Re: [mod-security-users] Why was this request put in the audit log?
From: O L. <ne...@pr...> - 2022-11-12 00:42:12
modsecurity.conf: https://pastebin.com/ZggGuyKG
crs-setup.conf: https://pastebin.com/s11sF0pj

It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason.

Testing with curl:

HTTP/1.0 HTTPS with no host header = LOGGED
HTTP/1.0 HTTPS with host header = not logged
HTTP/1.0 HTTP with no host header = not logged
HTTP/1.0 HTTP with host header = not logged
HTTP/1.1 HTTPS with no host header = not logged
HTTP/1.1 HTTPS with host header = not logged
HTTP/1.1 HTTP with no host header = not logged
HTTP/1.1 HTTP with host header = not logged

But why?

Sent with Proton Mail secure email.

------- Original Message -------
On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:

> Can you upload your modsecurity.conf and crs-setup.conf somewhere?
>
> Citát O Lányi via mod-security-users mod...@li...:
>
> > It's already set like that.
> >
> > ------- Original Message -------
> > On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote:
> >
> > > Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
> > >
> > > Citát O Lányi via mod-security-users mod...@li...:
> > >
> > > > The response was a 308. 99.999% of 308's are not put in the audit
> > > > log. Why was this specific one put in the audit log?
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > ------- Original Message -------
> > > > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
> > > >
> > > > > This depends on the HTTP status code - logged are all requests with
> > > > > status code that matches regexp set in SecAuditLogRelevantStatus
> > > > > directive in modsecurity.conf (i.e. also requests that were NOT
> > > > > blocked may be logged). For more info, see:
> > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
> > > > >
> > > > > azurit
> > > > >
> > > > > Citát O Lányi via mod-security-users mod...@li...:
> > > > >
> > > > > > I understand the logging parts (I turned on additional parts to try
> > > > > > to understand why harmless requests are being placed in the audit
> > > > > > log), but why was this particular HTTP request put into the audit
> > > > > > log at all? What was "wrong" with it?
> > > > > >
> > > > > > Sent with Proton Mail secure email.
> > > > > >
> > > > > > ------- Original Message -------
> > > > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > what is logged depends on SecAuditLogParts directive in
> > > > > > > modsecurity.conf. For more info, see:
> > > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > > > > > >
> > > > > > > azurit
> > > > > > >
> > > > > > > Citát O Lányi via mod-security-users mod...@li...:
> > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I'm trying to learn to appreciate modsecurity but everything about
> > > > > > > > it is frustrating and confusing to me. I thought I'd try reaching
> > > > > > > > out in hopes someone could help -- this is my last hope before I
> > > > > > > > give up and turn it off.
> > > > > > > >
> > > > > > > > I am using DetectionOnly mode.
> > > > > > > >
> > > > > > > > Why was this put in the audit log? Why are there so many rules
> > > > > > > > listed? Why can't it just tell me simply what rule triggered the
> > > > > > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > > > > > > > bug?
> > > > > > > >
> > > > > > > > --7337282c-A--
> > > > > > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
> > > > > > > > --7337282c-B--
> > > > > > > > GET / HTTP/1.0
> > > > > > > >
> > > > > > > > --7337282c-F--
> > > > > > > > HTTP/1.1 308 Permanent Redirect
> > > > > > > > Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> > > > > > > > Referrer-Policy: unsafe-url
> > > > > > > > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> > > > > > > > X-Content-Type-Options: nosniff
> > > > > > > > X-Frame-Options: SAMEORIGIN
> > > > > > > > X-XSS-Protection: 1; mode=block
> > > > > > > > Location: https://othersite/
> > > > > > > > Content-Length: 428
> > > > > > > > Connection: close
> > > > > > > > Content-Type: text/html; charset=iso-8859-1
> > > > > > > >
> > > > > > > > --7337282c-E--
> > > > > > > >
> > > > > > > > --7337282c-H--
> > > > > > > > Stopwatch: 1668000670057655 23939 (- - -)
> > > > > > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
> > > > > > > > Response-Body-Transformed: Dechunked
> > > > > > > > Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
> > > > > > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
> > > > > > > > Engine-Mode: "DETECTION_ONLY"
> > > > > > > >
> > > > > > > > --7337282c-K--
> > > > > > > > SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
> > > > > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
> > > > > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
> > > > > > > > SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
> > > > > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
> > > > > > > > SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
> > > > > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
> > > > > > > > SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
> > > > > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
> > > > > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
> > > > > > > > SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
> > > > > > > > SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
> > > > > > > > SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
> > > > > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
> > > > > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
> > > > > > > > SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
> > > > > > > > SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
> > > > > > > > SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
> > > > > > > > SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
> > > > > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
> > > > > > > > SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
> > > > > > > > SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
> > > > > > > > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
> > > > > > > > SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
> > > > > > > > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
> > > > > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
> > > > > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
> > > > > > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
> > > > > > > > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
> > > > > > > > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
> > > > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > > > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > > > > > > > SecRule "&TX:dos_block_timeout" "@eq 0"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> > > > > > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
> > > > > > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> > > > > > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
> > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> > > > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > > > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > > > > > > > SecRule "&TX:dos_block_timeout" "@eq 0"
> > > > > > > > SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
> > > > > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> > > > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
> > > > > > > > SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
> > > > > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> > > > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
> > > > > > > >
> > > > > > > > --7337282c-Z--
> > > > > > > >
> > > > > > > > Thanks for any help anyone can offer.
> > > > > > > >
> > > > > > > > Sent with Proton Mail secure email.
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > mod-security-users mailing list
> > > > > > > mod...@li...
> > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > > > http://www.modsecurity.org/projects/commercial/support/
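The thread's two answers point at the two knobs that decide whether a transaction lands in the audit log when SecAuditEngine is RelevantOnly: the response status tested against SecAuditLogRelevantStatus, and the parts selected by SecAuditLogParts (part K being the list of matched rules that the original poster found so noisy). Below is an added triage script, written for this editor's note and not code from the thread, ModSecurity or the CRS project, that parses one entry of the ModSecurity 2.x serial audit-log format into its lettered parts and answers the questions the poster asked: which HTTP version and whether a Host header was present (part B), the response status and whether it matches the relevant-status regex (part F), the engine mode (part H), and which of the rules listed in part K carry a `msg:`, an error-log `log` action, or an effective `auditlog` action. The sample entry is a trimmed copy of the one quoted in the thread, constructed here for offline use; the regex default `^(?:5|4(?!04))` is the value shipped in modsecurity.conf-recommended and is an assumption, since the poster's real modsecurity.conf is only in their pastebin; treating `#`-prefixed lines in part K as chain members that did not match is likewise an assumption based on how they appear in the quoted log.

```python
"""Triage one ModSecurity 2.x serial-format audit log entry (added example)."""
import re

# Assumption: default from modsecurity.conf-recommended; the poster's own
# SecAuditLogRelevantStatus value is not reproduced in the thread.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"

PART_BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # double-quoted rule arguments

# Constructed sample: a trimmed copy of the entry quoted in the thread.
SAMPLE_ENTRY = r"""--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/
Content-Length: 428
Connection: close
Content-Type: text/html; charset=iso-8859-1

--7337282c-E--

--7337282c-H--
Stopwatch: 1668000670057655 23939 (- - -)
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE})',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
--7337282c-Z--
"""


def parse_audit_entry(text):
    """Split one serial entry into (entry_id, {part_letter: part_text})."""
    entry_id, current, buf, parts = None, None, [], {}
    for line in text.splitlines():
        m = PART_BOUNDARY.match(line.strip())
        if m:
            if current is not None:
                parts[current] = "\n".join(buf).strip("\n")
            entry_id, current, buf = m.group(1), m.group(2), []
        elif current is not None:
            buf.append(line)
    if current is not None:
        parts[current] = "\n".join(buf).strip("\n")
    return entry_id, parts


def split_actions(actions):
    """Split an action string on commas that are outside single quotes."""
    out, buf, quoted = [], [], False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        out.append("".join(buf).strip())
    return out


def matched_rules(parts):
    """Rules from part K with their id, msg and logging flags.

    Lines prefixed with '#' are counted as chain members that did not match
    (assumption based on their appearance in the quoted log).
    """
    rules, unmatched = [], 0
    for line in parts.get("K", "").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            unmatched += 1
            continue
        args = QUOTED.findall(line)
        if not args:
            continue
        actions = split_actions(args[-1])   # last quoted argument is the action list
        rule_id = next((int(a[3:]) for a in actions if a.startswith("id:")), None)
        if rule_id is None:                  # chain member without its own id
            continue
        msg = next((a[5:-1] for a in actions if a.startswith("msg:'")), None)
        rules.append({
            "id": rule_id,
            "msg": msg,
            "log": "log" in actions,                                        # error log
            "auditlog": "auditlog" in actions and "noauditlog" not in actions,
        })
    return rules, unmatched


def explain(entry_text, relevant_status_re=DEFAULT_RELEVANT_STATUS):
    """Summarise why an entry may have been written (status vs. listed rules)."""
    entry_id, parts = parse_audit_entry(entry_text)
    b_lines = parts.get("B", "").splitlines()
    request_line = b_lines[0] if b_lines else ""
    header_names = {l.split(":", 1)[0].strip().lower() for l in b_lines[1:] if ":" in l}
    fields = request_line.split()
    f_lines = parts.get("F", "").splitlines()
    m_status = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", f_lines[0]) if f_lines else None
    status = int(m_status.group(1)) if m_status else None
    m_mode = re.search(r'Engine-Mode: "([^"]+)"', parts.get("H", ""))
    rules, unmatched = matched_rules(parts)
    return {
        "id": entry_id,
        "parts": "".join(sorted(parts)),
        "request_line": request_line,
        "http_version": fields[2] if len(fields) >= 3 else "",
        "has_host_header": "host" in header_names,
        "status": status,
        "status_matches_relevant_regex": status is not None
            and re.search(relevant_status_re, str(status)) is not None,
        "engine_mode": m_mode.group(1) if m_mode else None,
        "rules_listed": len(rules),
        "unmatched_chain_lines": unmatched,
        "rules_with_msg": [(r["id"], r["msg"]) for r in rules if r["msg"]],
        "rules_with_error_log": [r["id"] for r in rules if r["log"]],
        "rules_with_auditlog": [r["id"] for r in rules if r["auditlog"]],
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

Run against the sample, the summary shows what the thread established by hand: a 308 does not match the default relevant-status regex, the request is HTTP/1.0 with no Host header, and of the rules listed in part K only the CRS housekeeping and correlation rules matched, most of them `nolog,pass`. Pass the regex from your own modsecurity.conf as the second argument to `explain` to test the status against the value actually in force; for a whole serial log file, split it on the `-Z--` boundary and feed each entry through `explain` to find the ones whose status alone does not account for the entry.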