[mod-security-users] Modsec v3 severity not logged properly
From: Christian V. <cv...@it...> - 2018-08-17 20:20:03
Hello,
I'm having some issues with the ModSecurity 3 nginx connector. In the rules, the severity is properly set, like "CRITICAL", "WARNING", "NOTICE", but when it is logged in the audit logs, the severity comes with the id and not with the "name".
I'm expecting: "severity": "CRITICAL"
I'm getting: "severity": "2"
Does anyone know how to solve this? Maybe I'm missing an option in the config file...
{"transaction":{"client_ip":"192.168.104.1","time_stamp":"Tue Aug 14 16:17:41 2018","server_id":"43207054df5b4474bc005b6ead41801dd55b95f8","client_port":56856,"host_ip":"192.168.104.1","host_port":80,"id":"153427786186.625665","request":{"method":"GET","http_version":1.1,"uri":"/favicon.ico","body":"","headers":{"Host":"www.test.com","Connection":"keep-alive","Pragma":"no-cache","Cache-Control":"no-cache","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36","Cookie":"_ga=GA1.2.822423841.1533594347; __utmz=129959823.1533594349.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); _gid=GA1.2.1519461480.1534272702; __utma=129959823.822423841.1533594347.1533854693.1534272702.5; __utmc=129959823","Accept":"image/webp,image/apng,image/*,*/*;q=0.8","Referer":"http://www.test.com/?s=sdsd%3Cscript%3Ealert();%3C/S","Accept-Encoding":"gzip, deflate","Accept-Language":"en-US,en;q=0.9,es;q=0.8"}},"response":{"http_code":403},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v1.0.0","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"XSS Filter - Category 1: Script Tag Vector","details":{"match":"Matched \"Operator `Rx' with parameter `(?i)([<<]script[^>>]*[>>][\\s\\S]*?)' against variable `REQUEST_HEADERS:Referer' (Value: `http://www.test.com/?s=sdsd%3Cscript%3Ealert();%3C/S' )","reference":"o30,8o30,8v303,55t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls","ruleId":"941110","file":"/opt/waf/nginx/etc/modsec_rules/www.test.com/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf","lineNumber":"63","data":"Matched Data: <script> found within REQUEST_HEADERS:Referer: 
http://www.test.com/?s=sdsd%3Cscript%3Ealert();%3C/S","severity":"2","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-xss","OWASP_CRS/WEB_ATTACK/XSS","WASCTC/WASC-8","WASCTC/WASC-22","OWASP_TOP_10/A3","OWASP_AppSensor/IE1","CAPEC-242"],"maturity":"4","accuracy":"9"}}]}}
Cheers.
Chris.
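Until the connector writes the name itself, the practical defender's fix is to normalise the audit log after the fact. The script below is an added example, not code from the post or from the ModSecurity project: it parses one JSON audit-log line of the shape shown above and rewrites each message's numeric severity as its name. The number-to-name table is ModSecurity's documented severity scale (0 EMERGENCY through 7 DEBUG, the same numbering as syslog), which is why the "2" in the log corresponds to the CRITICAL the rule declares. The function names and the trimmed sample record are my own constructions.

```python
import json

# ModSecurity severity scale (same numbering as syslog). The audit log in the
# post carries the number, e.g. "severity": "2", which is CRITICAL.
SEVERITY_NAMES = {
    0: "EMERGENCY",
    1: "ALERT",
    2: "CRITICAL",
    3: "ERROR",
    4: "WARNING",
    5: "NOTICE",
    6: "INFO",
    7: "DEBUG",
}


def severity_name(value):
    """Map a numeric severity ("2" or 2) to its name; pass names through unchanged.

    Unknown values come back as "UNKNOWN(<value>)" instead of raising, so one odd
    record does not stop a log pipeline.
    """
    text = str(value).strip()
    if text.isdigit():
        return SEVERITY_NAMES.get(int(text), f"UNKNOWN({text})")
    upper = text.upper()
    if upper in SEVERITY_NAMES.values():
        return upper
    return f"UNKNOWN({text})"


def normalize_audit_record(raw_line):
    """Parse one JSON audit-log line and rewrite each message's severity as a name.

    Returns the "transaction" object with details["severity"] replaced by the name
    and the original number kept under details["severity_id"].
    """
    record = json.loads(raw_line)
    transaction = record["transaction"]
    for message in transaction.get("messages", []):
        details = message.setdefault("details", {})
        if "severity" in details:
            details["severity_id"] = details["severity"]
            details["severity"] = severity_name(details["severity"])
    return transaction


def rule_summary(raw_line):
    """One short line per matched rule: rule id, severity name, rule message."""
    transaction = normalize_audit_record(raw_line)
    return [
        f'{m["details"].get("ruleId", "?")} {m["details"]["severity"]} {m["message"]}'
        for m in transaction.get("messages", [])
    ]


# Constructed sample: a trimmed copy of the audit record quoted in the post,
# keeping only the fields this script reads.
SAMPLE_LINE = json.dumps({
    "transaction": {
        "client_ip": "192.168.104.1",
        "id": "153427786186.625665",
        "request": {"method": "GET", "uri": "/favicon.ico"},
        "response": {"http_code": 403},
        "messages": [
            {
                "message": "XSS Filter - Category 1: Script Tag Vector",
                "details": {"ruleId": "941110", "severity": "2",
                            "ver": "OWASP_CRS/3.0.0"},
            }
        ],
    }
})


if __name__ == "__main__":
    # Each audit-log line is one JSON document, so a real run would loop over
    # the file's lines and call rule_summary() on each.
    for line in rule_summary(SAMPLE_LINE):
        print(line)
```

Keeping the original number under severity_id means nothing is lost if a downstream dashboard already filters on the numeric value, while the name field becomes what the rule author intended.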