[mod-security-users] ModSec and Nginx only see log entry for rule id 949110
From: Dan O. <dan...@po...> - 2019-01-25 16:43:17
Hi all,

We have modsecurity 3.0.2 being used by nginx 1.14.0 via the modsecurity/nginx connector. We are using the core rule set 3.0.2 configured for anomaly scoring.

The following is being blocked by modsecurity:

2019/01/24 10:17:52 [warn] 22326#0: *120 [client 172.16.17.54] ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.16.17.54"] [uri "/api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd"] [unique_id "154834307287.337943"] [ref ""], client: 172.16.17.54, server: stress-secure-pointillist.altidev.net, request: "DELETE /api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd HTTP/1.1", host: "stress-secure-pointillist.altidev.net", referrer: " https://test.pointillist.com/studio/story/d5fac22e-e0eb-49ea-8297-a0ec11ce1149 "

But I do not see any other log message in either the nginx error.log or the modsecurity audit log. As rule 949110 is the rule which determines whether or not the anomaly score is high enough to be blocked, I would expect to see more context in one or both of those files. That is, I would expect to see one or more log messages for the rules that triggered the high anomaly score.

I have set DELETE to an allowed header in the crs-setup.conf file:

SecAction \
  "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"

I have also enabled audit logging in the modsecurity.conf file:

SecAuditEngine On
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHKZ
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log

Thanks,
Dan

--
DevOps Engineer
Pointillist, Inc
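An added example, not code from the post or from the ModSecurity project: a small Python parser for nginx error.log entries in the format quoted above. It groups ModSecurity matches by unique_id and flags transactions where 949110 reports a total score but no contributing rule was logged, which is the symptom described in the post. The first sample line is the one from the post; the other two are constructed (hypothetical unique_id, client, request and rule line number) to show what a transaction with its contributing rule logged looks like.

```python
import re
from collections import defaultdict

# Bracketed ModSecurity fields such as [id "949110"] [msg "..."]; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[([A-Za-z_]+) "((?:[^"\\]|\\.)*)"\]')
# Context nginx appends after the ModSecurity message: client: x, server: y, request: "...", host: "..."
CTX_RE = re.compile(r'(client|server|request|host|referrer): "?([^"]*?)"?(?:,|$)')

# Line 1 is the entry quoted in the post. Lines 2-3 are constructed (hypothetical unique_id, client,
# request and rule line number) to show a transaction whose contributing rule (CRS 942100) was logged.
SAMPLE_LOG = r"""
2019/01/24 10:17:52 [warn] 22326#0: *120 [client 172.16.17.54] ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "172.16.17.54"] [uri "/api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd"] [unique_id "154834307287.337943"] [ref ""], client: 172.16.17.54, server: stress-secure-pointillist.altidev.net, request: "DELETE /api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd HTTP/1.1", host: "stress-secure-pointillist.altidev.net", referrer: " https://test.pointillist.com/studio/story/d5fac22e-e0eb-49ea-8297-a0ec11ce1149 "
2019/01/24 10:20:00 [warn] 22326#0: *121 [client 192.0.2.10] ModSecurity: Warning. detected SQLi using libinjection [file "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.2/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: constructed sample found within ARGS:id"] [severity "2"] [hostname "192.0.2.10"] [uri "/api/items"] [unique_id "154834320000.1"] [ref ""], client: 192.0.2.10, server: example.test, request: "GET /api/items?id=1 HTTP/1.1", host: "example.test"
2019/01/24 10:20:00 [warn] 22326#0: *121 [client 192.0.2.10] ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [hostname "192.0.2.10"] [uri "/api/items"] [unique_id "154834320000.1"] [ref ""], client: 192.0.2.10, server: example.test, request: "GET /api/items?id=1 HTTP/1.1", host: "example.test"
"""

def parse_line(line):
    """Return the bracketed fields plus nginx context of one error.log line, or None if not ModSecurity."""
    if "ModSecurity:" not in line:
        return None
    entry = dict(FIELD_RE.findall(line))
    entry.update((k, v.strip()) for k, v in CTX_RE.findall(line))
    return entry

def summarize(lines):
    """Group entries by unique_id; flag transactions that were scored without any logged contributor."""
    per_tx = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and "unique_id" in entry:
            per_tx[entry["unique_id"]].append(entry)
    report = {}
    for uid, entries in per_tx.items():
        # Rules in the 949/980 evaluation files only sum the score; every other rule contributed to it.
        contributing = [e.get("id", "?") for e in entries
                        if not re.search(r"BLOCKING-EVALUATION|CORRELATION", e.get("file", ""))]
        scores = [int(m.group(1)) for e in entries
                  for m in [re.search(r"Total Score: (\d+)", e.get("msg", ""))] if m]
        report[uid] = {
            "request": entries[0].get("request", ""),
            "total_score": max(scores) if scores else None,
            "contributing_rules": contributing,
            # Score reported but no contributor logged: the exact symptom described in the post.
            "missing_contributors": bool(scores) and not contributing,
        }
    return report
```

Run `summarize(SAMPLE_LOG.strip().splitlines())` (or feed it real error.log lines) and look for entries with `missing_contributors` set; those are the transactions where only the blocking-evaluation rule reached the log.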