > > > > > > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt > > > > > > > > > %{tx.outbound_anomaly_score_threshold}" > > > > > > > > "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly > > > > > > > > > > > > > Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): > > > > > > > > > individual paranoia level scores: %{TX.OUTBO > > > > > > > > > UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, > > > > > > > > > %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, > > > > > > > > %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" > > > > > > > > > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" > > > > > > > > > > > > > > > > > > --7337282c-Z-- > > > > > > > > > > > > > > > > > > Thanks for any help anyone can offer. > > > > > > > > > > > > > > > > > > Sent with Proton Mail secure email. > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > mod-security-users mailing list > > > > > > > > mod...@li... 
> > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > > http://www.modsecurity.org/projects/commercial/support/ |
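Editor's note, not part of any post in this thread and not code from the ModSecurity project: the entry quoted above is a good case for checking the two things that make a transaction "relevant" under SecAuditEngine RelevantOnly. Either a rule that matched logged an alert (part H then carries "Message:" lines), or the response status matches the SecAuditLogRelevantStatus regex that azurit points to. The posted entry has no "Message:" line in part H, and the only non-bookkeeping rule in part K (954130) has its second chain link printed with a leading "#", which is how ModSecurity 2.x marks a chain link that did not match. The script below reads a serial-format audit entry, extracts the status from part F, the alerts from part H and the unmatched chain links from part K, and tests the status against a given pattern. The function names, the constructed sample entry (trimmed from the posted one, with the poster's IP placeholders kept) and the broadened pattern LOG_REDIRECTS_TOO are assumptions made for this example; the default pattern is the one from modsecurity.conf-recommended that azurit quotes later in the thread.

```python
"""
Added example (editor's code, not from the mailing-list thread or from the
ModSecurity project): decide why a ModSecurity 2.x serial-format audit log
entry was written under SecAuditEngine RelevantOnly.
"""
import re

# Default from modsecurity.conf-recommended: every 5xx, every 4xx except 404.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"

# Hypothetical broadened pattern (assumption, not from the thread): an
# operator who also wants redirects logged might end up with this, and a
# 308 then becomes "relevant" on status alone.
LOG_REDIRECTS_TOO = r"^(?:3|5|4(?!04))"


def status_is_relevant(status, pattern=DEFAULT_RELEVANT_STATUS):
    """ModSecurity applies SecAuditLogRelevantStatus to the status code as text."""
    return re.match(pattern, str(status)) is not None


def parse_audit_entry(text):
    """Split a serial-format entry into its parts, keyed by letter (A, B, F, H, K, ...)."""
    parts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^--([0-9a-f]+)-([A-Z])--$", line.strip())
        if m:
            current = m.group(2)
            parts[current] = []
        elif current is not None:
            parts[current].append(line)
    return {k: "\n".join(v).strip() for k, v in parts.items()}


def response_status(parts):
    """Status code taken from the response status line in part F."""
    m = re.match(r"^HTTP/\d\.\d (\d{3})", parts.get("F", ""))
    return int(m.group(1)) if m else None


def alert_messages(parts):
    """'Message:' lines in part H are the rules that actually logged an alert."""
    return [l for l in parts.get("H", "").splitlines() if l.startswith("Message:")]


def unmatched_chain_links(parts):
    """In part K a chain link that did NOT match is printed with a leading '#'."""
    return [l for l in parts.get("K", "").splitlines() if l.startswith("#SecRule")]


def explain(entry_text, pattern=DEFAULT_RELEVANT_STATUS):
    """Summarise the two 'relevance' sources for one entry."""
    parts = parse_audit_entry(entry_text)
    status = response_status(parts)
    return {
        "status": status,
        "status_relevant": status_is_relevant(status, pattern),
        "alerts": alert_messages(parts),
        "unmatched_chain_links": len(unmatched_chain_links(parts)),
    }


# Constructed sample, trimmed from the entry posted in the thread.
SAMPLE_ENTRY = r"""
--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/
Content-Length: 428

--7337282c-H--
Stopwatch: 1668000670057655 23939 (- - -)
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,setvar:tx.paranoia_level=1"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none"

--7337282c-Z--
"""

if __name__ == "__main__":
    for pat in (DEFAULT_RELEVANT_STATUS, LOG_REDIRECTS_TOO):
        print(pat, explain(SAMPLE_ENTRY, pat))
```

With the default pattern the sample reports status 308 as not relevant, no alerts and one unmatched chain link, so nothing in the entry itself explains why it was written; only with the broadened pattern does the status become relevant. When an entry like this shows up, the effective SecAuditLogRelevantStatus and SecAuditEngine of the virtual host that actually served the request are the settings to compare against the file you think is in force (an HTTP/1.0 request without a Host header is served by whichever vhost is the default for that listener, a possibility the thread does not settle).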
From: <az...@po...> - 2022-11-12 06:46:00
|
You said you are only learning ModSecurity, so you should NOT modify advanced settings like SecAuditLogRelevantStatus and SecAuditLogParts. I suggest you use the default values at least for these two, because what you are experiencing is probably some kind of misconfiguration.

SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ

Also, disable SecStatusEngine as it doesn't work anymore (the ModSecurity authors disabled the server-side part of this service).

Citát O Lányi via mod-security-users <mod...@li...>:
> modsecurity.conf: https://pastebin.com/ZggGuyKG
> crs-setup.conf: https://pastebin.com/s11sF0pj
>
> It seems to be logging any HTTP/1.0 HTTPS request that does not have
> a Host: header, for some reason
>
> testing with curl:
>
> HTTP/1.0 HTTPS with no host header = LOGGED
> HTTP/1.0 HTTPS with host header = not logged
> HTTP/1.0 HTTP with no host header = not logged
> HTTP/1.0 HTTP with host header = not logged
> HTTP/1.1 HTTPS with no host header = not logged
> HTTP/1.1 HTTPS with host header = not logged
> HTTP/1.1 HTTP with no host header = not logged
> HTTP/1.1 HTTP with host header = not logged
>
> but why?
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:
>
>> Can you upload your modsecurity.conf and crs-setup.conf somewhere?
>>
>> Citát O Lányi via mod-security-users
>> mod...@li...:
>>
>> > It's already set like that.
>> >
>> > ------- Original Message -------
>> > On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote:
>> >
>> > > Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
>> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
>> > >
>> > > Citát O Lányi via mod-security-users
>> > > mod...@li...:
>> > >
>> > > > The response was a 308. 99.999% of 308's are not put in the audit
>> > > > log. Why was this specific one put in the audit log?
>> > > > >> > > > Sent with Proton Mail secure email. >> > > > >> > > > ------- Original Message ------- >> > > > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote: >> > > > >> > > > > This depends on the HTTP status code - logged are all requests with >> > > > > status code that matches regexp set in SecAuditLogRelevantStatus >> > > > > directive in modsecurity.conf (i.e. also requests that were NOT >> > > > > blocked may be logged). For more info, see: >> > > >> > > >> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus >> > > >> > > > > azurit >> > > > > >> > > > > Citát O Lányi via mod-security-users >> > > > > mod...@li...: >> > > > > >> > > > > > I understand the logging parts (I turned on additional >> parts to try >> > > > > > to understand why harmless requests are being placed in the audit >> > > > > > log), but why was this particular HTTP request put into the audit >> > > > > > log at all? What was "wrong" with it? >> > > > > > >> > > > > > Sent with Proton Mail secure email. >> > > > > > >> > > > > > ------- Original Message ------- >> > > > > > On Wednesday, November 9th, 2022 at 10:30 AM, >> az...@po... wrote: >> > > > > > >> > > > > > > Hi, >> > > > > > > >> > > > > > > what is logged depends on SecAuditLogParts directive in >> > > > > > > modsecurity.conf. For more info, see: >> > > >> > > >> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts >> > > >> > > > > > > azurit >> > > > > > > >> > > > > > > Citát O Lányi via mod-security-users >> > > > > > > mod...@li...: >> > > > > > > >> > > > > > > > Hello, >> > > > > > > > >> > > > > > > > I'm trying to learn to appreciate modsecurity but >> everything about >> > > > > > > > it is frustrating and confusing to me. I thought I'd >> try reaching >> > > > > > > > out in hopes someone could help -- this is my last >> hope before I >> > > > > > > > give up and turn it off. 
>>>>>>>>>
>>>>>>>>> I am using DetectionOnly mode
>>>>>>>>>
>>>>>>>>> Why was this put in the audit log? Why are there so many rules
>>>>>>>>> listed? Why can't it just tell me simply what rule triggered the
>>>>>>>>> inclusion in the log, rather than 75 lines of gibberish? Is this a
>>>>>>>>> bug?
>>>>>>>>>
>>>>>>>>> --7337282c-A--
>>>>>>>>> [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
>>>>>>>>> --7337282c-B--
>>>>>>>>> GET / HTTP/1.0
>>>>>>>>>
>>>>>>>>> --7337282c-F--
>>>>>>>>> HTTP/1.1 308 Permanent Redirect
>>>>>>>>> Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
>>>>>>>>> Referrer-Policy: unsafe-url
>>>>>>>>> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
>>>>>>>>> X-Content-Type-Options: nosniff
>>>>>>>>> X-Frame-Options: SAMEORIGIN
>>>>>>>>> X-XSS-Protection: 1; mode=block
>>>>>>>>> Location: https://othersite/
>>>>>>>>> Content-Length: 428
>>>>>>>>> Connection: close
>>>>>>>>> Content-Type: text/html; charset=iso-8859-1
>>>>>>>>>
>>>>>>>>> --7337282c-E--
>>>>>>>>>
>>>>>>>>> --7337282c-H--
>>>>>>>>> Stopwatch: 1668000670057655 23939 (- - -)
>>>>>>>>> Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
>>>>>>>>> Response-Body-Transformed: Dechunked
>>>>>>>>> Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
>>>>>>>>> Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
>>>>>>>>> Engine-Mode: "DETECTION_ONLY"
>>>>>>>>>
>>>>>>>>> --7337282c-K--
>>>>>>>>> SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
>>>>>>>>> SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
>>>>>>>>> SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
>>>>>>>>> SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
>>>>>>>>> SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
>>>>>>>>> SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
>>>>>>>>> SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
>>>>>>>>> SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
>>>>>>>>> SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
>>>>>>>>> SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
>>>>>>>>> SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
>>>>>>>>> SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
>>>>>>>>> SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
>>>>>>>>> SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
>>>>>>>>> SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
>>>>>>>>> SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
>>>>>>>>> SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
>>>>>>>>> SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
>>>>>>>>> SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
>>>>>>>>> SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
>>>>>>>>> SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
>>>>>>>>> SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
>>>>>>>>> SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
>>>>>>>>> SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
>>>>>>>>> SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
>>>>>>>>> SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
>>>>>>>>> SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
>>>>>>>>> SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
>>>>>>>>> SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
>>>>>>>>> SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
>>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
>>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
>>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0"
>>>>>>>>>
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>>>>>>>>> SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
>>>>>>>>> #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>>>>>>>>> SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
>>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
>>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0"
>>>>>>>>>
>>>>>>>>> SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
>>>>>>>>>
>>>>>>>>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
>>>>>>>>> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>>>>>>>>>
>>>>>>>>> SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
>>>>>>>>> SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
>>>>>>>>> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>>>>>>>>>
>>>>>>>>> --7337282c-Z--
>>>>>>>>>
>>>>>>>>> Thanks for any help anyone can offer.
>>>>>>>>>
>>>>>>>>> Sent with Proton Mail secure email.
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> mod-security-users mailing list
>>>>>>>> mod...@li...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>>>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>>>>>> http://www.modsecurity.org/projects/commercial/support/
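As an added example (not code from the thread, from ModSecurity or from the CRS), this Python script parses a serial-format audit entry modelled on the one quoted above and reports the two things the thread argues about: whether the response status matches the SecAuditLogRelevantStatus regex azurit recommends, and which matched rules in part K carry an effective auditlog action once the log/nolog/auditlog/noauditlog flags are applied in order as the reference manual describes. SAMPLE_ENTRY is constructed (rule list shortened, placeholders kept), and treating '#'-prefixed K lines as chain members that did not match is an assumption.

```python
import re

# SecAuditLogRelevantStatus value recommended in the thread: 5xx, and 4xx except 404
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")
PART_HEADER = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
DOUBLE_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def status_is_relevant(status, pattern=RELEVANT_STATUS):
    """True if the response status alone makes the transaction 'relevant'."""
    return pattern.search(str(status)) is not None

def split_parts(entry):
    """Split a serial-format audit entry into {part letter: part text}."""
    parts, current = {}, None
    for line in entry.splitlines():
        m = PART_HEADER.match(line)
        if m:
            current = m.group(2)
            parts[current] = []
        elif current is not None:
            parts[current].append(line)
    return {k: "\n".join(v).strip("\n") for k, v in parts.items()}

def split_actions(action_string):
    """Split an action list on commas, ignoring commas inside single quotes
    (CRS msg:'...' values contain commas)."""
    actions, buf, quoted = [], [], False
    for ch in action_string:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            actions.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        actions.append("".join(buf).strip())
    return actions

def requests_auditlog(actions):
    """Apply the logging flags in order, as the reference manual describes:
    'auditlog' marks the transaction for the audit log, 'noauditlog' unmarks
    it, and 'nolog' implies 'noauditlog' unless a later 'auditlog' overrides it."""
    auditlog = False
    for action in actions:
        if action == "auditlog":
            auditlog = True
        elif action in ("noauditlog", "nolog"):
            auditlog = False
    return auditlog

def rule_id(actions):
    """Return the id:NNN value from an action list, or None."""
    return next((a[3:] for a in actions if a.startswith("id:")), None)

def explain(entry):
    """Report the response status, whether it matches the relevant-status regex,
    and which matched rules in part K carried an effective 'auditlog' action."""
    parts = split_parts(entry)
    f_lines = parts.get("F", "").splitlines()
    status = f_lines[0].split()[1] if f_lines and len(f_lines[0].split()) > 1 else ""
    marked = []
    for line in parts.get("K", "").splitlines():
        # Assumption: '#'-prefixed lines are chain members that did not match
        # (the thread's entry shows such lines), so they are skipped.
        if not line.startswith(("SecRule", "SecAction")):
            continue
        quoted = DOUBLE_QUOTED.findall(line)  # the action list is the last quoted string
        if quoted and requests_auditlog(split_actions(quoted[-1])):
            marked.append(rule_id(split_actions(quoted[-1])))
    return {"status": status, "status_relevant": status_is_relevant(status),
            "auditlog_rules": marked}

# Constructed entry modelled on the one in the thread (rule list shortened,
# placeholders kept); it is not the original log.
SAMPLE_ENTRY = r"""--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score})',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
--7337282c-Z--
"""

if __name__ == "__main__":
    print(explain(SAMPLE_ENTRY))  # → {'status': '308', 'status_relevant': False, 'auditlog_rules': ['954130']}
```

The auditlog_rules list is a set of candidates to check rather than a verdict: a chain starter is reported even when a later link of the chain (a '#' line) did not match, which is exactly the shape of rule 954130 in the thread's own entry.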
From: O L. <ne...@pr...> - 2022-11-12 00:42:12
modsecurity.conf: https://pastebin.com/ZggGuyKG
crs-setup.conf: https://pastebin.com/s11sF0pj

It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason

testing with curl:

HTTP/1.0 HTTPS with no host header = LOGGED
HTTP/1.0 HTTPS with host header = not logged
HTTP/1.0 HTTP with no host header = not logged
HTTP/1.0 HTTP with host header = not logged
HTTP/1.1 HTTPS with no host header = not logged
HTTP/1.1 HTTPS with host header = not logged
HTTP/1.1 HTTP with no host header = not logged
HTTP/1.1 HTTP with host header = not logged

but why?

Sent with Proton Mail secure email.

------- Original Message -------
On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:

> Can you upload your modsecurity.conf and crs-setup.conf somewhere?
>
> Quoting O Lányi via mod-security-users
> mod...@li...:
>
>> It's already set like that.
>>
>> ------- Original Message -------
>> On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote:
>>
>>> Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
>>>
>>> Quoting O Lányi via mod-security-users
>>> mod...@li...:
>>>
>>>> The response was a 308. 99.999% of 308's are not put in the audit
>>>> log. Why was this specific one put in the audit log?
>>>>
>>>> Sent with Proton Mail secure email.
>>>>
>>>> ------- Original Message -------
>>>> On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
>>>>
>>>>> This depends on the HTTP status code - logged are all requests with
>>>>> a status code that matches the regexp set in the SecAuditLogRelevantStatus
>>>>> directive in modsecurity.conf (i.e. also requests that were NOT
>>>>> blocked may be logged). For more info, see:
>>>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
>>>>>
>>>>> azurit
>>>>>
>>>>> Quoting O Lányi via mod-security-users
>>>>> mod...@li...:
>>>>>
>>>>>> I understand the logging parts (I turned on additional parts to try
>>>>>> to understand why harmless requests are being placed in the audit
>>>>>> log), but why was this particular HTTP request put into the audit
>>>>>> log at all? What was "wrong" with it?
>>>>>>
>>>>>> Sent with Proton Mail secure email.
>>>>>>
>>>>>> ------- Original Message -------
>>>>>> On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> what is logged depends on the SecAuditLogParts directive in
>>>>>>> modsecurity.conf. For more info, see:
>>>>>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>>>>>>>
>>>>>>> azurit
>>>>>>>
>>>>>>> Quoting O Lányi via mod-security-users
>>>>>>> mod...@li...:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I'm trying to learn to appreciate modsecurity but everything about
>>>>>>>> it is frustrating and confusing to me. I thought I'd try reaching
>>>>>>>> out in hopes someone could help -- this is my last hope before I
>>>>>>>> give up and turn it off.
>>>>>>>>
>>>>>>>> I am using DetectionOnly mode
>>>>>>>>
>>>>>>>> Why was this put in the audit log? Why are there so many rules
>>>>>>>> listed? Why can't it just tell me simply what rule triggered the
>>>>>>>> inclusion in the log, rather than 75 lines of gibberish? Is this a
>>>>>>>> bug?
>>>>>>>>
>>>>>>>> --7337282c-A--
>>>>>>>> [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
>>>>>>>> --7337282c-B--
>>>>>>>> GET / HTTP/1.0
>>>>>>>>
>>>>>>>> --7337282c-F--
>>>>>>>> HTTP/1.1 308 Permanent Redirect
>>>>>>>> Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
>>>>>>>> Referrer-Policy: unsafe-url
>>>>>>>> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
>>>>>>>> X-Content-Type-Options: nosniff
>>>>>>>> X-Frame-Options: SAMEORIGIN
>>>>>>>> X-XSS-Protection: 1; mode=block
>>>>>>>> Location: https://othersite/
>>>>>>>> Content-Length: 428
>>>>>>>> Connection: close
>>>>>>>> Content-Type: text/html; charset=iso-8859-1
>>>>>>>>
>>>>>>>> --7337282c-E--
>>>>>>>>
>>>>>>>> --7337282c-H--
>>>>>>>> Stopwatch: 1668000670057655 23939 (- - -)
>>>>>>>> Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
>>>>>>>> Response-Body-Transformed: Dechunked
>>>>>>>> Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
>>>>>>>> Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
>>>>>>>> Engine-Mode: "DETECTION_ONLY"
>>>>>>>>
>>>>>>>> --7337282c-K--
>>>>>>>> SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
>>>>>>>> SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
>>>>>>>> SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
>>>>>>>> SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
>>>>>>>> SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
>>>>>>>> SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
>>>>>>>> SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
>>>>>>>> SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
>>>>>>>> SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
>>>>>>>> SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
>>>>>>>> SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
>>>>>>>> SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
>>>>>>>> SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
>>>>>>>> SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
>>>>>>>> SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
>>>>>>>> SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
>>>>>>>> SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
>>>>>>>> SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
>>>>>>>> SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
>>>>>>>> SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
>>>>>>>> SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
>>>>>>>> SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
>>>>>>>> SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
>>>>>>>> SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
>>>>>>>> SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
>>>>>>>> SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
>>>>>>>> SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
>>>>>>>> SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
>>>>>>>> SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
>>>>>>>> SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0"
>>>>>>>>
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2"
"phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > 
"phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" > > > > > > > > > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" > > > > > > > > "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS > > > > > > > > Information Leakage',logdata:'Matched Data: %{TX.0} found within > > > > > > > > %{MATCHED_VAR_NAME}: > > > > > > > > %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla > > > > > > tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" > > > > > > > > > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error > > > > > > > > in.{0,50}?\\bApplication\\b" > > > > > > "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" > > > > > > > > > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" > > > > > > "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" > > > > > > > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" > > > > > > 
"phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" > > > > > > > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" > > > > > > > > SecRule "&TX:dos_block_timeout" "@eq 0" > > > > > > > > > > > > > > > > SecAction > > > > > > "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} > > > > > > > > > > > ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" > > > > > > > > > > > > > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt > > > > > > > > %{tx.inbound_anomaly_score_threshold}" > > > > > > > > "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly > > > > > > > > Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - > > > > > > > > SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score > > > > > > },RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level > > > scores: > > > > > > > > %{TX.ANOMALY_SCORE_PL1}, > > > > > > > > > > > > %{TX.ANOMALY_SCORE_PL2}, > > > > > > > > > > > > > > > %{TX.ANO > > > > > > > > MALY_SCORE_PL3}, > > > > > > %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" > > > > > > > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" > > > > > > > > > > > > > > > > SecAction > > > > > > "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. 
> > > > > > outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" > > > > > > > > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt > > > > > > > > %{tx.outbound_anomaly_score_threshold}" > > > > > > "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly > > > > > > > > > > > Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): > > > > > > > > individual paranoia level scores: %{TX.OUTBO > > > > > > > > UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, > > > > > > > > %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, > > > > > > %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" > > > > > > > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" > > > > > > > > > > > > > > > > --7337282c-Z-- > > > > > > > > > > > > > > > > Thanks for any help anyone can offer. > > > > > > > > > > > > > > > > Sent with Proton Mail secure email. > > > > > > > > > > > > > > _______________________________________________ > > > > > > > mod-security-users mailing list > > > > > > > mod...@li... > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > > > > > > SpiderLabs: > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > _______________________________________________ > > > > > > mod-security-users mailing list > > > > > > mod...@li... > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > _______________________________________________ > > > > > mod-security-users mailing list > > > > > mod...@li... 
> > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > _______________________________________________ > > > > mod-security-users mailing list > > > > mod...@li... > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > _______________________________________________ > > > mod-security-users mailing list > > > mod...@li... > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > http://www.modsecurity.org/projects/commercial/rules/ > > > http://www.modsecurity.org/projects/commercial/support/ > > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
From: <az...@po...> - 2022-11-11 09:51:31
|
Can you upload your modsecurity.conf and crs-setup.conf somewhere?

Quoting O Lányi via mod-security-users <mod...@li...>:

> It's already set like that.
>
> ------- Original Message -------
> On Thursday, November 10th, 2022 at 4:39 AM, <az...@po...> wrote:
>
>> Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
>>
>> Quoting O Lányi via mod-security-users mod...@li...:
>>
>> > The response was a 308. 99.999% of 308s are not put in the audit
>> > log. Why was this specific one put in the audit log?
>> >
>> > Sent with Proton Mail secure email.
>> >
>> > ------- Original Message -------
>> > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
>> >
>> > > This depends on the HTTP status code: logged are all requests with a
>> > > status code that matches the regexp set in the SecAuditLogRelevantStatus
>> > > directive in modsecurity.conf (i.e. requests that were NOT blocked may
>> > > also be logged). For more info, see:
>> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
>> > >
>> > > azurit
>> > >
>> > > Quoting O Lányi via mod-security-users mod...@li...:
>> > >
>> > > > I understand the logging parts (I turned on additional parts to try
>> > > > to understand why harmless requests are being placed in the audit
>> > > > log), but why was this particular HTTP request put into the audit
>> > > > log at all? What was "wrong" with it?
>> > > >
>> > > > Sent with Proton Mail secure email.
>> > > >
>> > > > ------- Original Message -------
>> > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
>> > > >
>> > > > > Hi,
>> > > > >
>> > > > > what is logged depends on the SecAuditLogParts directive in
>> > > > > modsecurity.conf. For more info, see:
>> > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>> > > > >
>> > > > > azurit
>> > > > >
>> > > > > Quoting O Lányi via mod-security-users mod...@li...:
>> > > > >
>> > > > > > Hello,
>> > > > > >
>> > > > > > I'm trying to learn to appreciate modsecurity but everything about
>> > > > > > it is frustrating and confusing to me. I thought I'd try reaching
>> > > > > > out in hopes someone could help -- this is my last hope before I
>> > > > > > give up and turn it off.
>> > > > > >
>> > > > > > I am using DetectionOnly mode.
>> > > > > >
>> > > > > > Why was this put in the audit log? Why are there so many rules
>> > > > > > listed? Why can't it just tell me simply what rule triggered the
>> > > > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
>> > > > > > bug?
>> > > > > >
>> > > > > > --7337282c-A--
>> > > > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
>> > > > > > --7337282c-B--
>> > > > > > GET / HTTP/1.0
>> > > > > >
>> > > > > > --7337282c-F--
>> > > > > > HTTP/1.1 308 Permanent Redirect
>> > > > > > Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
>> > > > > > Referrer-Policy: unsafe-url
>> > > > > > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
>> > > > > > X-Content-Type-Options: nosniff
>> > > > > > X-Frame-Options: SAMEORIGIN
>> > > > > > X-XSS-Protection: 1; mode=block
>> > > > > > Location: https://othersite/
>> > > > > > Content-Length: 428
>> > > > > > Connection: close
>> > > > > > Content-Type: text/html; charset=iso-8859-1
>> > > > > >
>> > > > > > --7337282c-E--
>> > > > > >
>> > > > > > --7337282c-H--
>> > > > > > Stopwatch: 1668000670057655 23939 (- - -)
>> > > > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
>> > > > > > Response-Body-Transformed: Dechunked
>> > > > > > Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
>> > > > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
>> > > > > > Engine-Mode: "DETECTION_ONLY"
>> > > > > >
>> > > > > > --7337282c-K--
>> > > > > > SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
>> > > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
>> > > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
>> > > > > > SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
>> > > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
>> > > > > > SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
>> > > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
>> > > > > > SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
>> > > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
>> > > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
>> > > > > > SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
>> > > > > > SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
>> > > > > > SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
>> > > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
>> > > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
>> > > > > > SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
>> > > > > > SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
>> > > > > > SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
>> > > > > > SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
>> > > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
>> > > > > > SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
>> > > > > > SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
>> > > > > > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
>> > > > > > SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
>> > > > > > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
>> > > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
>> > > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
>> > > > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
>> > > > > > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
>> > > > > > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
>> > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
>> > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
>> > > > > > SecRule "&TX:dos_block_timeout" "@eq 0"
>> > > > > >
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>> > > > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
>> > > > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>> > > > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
>> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>> > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
>> > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
>> > > > > > SecRule "&TX:dos_block_timeout" "@eq 0"
>> > > > > >
>> > > > > > SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
>> > > > > >
>> > > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
>> > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>> > > > > >
>> > > > > > SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
>> > > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
>> > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>> > > > > >
>> > > > > > --7337282c-Z--
>> > > > > >
>> > > > > > Thanks for any help anyone can offer.
>> > > > > >
>> > > > > > Sent with Proton Mail secure email.
|
From: O L. <ne...@pr...> - 2022-11-10 14:45:15
It's already set like that.

------- Original Message -------
On Thursday, November 10th, 2022 at 4:39 AM, <az...@po...> wrote:

> Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
>
> Quoting O Lányi via mod-security-users mod...@li...:
>
> > The response was a 308. 99.999% of 308's are not put in the audit
> > log. Why was this specific one put in the audit log?
> >
> > Sent with Proton Mail secure email.
> >
> > ------- Original Message -------
> > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
> >
> > > This depends on the HTTP status code - logged are all requests with
> > > status code that matches regexp set in SecAuditLogRelevantStatus
> > > directive in modsecurity.conf (i.e. also requests that were NOT
> > > blocked may be logged). For more info, see:
> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
> > >
> > > azurit
> > >
> > > Quoting O Lányi via mod-security-users mod...@li...:
> > >
> > > > I understand the logging parts (I turned on additional parts to try
> > > > to understand why harmless requests are being placed in the audit
> > > > log), but why was this particular HTTP request put into the audit
> > > > log at all? What was "wrong" with it?
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > ------- Original Message -------
> > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > what is logged depends on SecAuditLogParts directive in
> > > > > modsecurity.conf. For more info, see:
> > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > > > >
> > > > > azurit
> > > > >
> > > > > Quoting O Lányi via mod-security-users mod...@li...:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I'm trying to learn to appreciate modsecurity but everything about
> > > > > > it is frustrating and confusing to me. I thought I'd try reaching
> > > > > > out in hopes someone could help -- this is my last hope before I
> > > > > > give up and turn it off.
> > > > > >
> > > > > > I am using DetectionOnly mode
> > > > > >
> > > > > > What was this put in the audit log? Why are there so many rules
> > > > > > listed? Why can't it just tell me simply what rule triggered the
> > > > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > > > > > bug?
> > > > > >
> > > > > > --7337282c-A--
> > > > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
> > > > > > --7337282c-B--
> > > > > > GET / HTTP/1.0
> > > > > >
> > > > > > --7337282c-F--
> > > > > > HTTP/1.1 308 Permanent Redirect
> > > > > > Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> > > > > > Referrer-Policy: unsafe-url
> > > > > > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> > > > > > X-Content-Type-Options: nosniff
> > > > > > X-Frame-Options: SAMEORIGIN
> > > > > > X-XSS-Protection: 1; mode=block
> > > > > > Location: https://othersite/
> > > > > > Content-Length: 428
> > > > > > Connection: close
> > > > > > Content-Type: text/html; charset=iso-8859-1
> > > > > >
> > > > > > --7337282c-E--
> > > > > >
> > > > > > --7337282c-H--
> > > > > > Stopwatch: 1668000670057655 23939 (- - -)
> > > > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
> > > > > > Response-Body-Transformed: Dechunked
> > > > > > Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
> > > > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
> > > > > > Engine-Mode: "DETECTION_ONLY"
> > > > > >
> > > > > > --7337282c-K--
> > > > > > SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
> > > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
> > > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
> > > > > > SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
> > > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
> > > > > > SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
> > > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
> > > > > > SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
> > > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
> > > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
> > > > > > SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
> > > > > > SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
> > > > > > SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
> > > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
> > > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
> > > > > > SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
> > > > > > SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
> > > > > > SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
> > > > > > SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
> > > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
> > > > > > SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
> > > > > > SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
> > > > > > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
> > > > > > SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
> > > > > > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
> > > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
> > > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
> > > > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
> > > > > > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
> > > > > > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
> > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > > > > > SecRule "&TX:dos_block_timeout" "@eq 0"
> > > > > >
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> > > > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
> > > > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> > > > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > > > > > SecRule "&TX:dos_block_timeout" "@eq 0"
> > > > > >
> > > > > > SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
> > > > > >
> > > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
> > > > > >
> > > > > > SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
> > > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
> > > > > >
> > > > > > --7337282c-Z--
> > > > > >
> > > > > > Thanks for any help anyone can offer.
> > > > > >
> > > > > > Sent with Proton Mail secure email.
> > > > >
> > > > > _______________________________________________
> > > > > mod-security-users mailing list
> > > > > mod...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > http://www.modsecurity.org/projects/commercial/support/
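The two facts the replies above turn on are the status-code test that RelevantOnly applies through SecAuditLogRelevantStatus and the list of matched rules in part K of the entry. The script below, an added example rather than code from the ModSecurity project or from anyone in this thread, walks through both on a shortened copy of the posted entry: it splits the serial-format entry at its `--<id>-<letter>--` boundaries, reads the status from part F, applies the relevant-status regex to it, and decodes each part-K line into its rule id and log-related actions. The default regex `^(?:5|4(?!04))` is the value shipped in the recommended modsecurity.conf and is an assumption about the poster's setup; the function names are this example's own.

```python
"""Triage one ModSecurity 2.x serial audit-log entry.

Added example, not ModSecurity or CRS code. Assumption: DEFAULT_RELEVANT_STATUS
is the SecAuditLogRelevantStatus value from the recommended modsecurity.conf.
"""
import re
from typing import Dict

DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"  # assumed default; compare with your modsecurity.conf

# Constructed sample: the entry posted in the thread with most part-K lines removed.
SAMPLE_ENTRY = r"""--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/
Content-Length: 428

--7337282c-E--

--7337282c-H--
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score',tag:event-correlation,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"

--7337282c-Z--
"""

BOUNDARY_RE = re.compile(r"^--(\w+)-([A-Z])--$", re.MULTILINE)
QUOTED_ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Split an action list on commas that are not inside a single-quoted value (msg:'a, b').
ACTION_SPLIT_RE = re.compile(r",(?=(?:[^']*'[^']*')*[^']*$)")


def split_parts(entry: str) -> Dict[str, str]:
    """Map part letter -> body. A part runs from its boundary line to the next; Z ends the entry."""
    marks = list(BOUNDARY_RE.finditer(entry))
    parts: Dict[str, str] = {}
    for i, mark in enumerate(marks):
        letter = mark.group(2)
        if letter == "Z":
            break
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[letter] = entry[mark.end():end].strip("\n")
    return parts


def response_status(parts: Dict[str, str]) -> int:
    """Status code from the status line that opens part F (response headers)."""
    return int(parts["F"].splitlines()[0].split()[1])


def status_is_relevant(status: int, relevant_regex: str = DEFAULT_RELEVANT_STATUS) -> bool:
    """RelevantOnly applies SecAuditLogRelevantStatus to the status code written out as text."""
    return re.search(relevant_regex, str(status)) is not None


def parse_rule_line(line: str) -> dict:
    """Decode one part-K line: rule id, whether the engine listed it as a match of its
    own (chain members that did not match are written with a leading '#'), and the
    log-related actions it carries."""
    matched = not line.startswith("#")
    directive = line.lstrip("#")
    keyword = directive.split(None, 1)[0]
    args = QUOTED_ARG_RE.findall(directive)
    if keyword == "SecAction":
        actions = args[0] if args else ""
    else:  # SecRule VARIABLES OPERATOR [ACTIONS]
        actions = args[2] if len(args) >= 3 else ""
    tokens = [t.partition(":") for t in ACTION_SPLIT_RE.split(actions) if t]
    names = {name for name, _, _ in tokens}
    return {
        "id": next((int(value) for name, _, value in tokens if name == "id"), None),
        "matched": matched,
        "log": "log" in names and "nolog" not in names,
        "ctl_auditlogparts": any(name == "ctl" and value.startswith("auditLogParts")
                                 for name, _, value in tokens),
    }


def explain(entry: str, relevant_regex: str = DEFAULT_RELEVANT_STATUS) -> dict:
    """Collect the facts in the entry that bear on why it was written."""
    parts = split_parts(entry)
    status = response_status(parts)
    rules = [parse_rule_line(ln.strip()) for ln in parts.get("K", "").splitlines() if ln.strip()]
    return {
        "parts": sorted(parts),
        "status": status,
        "status_relevant": status_is_relevant(status, relevant_regex),
        "matched_rule_ids": [r["id"] for r in rules if r["matched"] and r["id"] is not None],
        "rules_with_log": [r["id"] for r in rules if r["matched"] and r["log"]],
        "rules_changing_audit_parts": [r["id"] for r in rules if r["ctl_auditlogparts"]],
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

On the posted entry the status is 308, which the default regex does not match, so the status-code condition alone does not account for the entry under RelevantOnly; the reference manual's other condition for that mode is a rule that triggered a warning or an error, and the decoded part K is where to look for it. The script reports which listed rules still carry `log` and which one changes the audit parts through a `ctl:` action (954130 in this entry), which narrows the 75 lines to the few worth reading; passing a different regex as the second argument to `explain` shows how a non-default SecAuditLogRelevantStatus changes the verdict.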
From: <az...@po...> - 2022-11-10 10:40:08
Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine

Quoting O Lányi via mod-security-users <mod...@li...>:

> The response was a 308. 99.999% of 308's are not put in the audit
> log. Why was this specific one put in the audit log?
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Wednesday, November 9th, 2022 at 10:58 AM, <az...@po...> wrote:
>
> > This depends on the HTTP status code - logged are all requests with
> > status code that matches regexp set in SecAuditLogRelevantStatus
> > directive in modsecurity.conf (i.e. also requests that were NOT
> > blocked may be logged). For more info, see:
> > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
> >
> > azurit
> >
> > Quoting O Lányi via mod-security-users mod...@li...:
> >
> > > I understand the logging parts (I turned on additional parts to try
> > > to understand why harmless requests are being placed in the audit
> > > log), but why was this particular HTTP request put into the audit
> > > log at all? What was "wrong" with it?
> > >
> > > Sent with Proton Mail secure email.
> > >
> > > ------- Original Message -------
> > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> > >
> > > > Hi,
> > > >
> > > > what is logged depends on SecAuditLogParts directive in
> > > > modsecurity.conf. For more info, see:
> > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > > >
> > > > azurit
> > > >
> > > > Quoting O Lányi via mod-security-users mod...@li...:
> > > >
> > > > > Hello,
> > > > >
> > > > > I'm trying to learn to appreciate modsecurity but everything about
> > > > > it is frustrating and confusing to me. I thought I'd try reaching
> > > > > out in hopes someone could help -- this is my last hope before I
> > > > > give up and turn it off.
> > > > >
> > > > > I am using DetectionOnly mode
> > > > >
> > > > > What was this put in the audit log? Why are there so many rules
> > > > > listed? Why can't it just tell me simply what rule triggered the
> > > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > > > > bug?
> > > > >
> > > > > --7337282c-A--
> > > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
> > > > > --7337282c-B--
> > > > > GET / HTTP/1.0
> > > > >
> > > > > --7337282c-F--
> > > > > HTTP/1.1 308 Permanent Redirect
> > > > > Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> > > > > Referrer-Policy: unsafe-url
> > > > > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> > > > > X-Content-Type-Options: nosniff
> > > > > X-Frame-Options: SAMEORIGIN
> > > > > X-XSS-Protection: 1; mode=block
> > > > > Location: https://othersite/
> > > > > Content-Length: 428
> > > > > Connection: close
> > > > > Content-Type: text/html; charset=iso-8859-1
> > > > >
> > > > > --7337282c-E--
> > > > >
> > > > > --7337282c-H--
> > > > > Stopwatch: 1668000670057655 23939 (- - -)
> > > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
> > > > > Response-Body-Transformed: Dechunked
> > > > > Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
> > > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
> > > > > Engine-Mode: "DETECTION_ONLY"
> > > > >
> > > > > --7337282c-K--
> > > > > SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
> > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
> > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
> > > > > SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
> > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
> > > > > SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
> > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
> > > > > SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
> > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
> > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
> > > > > SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
> > > > > SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
> > > > > SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
> > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
> > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
> > > > > SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
> > > > > SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
> > > > > SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
> > > > > SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
> > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
> > > > > SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
> > > > > SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
> > > > > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
> > > > > SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
> > > > > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
> > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
> > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
> > > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
> > > > > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
> > > > > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
> > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
> > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
> > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > > > > SecRule "&TX:dos_block_timeout" "@eq 0"
> > > > >
> > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2"
"phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> 
"phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > > >> "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" >> > > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >> > > >> > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" >> > > > "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS >> > > > Information Leakage',logdata:'Matched Data: 
%{TX.0} found within >> > > > %{MATCHED_VAR_NAME}: >> > > > %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla >> > > >> > > >> tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" >> > > >> > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error >> > > > in.{0,50}?\\bApplication\\b" >> > > >> > > >> "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >> > > >> > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" >> > > >> > > >> "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" >> > > >> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >> > > >> > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" >> > > >> > > >> "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >> > > >> > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >> > > > SecRule "&TX:dos_block_timeout" "@eq 0" >> > > > >> > > > SecAction >> > > >> > > >> "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} >> > > >> > > > ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" >> > > > >> > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt >> > > > %{tx.inbound_anomaly_score_threshold}" >> > > > "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly >> > > > Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - 
>> > > > SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score >> > > >> > > >> },RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: >> %{TX.ANOMALY_SCORE_PL1}, >> > > %{TX.ANOMALY_SCORE_PL2}, >> > > >> > > > %{TX.ANO >> > > > MALY_SCORE_PL3}, >> > > > >> %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >> > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >> > > > >> > > > SecAction >> > > >> > > >> "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. >> > > >> > > >> outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" >> > > >> > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt >> > > > %{tx.outbound_anomaly_score_threshold}" >> > > > "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly >> > > > Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): >> > > > individual paranoia level scores: %{TX.OUTBO >> > > > UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, >> > > > %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, >> > > >> > > >> %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >> > > >> > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >> > > > >> > > > --7337282c-Z-- >> > > > >> > > > Thanks for any help anyone can offer. >> > > > >> > > > Sent with Proton Mail secure email. >> > > >> > > _______________________________________________ >> > > mod-security-users mailing list >> > > mod...@li... 
>> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users >> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> > > http://www.modsecurity.org/projects/commercial/rules/ >> > > http://www.modsecurity.org/projects/commercial/support/ >> > >> > _______________________________________________ >> > mod-security-users mailing list >> > mod...@li... >> > https://lists.sourceforge.net/lists/listinfo/mod-security-users >> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> > http://www.modsecurity.org/projects/commercial/rules/ >> > http://www.modsecurity.org/projects/commercial/support/ >> >> >> >> >> >> >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
From: O L. <ne...@pr...> - 2022-11-09 17:12:12
The response was a 308. 99.999% of 308s are not put in the audit log. Why was this specific one put in the audit log?

Sent with Proton Mail secure email.

------- Original Message -------
On Wednesday, November 9th, 2022 at 10:58 AM, <az...@po...> wrote:

> This depends on the HTTP status code - logged are all requests with status code that matches regexp set in SecAuditLogRelevantStatus directive in modsecurity.conf (i.e. also requests that were NOT blocked may be logged). For more info, see:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
>
> azurit
>
> Citát O Lányi via mod-security-users <mod...@li...>:
>
> > I understand the logging parts (I turned on additional parts to try to understand why harmless requests are being placed in the audit log), but why was this particular HTTP request put into the audit log at all? What was "wrong" with it?
> >
> > Sent with Proton Mail secure email.
> >
> > ------- Original Message -------
> > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> >
> > > Hi,
> > >
> > > what is logged depends on SecAuditLogParts directive in modsecurity.conf. For more info, see:
> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > >
> > > azurit
> > >
> > > Citát O Lányi via mod-security-users <mod...@li...>:
> > >
> > > > Hello,
> > > >
> > > > I'm trying to learn to appreciate modsecurity but everything about it is frustrating and confusing to me. I thought I'd try reaching out in hopes someone could help -- this is my last hope before I give up and turn it off.
> > > >
> > > > I am using DetectionOnly mode
> > > >
> > > > Why was this put in the audit log? Why are there so many rules listed? Why can't it just tell me simply what rule triggered the inclusion in the log, rather than 75 lines of gibberish? Is this a bug?
> > > >
> > > > --7337282c-A--
> > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
> > > > --7337282c-B--
> > > > GET / HTTP/1.0
> > > >
> > > > --7337282c-F--
> > > > HTTP/1.1 308 Permanent Redirect
> > > > Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> > > > Referrer-Policy: unsafe-url
> > > > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> > > > X-Content-Type-Options: nosniff
> > > > X-Frame-Options: SAMEORIGIN
> > > > X-XSS-Protection: 1; mode=block
> > > > Location: https://othersite/
> > > > Content-Length: 428
> > > > Connection: close
> > > > Content-Type: text/html; charset=iso-8859-1
> > > >
> > > > --7337282c-E--
> > > >
> > > > --7337282c-H--
> > > > Stopwatch: 1668000670057655 23939 (- - -)
> > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
> > > > Response-Body-Transformed: Dechunked
> > > > Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
> > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
> > > > Engine-Mode: "DETECTION_ONLY"
> > > >
> > > > --7337282c-K--
> > > > SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
> > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
> > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
> > > > SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
> > > > SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
> > > > SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
> > > > SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
> > > > SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
> > > > SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
> > > > SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
> > > > SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
> > > > SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
> > > > SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
> > > > SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
> > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
> > > > SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
> > > > SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
> > > > SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
> > > > SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
> > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
> > > > SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
> > > > SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
> > > > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
> > > > SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
> > > > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
> > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
> > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
> > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
> > > > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
> > > > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
> > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > > > SecRule "&TX:dos_block_timeout" "@eq 0"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
> > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > > > SecRule "&TX:dos_block_timeout" "@eq 0"
> > > > SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
> > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
> > > > SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
> > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
> > > > --7337282c-Z--
> > > >
> > > > Thanks for any help anyone can offer.
> > > >
> > > > Sent with Proton Mail secure email.
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/
From: <az...@po...> - 2022-11-09 16:59:11
|
This depends on the HTTP status code: all requests whose status code matches the regexp set in the SecAuditLogRelevantStatus directive in modsecurity.conf are logged (i.e. requests that were NOT blocked may also be logged). For more info, see: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus

azurit

Quoting O Lányi via mod-security-users <mod...@li...>:

> I understand the logging parts (I turned on additional parts to try
> to understand why harmless requests are being placed in the audit
> log), but why was this particular HTTP request put into the audit
> log at all? What was "wrong" with it?
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Wednesday, November 9th, 2022 at 10:30 AM, <az...@po...> wrote:
>
>> Hi,
>>
>> what is logged depends on SecAuditLogParts directive in
>> modsecurity.conf. For more info, see:
>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>>
>> azurit
>>
>> Quoting O Lányi via mod-security-users
>> mod...@li...:
>>
>> > Hello,
>> >
>> > I'm trying to learn to appreciate modsecurity but everything about
>> > it is frustrating and confusing to me. I thought I'd try reaching
>> > out in hopes someone could help -- this is my last hope before I
>> > give up and turn it off.
>> >
>> > I am using DetectionOnly mode
>> >
>> > Why was this put in the audit log? Why are there so many rules
>> > listed? Why can't it just tell me simply what rule triggered the
>> > inclusion in the log, rather than 75 lines of gibberish? Is this a
>> > bug?
>> >
>> > --7337282c-A--
>> > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc
>> > (REMOTE_IP) 56866 (MY_IP) 443
>> > --7337282c-B--
>> > GET / HTTP/1.0
>> >
>> > --7337282c-F--
>> > HTTP/1.1 308 Permanent Redirect
>> > Expect-CT: max-age=604800, enforce,
>> > report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
>> > Referrer-Policy: unsafe-url
>> > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
>> > X-Content-Type-Options: nosniff
>> > X-Frame-Options: SAMEORIGIN
>> > X-XSS-Protection: 1; mode=block
>> > Location: https://othersite/
>> > Content-Length: 428
>> > Connection: close
>> > Content-Type: text/html; charset=iso-8859-1
>> >
>> > --7337282c-E--
>> >
>> > --7337282c-H--
>> > Stopwatch: 1668000670057655 23939 (- - -)
>> > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0,
>> > p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
>> > Response-Body-Transformed: Dechunked
>> > Producer: ModSecurity for Apache/2.9.5
>> > (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
>> > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 >> > Engine-Mode: "DETECTION_ONLY" >> > >> > --7337282c-K-- >> > SecAction >> > >> "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332" >> > >> > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" >> > >> "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5" >> > >> > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" >> > >> "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4" >> > >> > SecRule "&TX:paranoia_level" "@eq 0" >> > >> "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1" >> > >> > SecRule "&TX:executing_paranoia_level" "@eq 0" >> > >> "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}" >> > >> > SecRule "&TX:sampling_percentage" "@eq 0" >> > >> "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100" >> > >> > SecRule "&TX:critical_anomaly_score" "@eq 0" >> > >> "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5" >> > >> > SecRule "&TX:error_anomaly_score" "@eq 0" >> > >> "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4" >> > >> > SecRule "&TX:warning_anomaly_score" "@eq 0" >> > >> "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3" >> > >> > SecRule "&TX:notice_anomaly_score" "@eq 0" >> > >> "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2" >> > >> > SecRule "&TX:do_reput_block" "@eq 0" >> > >> "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0" >> > >> > SecRule "&TX:reput_block_duration" "@eq 0" >> > >> "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300" >> > >> > SecRule 
"&TX:allowed_methods" "@eq 0" >> > >> "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD >> POST >> > OPTIONS'" >> > >> > SecRule "&TX:allowed_request_content_type" "@eq 0" >> > >> "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| >> |text/xml| >> > |application/x >> > ml| |application/soap+xml| |application/x-amf| |application/json| >> > |application/cloudevents+json| |application/cloudevents-batch+json| >> > |application/octet-stream| |application/csp-report| >> > |application/xss-auditor-report| |text/plain|'" >> > >> > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" >> > >> "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252" >> > >> > SecRule "&TX:allowed_http_versions" "@eq 0" >> > >> "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 >> HTTP/2 >> > HTTP/2.0'" >> > >> > SecRule "&TX:restricted_extensions" "@eq 0" >> > >> "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ >> .csr/ >> > .dat >> > / .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ >> > .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ >> > .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ >> > .vsdisco/ .webinfo/ .xsd/ .xsx/'" >> > >> > SecRule "&TX:restricted_headers" "@eq 0" >> > >> "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ >> /content-range/ >> > /if/'" >> > >> > SecRule "&TX:static_extensions" "@eq 0" >> > >> 
"phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ >> /.svg/ >> > /.webp/'" >> > >> > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" >> > >> "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0" >> > >> > SecAction >> > >> "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0 >> > >> ,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_sco >> > >> re=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0" >> > >> > SecAction >> > >> "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}" >> > >> > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" >> > "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body >> > >> inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2" >> > >> > SecRule "TX:sampling_percentage" "@eq 100" >> > >> "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING" >> > >> > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" >> > >> "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS" >> > >> > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" >> > "@eq 0" >> > >> 
"phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS" >> > >> > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" >> > "@eq 0" >> > >> "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD" >> > >> > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" >> > "@eq 0" >> > >> "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" >> > >> > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" >> > >> "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" >> > >> > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq >> > 0" >> > >> "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" >> > >> > SecRule "&TX:dos_burst_time_slice" "@eq 0" >> > >> "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >> > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >> > SecRule "&TX:dos_block_timeout" "@eq 0" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> 
"phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >> > >> 
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >> > >> > SecRule "RESPONSE_STATUS" "!@rx ^404$" >> > "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS >> > Information Leakage',logdata:'Matched Data: %{TX.0} found within >> > %{MATCHED_VAR_NAME}: >> > %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla >> > >> tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" >> > #SecRule "RESPONSE_BODY" "@rx \\bServer Error >> > in.{0,50}?\\bApplication\\b" >> > >> "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >> > >> > SecRule "TX:PARANOIA_LEVEL" "@ge 1" >> > >> "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" >> > >> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > >> 
"phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >> > >> > SecRule "&TX:dos_burst_time_slice" "@eq 0" >> > >> "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >> > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >> > SecRule "&TX:dos_block_timeout" "@eq 0" >> > >> > SecAction >> > >> "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} >> > ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" >> > >> > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt >> > %{tx.inbound_anomaly_score_threshold}" >> > "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly >> > Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - >> > SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score >> > >> },RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, >> %{TX.ANOMALY_SCORE_PL2}, >> > %{TX.ANO >> > MALY_SCORE_PL3}, >> > %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >> > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >> > >> > SecAction >> > >> "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. 
>> > >> outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" >> > >> > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt >> > %{tx.outbound_anomaly_score_threshold}" >> > "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly >> > Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): >> > individual paranoia level scores: %{TX.OUTBO >> > UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, >> > %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, >> > >> %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >> > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >> > >> > --7337282c-Z-- >> > >> > Thanks for any help anyone can offer. >> > >> > Sent with Proton Mail secure email. >> >> >> >> >> >> >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
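To check azurit's explanation against a concrete audit-log entry, here is an added Python triage script; it is not code from the thread or from ModSecurity. It parses serial-format audit-log entries into their lettered parts and reports, for each transaction, whether the response status in part F matches SecAuditLogRelevantStatus and whether any rule wrote a "Message:" line into part H. It also counts part K, which is the list of every rule whose condition evaluated to true (the CRS setup SecActions included), which is why the entry in the thread carries 75 lines there without naming a single detection. Assumptions: SecAuditEngine RelevantOnly and the default regexp from modsecurity.conf-recommended, `^(?:5|4(?!04))`; the sample log is constructed, modelled on the 308 entry quoted above, with documentation-range addresses and two invented transactions.

```python
"""Triage ModSecurity 2.x serial audit-log entries: was each one written because
the response status matched SecAuditLogRelevantStatus, because a rule fired, or
for neither reason?  Added example; not code from ModSecurity or the thread."""
import re

# Default from modsecurity.conf-recommended (5xx, and 4xx except 404). Assumption:
# substitute the value from your own modsecurity.conf.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"

# Constructed sample modelled on the 308 entry in the thread; addresses are from
# documentation ranges and the second and third transactions are invented.
SAMPLE_LOG = """\
--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc 203.0.113.10 56866 198.51.100.5 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/

--7337282c-H--
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"

--7337282c-Z--
--00000001-A--
[09/Nov/2022:07:40:00.000000 --0600] AAAAAAAAAAAAAAAAAAAAAAAA 203.0.113.10 56870 198.51.100.5 443
--00000001-F--
HTTP/1.1 500 Internal Server Error

--00000001-H--
Engine-Mode: "DETECTION_ONLY"

--00000001-Z--
--00000002-A--
[09/Nov/2022:07:41:00.000000 --0600] BBBBBBBBBBBBBBBBBBBBBBBB 203.0.113.10 56871 198.51.100.5 443
--00000002-F--
HTTP/1.1 200 OK

--00000002-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"]
Engine-Mode: "DETECTION_ONLY"

--00000002-Z--
"""

PART_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})\b")
MESSAGE_RE = re.compile(r"^Message: (.*)$")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')


def parse_serial_audit_log(text):
    """Split a serial-format audit log into [(tx_id, {part_letter: [lines]}), ...]."""
    entries, order, current = {}, [], None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            tx_id, part = m.groups()
            if tx_id not in entries:
                entries[tx_id] = {}
                order.append(tx_id)
            current = None if part == "Z" else entries[tx_id].setdefault(part, [])
        elif current is not None:
            current.append(line)
    return [(tx_id, entries[tx_id]) for tx_id in order]


def triggered_rule_ids(parts):
    """Rule ids from 'Message:' lines in part H. Only rules that fire with the log
    action write one; a rule matching with nolog leaves its trace in part K alone."""
    ids = []
    for line in parts.get("H", []):
        m = MESSAGE_RE.match(line)
        if m:
            id_match = RULE_ID_RE.search(m.group(1))
            ids.append(id_match.group(1) if id_match else "unknown")
    return ids


def triage(parts, audit_engine="RelevantOnly", relevant_status=DEFAULT_RELEVANT_STATUS):
    """Explain why one entry was written; 'reasons' is empty when neither the
    status regexp nor a logged rule accounts for it."""
    status = next((int(m.group(1)) for m in map(STATUS_RE.match, parts.get("F", [])) if m), None)
    status_relevant = status is not None and re.search(relevant_status, str(status)) is not None
    fired = triggered_rule_ids(parts)
    # Part K lists every rule whose condition was true, CRS setup SecActions
    # included, so a long part K does not mean anything was detected.
    matched_in_k = sum(1 for line in parts.get("K", []) if line.startswith(("SecRule", "SecAction")))
    reasons = []
    if audit_engine == "On":
        reasons.append("SecAuditEngine On: every transaction is logged")
    elif audit_engine == "RelevantOnly":
        if status_relevant:
            reasons.append(f"status {status} matches SecAuditLogRelevantStatus {relevant_status}")
        if fired:
            reasons.append("rule(s) logged a message: " + ", ".join(fired))
    return {"status": status, "status_relevant": status_relevant, "triggered_rules": fired,
            "matched_rules_in_part_k": matched_in_k, "reasons": reasons}


if __name__ == "__main__":
    for tx_id, parts in parse_serial_audit_log(SAMPLE_LOG):
        r = triage(parts)
        why = "; ".join(r["reasons"]) or "neither reason applies: check SecAuditEngine and SecAuditLogRelevantStatus"
        print(f"{tx_id}: status={r['status']} rules in part K={r['matched_rules_in_part_k']} -> {why}")
```

To run it on a real log, read the serial audit-log file into a string in place of SAMPLE_LOG and pass the relevant_status and audit_engine values from the running modsecurity.conf. Under the default regexp a 308 is not a relevant status, so an entry like the one in the thread that carries no "Message:" line in part H comes out with an empty reasons list; that result points at the SecAuditEngine setting or a non-default SecAuditLogRelevantStatus rather than at any rule, which is the check azurit's answer calls for.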
From: O L. <ne...@pr...> - 2022-11-09 16:39:28
|
I understand the logging parts (I turned on additional parts to try to understand why harmless requests are being placed in the audit log), but why was this particular HTTP request put into the audit log at all? What was "wrong" with it?

Sent with Proton Mail secure email.

------- Original Message -------
On Wednesday, November 9th, 2022 at 10:30 AM, <az...@po...> wrote:

> Hi,
>
> what is logged depends on SecAuditLogParts directive in
> modsecurity.conf. For more info, see:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>
> azurit
>
> Quoting O Lányi via mod-security-users
> mod...@li...:
>
> > Hello,
> >
> > I'm trying to learn to appreciate modsecurity but everything about
> > it is frustrating and confusing to me. I thought I'd try reaching
> > out in hopes someone could help -- this is my last hope before I
> > give up and turn it off.
> >
> > I am using DetectionOnly mode
> >
> > Why was this put in the audit log? Why are there so many rules
> > listed? Why can't it just tell me simply what rule triggered the
> > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > bug?
> >
> > --7337282c-A--
> > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc
> > (REMOTE_IP) 56866 (MY_IP) 443
> > --7337282c-B--
> > GET / HTTP/1.0
> >
> > --7337282c-F--
> > HTTP/1.1 308 Permanent Redirect
> > Expect-CT: max-age=604800, enforce,
> > report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> > Referrer-Policy: unsafe-url
> > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> > X-Content-Type-Options: nosniff
> > X-Frame-Options: SAMEORIGIN
> > X-XSS-Protection: 1; mode=block
> > Location: https://othersite/
> > Content-Length: 428
> > Connection: close
> > Content-Type: text/html; charset=iso-8859-1
> >
> > --7337282c-E--
> >
> > --7337282c-H--
> > Stopwatch: 1668000670057655 23939 (- - -)
> > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0,
> > p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
> > Response-Body-Transformed: Dechunked
> > Producer: ModSecurity for Apache/2.9.5
> > (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
> > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 > > Engine-Mode: "DETECTION_ONLY" > > > > --7337282c-K-- > > SecAction > > "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332" > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" > > "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5" > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" > > "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4" > > > > SecRule "&TX:paranoia_level" "@eq 0" > > "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1" > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" > > "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}" > > > > SecRule "&TX:sampling_percentage" "@eq 0" > > "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100" > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" > > "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5" > > > > SecRule "&TX:error_anomaly_score" "@eq 0" > > "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4" > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" > > "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3" > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" > > "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2" > > > > SecRule "&TX:do_reput_block" "@eq 0" > > "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0" > > > > SecRule "&TX:reput_block_duration" "@eq 0" > > "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300" > > > > SecRule "&TX:allowed_methods" "@eq 0" > > 
"phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST > > OPTIONS'" > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" > > "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| > > |application/x > > ml| |application/soap+xml| |application/x-amf| |application/json| > > |application/cloudevents+json| |application/cloudevents-batch+json| > > |application/octet-stream| |application/csp-report| > > |application/xss-auditor-report| |text/plain|'" > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" > > "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252" > > > > SecRule "&TX:allowed_http_versions" "@eq 0" > > "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 > > HTTP/2.0'" > > > > SecRule "&TX:restricted_extensions" "@eq 0" > > "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ > > .dat > > / .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ > > .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ > > .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ > > .vsdisco/ .webinfo/ .xsd/ .xsx/'" > > > > SecRule "&TX:restricted_headers" "@eq 0" > > "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ > > /if/'" > > > > SecRule "&TX:static_extensions" "@eq 0" > > "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ > > /.webp/'" > > > > SecRule 
"&TX:enforce_bodyproc_urlencoded" "@eq 0" > > "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0" > > > > SecAction > > "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0 > > ,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_sco > > re=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0" > > > > SecAction > > "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}" > > > > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" > > "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body > > inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2" > > > > SecRule "TX:sampling_percentage" "@eq 100" > > "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING" > > > > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" > > "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS" > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" > > "@eq 0" > > "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS" > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" > > "@eq 0" > > "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD" > > > > SecRule 
"&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" > > "@eq 0" > > "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" > > > > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" > > "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" > > > > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq > > 0" > > "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" > > "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" > > SecRule "&TX:dos_block_timeout" "@eq 0" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > 
"phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > 
"phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> >
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> >
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> >
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> >
> > SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
> > #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
> >
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> >
> > SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
> >
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> >
> > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > SecRule "&TX:dos_block_timeout" "@eq 0"
> >
> > SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
> >
> > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
> >
> > SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
> >
> > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
> >
> > --7337282c-Z--
> >
> > Thanks for any help anyone can offer.
> >
> > Sent with Proton Mail secure email.
> >
> >
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/ |
From: <az...@po...> - 2022-11-09 16:30:48
|
Hi,

what is logged depends on the SecAuditLogParts directive in modsecurity.conf. For more info, see:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts

azurit


Quoting O Lányi via mod-security-users <mod...@li...>:

> Hello,
>
> I'm trying to learn to appreciate modsecurity but everything about
> it is frustrating and confusing to me. I thought I'd try reaching
> out in hopes someone could help -- this is my last hope before I
> give up and turn it off.
>
> I am using DetectionOnly mode
>
> Why was this put in the audit log? Why are there so many rules
> listed? Why can't it just tell me simply what rule triggered the
> inclusion in the log, rather than 75 lines of gibberish? Is this a
> bug?
>
> --7337282c-A--
> [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
> --7337282c-B--
> GET / HTTP/1.0
>
> --7337282c-F--
> HTTP/1.1 308 Permanent Redirect
> Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> Referrer-Policy: unsafe-url
> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> X-Content-Type-Options: nosniff
> X-Frame-Options: SAMEORIGIN
> X-XSS-Protection: 1; mode=block
> Location: https://othersite/
> Content-Length: 428
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --7337282c-E--
>
> --7337282c-H--
> Stopwatch: 1668000670057655 23939 (- - -)
> Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
> Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
> Engine-Mode: "DETECTION_ONLY"
>
> --7337282c-K--
> SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
>
> SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
>
> SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
>
> SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
>
> SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
>
> SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
>
> SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
>
> SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
>
> SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
>
> SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
>
> SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
>
> SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
>
> SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
>
> SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
>
> SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
>
> SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
>
> SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
>
> SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
>
> SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
>
> SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
>
> SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
>
> SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
>
> SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
>
> SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
>
> SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
>
> SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
>
> SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
>
> SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
>
> SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
>
> SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
>
> SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> SecRule "&TX:dos_block_timeout" "@eq 0"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>
> SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
> #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>
> SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
>
> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>
> SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> SecRule "&TX:dos_block_timeout" "@eq 0"
>
> SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
>
> SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>
> SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
>
> SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>
> --7337282c-Z--
>
> Thanks for any help anyone can offer.
>
> Sent with [Proton Mail](https://proton.me/) secure email. |
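As an added example (not code from this thread, from ModSecurity or from the CRS), a small Python parser for the serial audit-log format quoted above: it splits one entry into its lettered parts, reads Engine-Mode from part H, and reduces part K to the rules that completed a match and carry a msg, treating a link printed with a leading '#' as a chain link that did not match, which is how the quoted log shows the second links of 954130 and 980120. The sample entry, its boundary id, addresses and unique id are constructed.

```python
import re

# Part boundaries look like --7337282c-K--: the hex id is the same for every
# part of one entry and the letter names the part (A, B, F, H, K, Z, ...).
PART_BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
RULE_ID = re.compile(r"\bid:(\d+)")
RULE_MSG = re.compile(r"msg:'([^']*)'")
CHAIN_ACTION = re.compile(r'[",]chain[,"]')  # 'chain' as an action, not inside a tag


def split_parts(entry):
    """Map each part letter to its body for one serial-format entry.
    Which letters appear at all is governed by SecAuditLogParts; Z closes it."""
    parts, current, buf, boundary = {}, None, [], None
    for line in entry.splitlines():
        m = PART_BOUNDARY.match(line.strip())
        if m:
            if boundary is None:
                boundary = m.group(1)
            elif m.group(1) != boundary:
                raise ValueError("part boundary changed inside one entry")
            if current is not None:
                parts[current] = "\n".join(buf).strip()
            current, buf = m.group(2), []
        elif current is not None:
            buf.append(line)
    if current is not None:
        parts[current] = "\n".join(buf).strip()
    return parts


def parse_k_part(k_text):
    """Group the K part (one rule per line, in match order) into chains.
    A rule whose actions contain 'chain' opens a chain; the lines after it are
    its links until one without 'chain'. A link printed with a leading '#' did
    not match, so the chain as a whole did not fire (the thread's log shows
    this for 954130 and 980120). Only the starter carries the id and msg."""
    rules = []
    for raw in k_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        unmatched = line.startswith("#")
        body = line.lstrip("#")
        continues = bool(CHAIN_ACTION.search(body))
        if rules and rules[-1]["open"]:  # this line is a link of the open chain
            starter = rules[-1]
            starter["matched"] = starter["matched"] and not unmatched
            starter["open"] = continues
            continue
        id_m, msg_m = RULE_ID.search(body), RULE_MSG.search(body)
        rules.append({"id": id_m.group(1) if id_m else None,
                      "msg": msg_m.group(1) if msg_m else None,
                      "matched": not unmatched, "open": continues})
    return rules


def summarise(entry):
    """Reduce one entry to what an operator asks first: which rules fired."""
    parts = split_parts(entry)
    rules = parse_k_part(parts.get("K", ""))
    mode = re.search(r'Engine-Mode: "([^"]*)"', parts.get("H", ""))
    return {
        "unique_id": parts["A"].split()[2] if "A" in parts else None,
        "engine_mode": mode.group(1) if mode else None,
        "rules_listed": len(rules),
        # rules that matched completely and carry a message
        "fired": [(r["id"], r["msg"]) for r in rules if r["matched"] and r["msg"]],
        # chain starters whose later links are '#'-prefixed
        "chains_broken": [r["id"] for r in rules if not r["matched"]],
    }


# Constructed sample entry shaped like the one in the thread: placeholder
# boundary, addresses and unique id; the K lines are abridged CRS 3.3.2 rules.
SAMPLE_ENTRY = r"""
--deadbeef-A--
[09/Nov/2022:07:31:10.081483 --0600] EXAMPLE-UNIQUE-ID 203.0.113.10 56866 198.51.100.5 443
--deadbeef-H--
Engine-Mode: "DETECTION_ONLY"

--deadbeef-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ver:OWASP_CRS/3.3.2"
SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',tag:attack-disclosure,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
--deadbeef-Z--
"""

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

Run against the sample, the six listed rules reduce to a single fully matched rule with a message (901340) and two chains whose second link did not match (954130, 980120); pointing it at a real entry only needs the text between one entry's A and Z boundaries.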
From: O L. <ne...@pr...> - 2022-11-09 16:23:54
|
Hello,

I'm trying to learn to appreciate modsecurity but everything about it is frustrating and confusing to me. I thought I'd try reaching out in hopes someone could help -- this is my last hope before I give up and turn it off.

I am using DetectionOnly mode

Why was this put in the audit log? Why are there so many rules listed? Why can't it just tell me simply what rule triggered the inclusion in the log, rather than 75 lines of gibberish? Is this a bug?

--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Referrer-Policy: unsafe-url
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Location: https://othersite/
Content-Length: 428
Connection: close
Content-Type: text/html; charset=iso-8859-1

--7337282c-E--

--7337282c-H--
Stopwatch: 1668000670057655 23939 (- - -)
Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"

SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"

SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"

SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"

SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"

SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"

SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"

SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"

SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"

SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"

SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"

SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"

SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"

SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"

SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"

SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"

SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"

SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"

SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"

SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"

SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"

SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"

SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"

SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"

SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"

SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"

SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"

SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"

SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"

SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"

SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"

SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"

SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"

SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"

SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"

SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"

SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"

--7337282c-Z--

Thanks for any help anyone can offer.

Sent with [Proton Mail](https://proton.me/) secure email. |
From: Christian F. <chr...@ne...> - 2022-10-20 13:49:51
|
Ah, sweet. Had forgotten about this. Thanks azurit!

On Thu, Oct 20, 2022 at 03:27:22PM +0200, az...@po... wrote:
> Hi!
>
> > One idea I’m toying with is creating an interstitial page similar to
> > Cloudflare’s “Checking your browser..” page. For ASNs which are
> > problematic it would be a bit safer to force someone to perform a
> > hCaptcha or something check before they can get through to the intended
> > site and set a cookie. I think this might be possible but a little bit
> > difficult to create entirely using mod_security though, so I’m thinking
> > about writing a new (and relatively simple) Apache module. I’d love to
> > hear if someone has already done this!
>
> My ModSecurity reCAPTCHA library may help you with this, check it out (needs
> Lua support in ModSec):
> https://github.com/azurit/modsecurity-recaptcha
>
> azurit
>
> > Joel
> >
> > > On 19 Oct 2022, at 12:04 am, Christian Folini
> > > <chr...@ne...> wrote:
> > >
> > > Hi there,
> > >
> > > During the years, I have found the use of GeoIP (& ASN) information in
> > > #ModSecurity / @CoreRuleSet very useful. Yet very few people do
> > > this for GeoIP and practically nobody for ASN.
> > >
> > > It really helps to weed out false positives or defend in case of certain
> > > persistent attacks.
> > >
> > > Since good documentation on the subject is scarce, here is how to get this
> > > into your setup:
> > >
> > > https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/
> > > (Also covered in my 2nd webcast last week:
> > > https://www.youtube.com/watch?v=OBVwdqEFmX0)
> > >
> > > I have also covered this in my 2nd ModSec / CRS webcast last week (plus some
> > > additional interesting stuff):
> > > https://www.youtube.com/watch?v=OBVwdqEFmX0
> > >
> > > Best,
> > >
> > > Christian
> > >
> > >
> > > --
> > > Ultimately, motivation gets us started,
> > > but discipline and habit are what enable us to finish.
> > > -- Matthew Helmke |
From: <az...@po...> - 2022-10-20 13:45:20
Hi!

> One idea I’m toying with is creating an interstitial page similar to
> Cloudflare’s “Checking your browser..” page. For ASNs which are
> problematic it would be a bit safer to force someone to perform a
> hCaptcha or something check before they can get through to the
> intended site and set a cookie. I think this might be possible but a
> little bit difficult to create entirely using mod_security though,
> so I’m thinking about writing a new (and relatively simple) Apache
> module. I’d love to hear if someone has already done this!

My ModSecurity reCAPTCHA library may help you with this, check it out
(needs Lua support in ModSec):
https://github.com/azurit/modsecurity-recaptcha

azurit

> Joel
>
>> On 19 Oct 2022, at 12:04 am, Christian Folini
>> <chr...@ne...> wrote:
>>
>> [...]
From: Christian F. <chr...@ne...> - 2022-10-19 07:25:25
Hey Joel,

On Wed, Oct 19, 2022 at 11:50:45AM +1030, Joel Williams wrote:
> Thanks Christian! I enjoyed the article.

Thank you very much. One gets very little feedback for technical blog posts.
So this is very much appreciated.

> I agree that ASN is underrated - I get a lot of scans from well-known and
> generally reputable cloud providers which operate in multiple countries, and
> blocking these providers seems like a much safer way to avoid false
> positives than doing it by country. However there is still a risk that
> people are using personal VPSes to run proxies or have good reasons to use
> services like Tor. While this is probably not a very significant proportion
> of people I’m reluctant to block access to customer sites outright with no
> recourse for these users. On the other hand, blocking access by these ASNs
> to specific resources like the WordPress wp-login.php page would probably be
> OK.

I do not block by ASN and I do not recommend doing it. Yet I skip some of
them when doing false positive analysis. Meaning, it's OK to use DigitalOcean
as your personal VPN provider, but when you hit a false positive on my
website, chances are I won't react to it without a call.

Maybe I'll follow up with a blog post on mean anomaly scores per ASN on the
netnea website. It's staggering how 2-3 ASNs are really topping.

Mean incoming anomaly score across the entire log: 0.13
US ASN 53667: PONYNET: Mean anomaly score of 3!

What is also interesting - but bumps into the same TOR / VPN problem - is to
check User-Agents against ASNs. So you're pretending to be a Mozilla (=any
Browser), yet you live on a server ASN ...

> One idea I’m toying with is creating an interstitial page similar to
> Cloudflare’s “Checking your browser..” page. For ASNs which are problematic
> it would be a bit safer to force someone to perform a hCaptcha or something
> check before they can get through to the intended site and set a cookie. I
> think this might be possible but a little bit difficult to create entirely
> using mod_security though, so I’m thinking about writing a new (and
> relatively simple) Apache module. I’d love to hear if someone has already
> done this!

Ah, the sweet promises of anti-automation. :)

I'm sure this has been done, but I have not seen a public description of how
to pull it off with open source tools. Yet I do not think it would be very
complicated with ModSec. Pseudo-Code:

* ModSec Rule: if suspicious ASN and no cookie: redirect to Captcha
* Captcha Page: if successful captcha: set cookie

Suspicious ASNs in separate file (-> @pmFromFile). I guess that's all.

Now that I think about it, it sounds as if it would make for a lovely blog
post.

This presentation here has more ideas that could be harvested and implemented
in ModSecurity: https://www.youtube.com/watch?v=XKkyvO2rQ-E
(Don't let the title fool you, a lot of it is about anti-automation. And
it's a great talk btw)

All together this could make an interesting anti-automation CRS plugin.

Best!

Christian

> Joel
>
> > On 19 Oct 2022, at 12:04 am, Christian Folini
> > <chr...@ne...> wrote:
> >
> > [...]
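The two-rule pseudo-code above, written out as an added example in ModSecurity v2 rule language for Apache; it is not code from the thread, the netnea article or azurit's library. It assumes mod_maxminddb exporting the client's ASN into an environment variable called MM_ASN, a captcha handler at /captcha that sets a cookie called captcha_ok, a list file suspicious-asns.txt, and free rule ids 10001-10004; every one of these names and paths is a placeholder of our choosing.

```apache
# Added example: interstitial captcha for suspicious ASNs.
# Assumed names: MM_ASN, /captcha, captcha_ok, suspicious-asns.txt, ids 10001-10004.

# 1. Look up the ASN per request (mod_maxminddb; database path is a placeholder).
MaxMindDBEnable On
MaxMindDBFile ASN_DB /path/to/GeoLite2-ASN.mmdb
MaxMindDBEnv MM_ASN ASN_DB/autonomous_system_number

# 2. Build a delimited key such as "AS53667/" before matching.
#    @pmFromFile is a substring match, so a bare "5366" in the list would also
#    hit AS53667; the AS prefix and trailing slash make the match exact.
#    suspicious-asns.txt holds one entry per line in the same form ("AS53667/").
#    If ENV:MM_ASN is still empty in phase 1 on your build, move these rules
#    to phase:2.
SecRule ENV:MM_ASN "@rx ^\d+$" \
    "id:10001,phase:1,pass,nolog,t:none,\
    setvar:'tx.asn_key=AS%{ENV:MM_ASN}/'"

SecRule TX:asn_key "@pmFromFile suspicious-asns.txt" \
    "id:10002,phase:1,pass,nolog,t:none,setvar:tx.suspicious_asn=1"

# 3. Never redirect the captcha page itself, or the client loops forever.
SecRule REQUEST_URI "@beginsWith /captcha" \
    "id:10003,phase:1,pass,nolog,t:none,setvar:tx.suspicious_asn=0"

# 4. Suspicious ASN and no captcha_ok cookie: send the client to the captcha.
#    Only the cookie's presence is checked here, so the captcha handler must
#    issue an unguessable, expiring value; verifying a signed cookie inside
#    ModSecurity takes a Lua script (SecRuleScript), which is the Lua
#    dependency mentioned for azurit's library.
SecRule TX:suspicious_asn "@eq 1" \
    "id:10004,phase:1,log,t:none,chain,\
    msg:'Interstitial captcha for ASN %{ENV:MM_ASN}',\
    redirect:/captcha"
    SecRule &REQUEST_COOKIES:captcha_ok "@eq 0"
```

Rule 10004 logs every redirect with the ASN, so the audit log doubles as the per-ASN statistic discussed above before any blocking decision is taken.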
From: Joel W. <jo...@jo...> - 2022-10-19 01:38:02
Thanks Christian! I enjoyed the article.

I agree that ASN is underrated - I get a lot of scans from well-known and
generally reputable cloud providers which operate in multiple countries, and
blocking these providers seems like a much safer way to avoid false positives
than doing it by country. However there is still a risk that people are using
personal VPSes to run proxies or have good reasons to use services like Tor.
While this is probably not a very significant proportion of people I’m
reluctant to block access to customer sites outright with no recourse for
these users. On the other hand, blocking access by these ASNs to specific
resources like the WordPress wp-login.php page would probably be OK.

One idea I’m toying with is creating an interstitial page similar to
Cloudflare’s “Checking your browser..” page. For ASNs which are problematic
it would be a bit safer to force someone to perform a hCaptcha or something
check before they can get through to the intended site and set a cookie. I
think this might be possible but a little bit difficult to create entirely
using mod_security though, so I’m thinking about writing a new (and
relatively simple) Apache module. I’d love to hear if someone has already
done this!

Joel

> On 19 Oct 2022, at 12:04 am, Christian Folini <chr...@ne...> wrote:
>
> [...]
From: Christian F. <chr...@ne...> - 2022-10-18 13:34:38
Hi there,

During the years, I have found the use of GeoIP (& ASN) information in
#ModSecurity / @CoreRuleSet very useful. Yet very few people do this for
GeoIP and practically nobody for ASN.

It really helps to weed out false positives or defend in case of certain
persistent attacks.

Since good documentation on the subject is scarce, here is how to get this
into your setup:

https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/
(Also covered in my 2nd webcast last week:
https://www.youtube.com/watch?v=OBVwdqEFmX0)

I have also covered this in my 2nd ModSec / CRS webcast last week (plus some
additional interesting stuff):
https://www.youtube.com/watch?v=OBVwdqEFmX0

Best,

Christian

--
Ultimately, motivation gets us started,
but discipline and habit are what enable us to finish.
-- Matthew Helmke