|
From: Gregory L. <gr...@cl...> - 2019-01-25 20:12:54
|
Hi Dan, Just a guess, but what happens if you change the nginx *error_log* severity level to *info* and restart (rather than reload) nginx? Granted that I don't know what you may already have the nginx log level set to and whether the fact that you already see the "Anomaly Score Exceeded" message disrupts my theory, but, again, just a guess. Gregory On Fri, Jan 25, 2019 at 8:45 AM Dan Oppenheimer < dan...@po...> wrote: > Hi all, > > We have modsecurity 3.0.2 being used by nginx 1.14.0 via the > modsecurity/nginx connector. We are using the core rule set 3.0.2 > configured for anomaly scoring. The following is being blocked by > modsecurity: > > 2019/01/24 10:17:52 [warn] 22326#0: *120 [client 172.16.17.54] > ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against > variable `TX:ANOMALY_SCORE' (Value: `10' ) [file > "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] > [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded > (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] > [accuracy "0"] [hostname "172.16.17.54"] [uri > "/api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd"] > [unique_id "154834307287.337943"] [ref ""], client: 172.16.17.54, server: > stress-secure-pointillist.altidev.net, request: "DELETE > /api/auto-engagement/list/b107e2c8-b4e4-470a-b10d-025b11b376cd HTTP/1.1", > host: "stress-secure-pointillist.altidev.net", referrer: " > https://test.pointillist.com/studio/story/d5fac22e-e0eb-49ea-8297-a0ec11ce1149 > " > > But I do not see any other log message in either the nginx error.log or > the modsecurity audit log. As rule 949110 is the rule which determines > whether or not the anomaly score is high enough to be blocked, I would > expect to see more context in one or both of those files. That is, I would > expect to see one or more log message for the rules that triggered the high > anomaly score. I have set DELETE to an allowed header in the > crs-setup.conf file: > > SecAction \ > "id:900200,\ > phase:1,\ > nolog,\ > pass,\ > t:none,\ > setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'" > > I have also enabled audit logging in the modsecurity.conf file: > > SecAuditEngine On > > SecAuditLogRelevantStatus "^(?:5|4(?!04))" > > # Log everything we know about a transaction. > SecAuditLogParts ABIJDEFHKZ > > SecAuditLogType Serial > SecAuditLog /var/log/nginx/modsec_audit.log > > Thanks, > > Dan > -- > DevOps Engineer > Pointillist, Inc > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
