mod-security-users Mailing List for ModSecurity (Page 5)
From: <az...@po...> - 2022-11-12 06:46:00
You said you are only learning ModSecurity, so you should NOT modify advanced settings like SecAuditLogRelevantStatus and SecAuditLogParts. I suggest you use the default values at least for these two, because what you are experiencing is probably some kind of misconfiguration.

SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ

Also, disable SecStatusEngine, as it no longer works (the ModSecurity authors disabled the server-side part of this service).

Quoting O Lányi via mod-security-users <mod...@li...>:

> modsecurity.conf: https://pastebin.com/ZggGuyKG
> crs-setup.conf: https://pastebin.com/s11sF0pj
>
> It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason.
>
> Testing with curl:
>
> HTTP/1.0 HTTPS with no host header = LOGGED
> HTTP/1.0 HTTPS with host header = not logged
> HTTP/1.0 HTTP with no host header = not logged
> HTTP/1.0 HTTP with host header = not logged
> HTTP/1.1 HTTPS with no host header = not logged
> HTTP/1.1 HTTPS with host header = not logged
> HTTP/1.1 HTTP with no host header = not logged
> HTTP/1.1 HTTP with host header = not logged
>
> But why?
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:
>
>> Can you upload your modsecurity.conf and crs-setup.conf somewhere?
>>
>> Quoting O Lányi via mod-security-users mod...@li...:
>>
>>> It's already set like that.
>>>
>>> ------- Original Message -------
>>> On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote:
>>>
>>>> Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
>>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
>>>>
>>>> Quoting O Lányi via mod-security-users mod...@li...:
>>>>
>>>>> The response was a 308. 99.999% of 308s are not put in the audit log. Why was this specific one put in the audit log?
>>>>>
>>>>> Sent with Proton Mail secure email.
>>>>>
>>>>> ------- Original Message -------
>>>>> On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
>>>>>
>>>>>> This depends on the HTTP status code: all requests whose status code matches the regexp set in the SecAuditLogRelevantStatus directive in modsecurity.conf are logged (i.e. requests that were NOT blocked may also be logged). For more info, see:
>>>>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
>>>>>>
>>>>>> azurit
>>>>>>
>>>>>> Quoting O Lányi via mod-security-users mod...@li...:
>>>>>>
>>>>>>> I understand the logging parts (I turned on additional parts to try to understand why harmless requests are being placed in the audit log), but why was this particular HTTP request put into the audit log at all? What was "wrong" with it?
>>>>>>>
>>>>>>> Sent with Proton Mail secure email.
>>>>>>>
>>>>>>> ------- Original Message -------
>>>>>>> On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> what is logged depends on the SecAuditLogParts directive in modsecurity.conf. For more info, see:
>>>>>>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>>>>>>>>
>>>>>>>> azurit
>>>>>>>>
>>>>>>>> Quoting O Lányi via mod-security-users mod...@li...:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I'm trying to learn to appreciate modsecurity but everything about it is frustrating and confusing to me. I thought I'd try reaching out in hopes someone could help -- this is my last hope before I give up and turn it off.
>>>>>>>>>
>>>>>>>>> I am using DetectionOnly mode.
>>>>>>>>>
>>>>>>>>> Why was this put in the audit log? Why are there so many rules listed? Why can't it just tell me simply what rule triggered the inclusion in the log, rather than 75 lines of gibberish? Is this a bug?
>>>>>>>>>
>>>>>>>>> --7337282c-A--
>>>>>>>>> [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
>>>>>>>>> --7337282c-B--
>>>>>>>>> GET / HTTP/1.0
>>>>>>>>>
>>>>>>>>> --7337282c-F--
>>>>>>>>> HTTP/1.1 308 Permanent Redirect
>>>>>>>>> Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
>>>>>>>>> Referrer-Policy: unsafe-url
>>>>>>>>> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
>>>>>>>>> X-Content-Type-Options: nosniff
>>>>>>>>> X-Frame-Options: SAMEORIGIN
>>>>>>>>> X-XSS-Protection: 1; mode=block
>>>>>>>>> Location: https://othersite/
>>>>>>>>> Content-Length: 428
>>>>>>>>> Connection: close
>>>>>>>>> Content-Type: text/html; charset=iso-8859-1
>>>>>>>>>
>>>>>>>>> --7337282c-E--
>>>>>>>>>
>>>>>>>>> --7337282c-H--
>>>>>>>>> Stopwatch: 1668000670057655 23939 (- - -)
>>>>>>>>> Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
>>>>>>>>> Response-Body-Transformed: Dechunked
>>>>>>>>> Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
>>>>>>>>> Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
>>>>>>>>> Engine-Mode: "DETECTION_ONLY"
>>>>>>>>>
>>>>>>>>> --7337282c-K--
>>>>>>>>> SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
>>>>>>>>> SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
>>>>>>>>> SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
>>>>>>>>> SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
>>>>>>>>> SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
>>>>>>>>> SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
>>>>>>>>> SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
>>>>>>>>> SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
>>>>>>>>> SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
>>>>>>>>> SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
>>>>>>>>> SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
>>>>>>>>> SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
>>>>>>>>> SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
>>>>>>>>> SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
>>>>>>>>> SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
>>>>>>>>> SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
>>>>>>>>> SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
>>>>>>>>> SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
>>>>>>>>> SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
>>>>>>>>> SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
>>>>>>>>> SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
>>>>>>>>> SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
>>>>>>>>> SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
>>>>>>>>> SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
>>>>>>>>> SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
>>>>>>>>> SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
>>>>>>>>> SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
>>>>>>>>> SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
>>>>>>>>> SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
>>>>>>>>> SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
>>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
>>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
>>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0"
>>>>>>>>>
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>>>>>>>>> SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
>>>>>>>>> #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>>>>>>>>> SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
>>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
>>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
>>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0"
>>>>>>>>>
>>>>>>>>> SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
>>>>>>>>>
>>>>>>>>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
>>>>>>>>> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>>>>>>>>>
>>>>>>>>> SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
>>>>>>>>> SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
>>>>>>>>> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>>>>>>>>>
>>>>>>>>> --7337282c-Z--
>>>>>>>>>
>>>>>>>>> Thanks for any help anyone can offer.
>>>>>>>>>
>>>>>>>>> Sent with Proton Mail secure email.
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> mod-security-users mailing list
>>>>>>>> mod...@li...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>>>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>>>>>> http://www.modsecurity.org/projects/commercial/support/
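As an added illustration (not code from the thread, from ModSecurity or from the CRS project): a small Python parser for the serial audit log format quoted above. It splits an entry into its lettered parts, pulls the response status from part F and the Engine-Mode from part H, tests the status against the SecAuditLogRelevantStatus regex recommended in the reply (the ModSecurity 2.x default), lists the rule ids written to part K, and sanity-checks a SecAuditLogParts value. The sample entry is constructed from the quoted one with placeholder addresses and a shortened K part; the accepted part letters and the mandatory A and Z parts follow the ModSecurity 2.x reference manual.

```python
import re
from typing import Dict, List, Optional

# Values recommended in the reply above (the ModSecurity 2.x defaults).
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"
DEFAULT_AUDIT_PARTS = "ABIJDEFHZ"
# Part letters ModSecurity 2.x accepts in SecAuditLogParts.
KNOWN_PARTS = set("ABCDEFGHIJKZ")

# Constructed sample: a shortened copy of the entry quoted in the thread,
# with RFC 5737 placeholder addresses. Not a real capture.
SAMPLE_ENTRY = """\
--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc 192.0.2.10 56866 198.51.100.5 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/
Content-Length: 428
Connection: close

--7337282c-E--

--7337282c-H--
Stopwatch: 1668000670057655 23939 (- - -)
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,skipAfter:END-SAMPLING"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"

--7337282c-Z--
"""

# A boundary line looks like '--<txid>-<part letter>--'.
BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--[ \t]*\r?$", re.MULTILINE)


def parse_audit_entry(text: str) -> Dict[str, str]:
    """Split one serial-format entry into {part letter: part body}.

    Each part runs from its boundary line to the next boundary; Z is the
    closing boundary and carries no data.
    """
    marks = list(BOUNDARY_RE.finditer(text))
    parts: Dict[str, str] = {}
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        parts[mark.group(2)] = text[mark.end():end].strip("\r\n")
    return parts


def response_status(parts: Dict[str, str]) -> Optional[int]:
    """HTTP status code from the status line that opens part F."""
    lines = parts.get("F", "").splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})\b", lines[0]) if lines else None
    return int(m.group(1)) if m else None


def engine_mode(parts: Dict[str, str]) -> Optional[str]:
    """Engine-Mode value recorded in part H (e.g. DETECTION_ONLY)."""
    m = re.search(r'^Engine-Mode: "([^"]+)"', parts.get("H", ""), re.MULTILINE)
    return m.group(1) if m else None


def status_is_relevant(status: int, pattern: str = DEFAULT_RELEVANT_STATUS) -> bool:
    """Whether the status alone satisfies SecAuditLogRelevantStatus, the
    status-based test SecAuditEngine RelevantOnly applies."""
    return re.search(pattern, str(status)) is not None


def matched_rule_ids(parts: Dict[str, str]) -> List[int]:
    """Rule ids listed in part K, one matched rule per line; lines prefixed
    with '#' are chain members written for context and are skipped."""
    ids = []
    for line in parts.get("K", "").splitlines():
        m = re.search(r"\bid:(\d+)", line)
        if m and not line.startswith("#"):
            ids.append(int(m.group(1)))
    return ids


def check_audit_parts(spec: str) -> List[str]:
    """Problems with a SecAuditLogParts value; an empty list means usable."""
    problems = []
    unknown = sorted(set(spec) - KNOWN_PARTS)
    if unknown:
        problems.append("unknown part letters: " + "".join(unknown))
    for required in "AZ":
        if required not in spec:
            problems.append(f"part {required} is mandatory")
    return problems


def summarize(text: str, pattern: str = DEFAULT_RELEVANT_STATUS) -> dict:
    """Facts a reader wants first: which parts are present, the status, the
    engine mode, whether the status by itself made the entry relevant, and
    which rule ids part K lists."""
    parts = parse_audit_entry(text)
    status = response_status(parts)
    return {
        "parts": "".join(sorted(parts)),
        "status": status,
        "engine_mode": engine_mode(parts),
        "relevant_by_status": status is not None and status_is_relevant(status, pattern),
        "matched_rule_ids": matched_rule_ids(parts),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
    print("parts check:", check_audit_parts(DEFAULT_AUDIT_PARTS) or "ok")
```

On the constructed entry the summary reports status 308 with `relevant_by_status` false under the default regex, which is the point the reply is making: with SecAuditEngine RelevantOnly a transaction reaches the audit log either because its status matches SecAuditLogRelevantStatus or because a rule match marked it relevant, so a customised regex or parts list is the first thing to rule out before reading part K rule by rule.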
From: O L. <ne...@pr...> - 2022-11-12 00:42:12
modsecurity.conf: https://pastebin.com/ZggGuyKG
crs-setup.conf: https://pastebin.com/s11sF0pj

It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason.

Testing with curl:

HTTP/1.0 HTTPS with no host header = LOGGED
HTTP/1.0 HTTPS with host header = not logged
HTTP/1.0 HTTP with no host header = not logged
HTTP/1.0 HTTP with host header = not logged
HTTP/1.1 HTTPS with no host header = not logged
HTTP/1.1 HTTPS with host header = not logged
HTTP/1.1 HTTP with no host header = not logged
HTTP/1.1 HTTP with host header = not logged

But why?

Sent with Proton Mail secure email.

------- Original Message -------
On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:

> Can you upload your modsecurity.conf and crs-setup.conf somewhere?
>
> Quoting O Lányi via mod-security-users mod...@li...:
>
>> It's already set like that.
>>
>> ------- Original Message -------
>> On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote:
>>
>>> Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
>>>
>>> Quoting O Lányi via mod-security-users mod...@li...:
>>>
>>>> The response was a 308. 99.999% of 308s are not put in the audit log. Why was this specific one put in the audit log?
>>>>
>>>> Sent with Proton Mail secure email.
>>>>
>>>> ------- Original Message -------
>>>> On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
>>>>
>>>>> This depends on the HTTP status code: all requests whose status code matches the regexp set in the SecAuditLogRelevantStatus directive in modsecurity.conf are logged (i.e. requests that were NOT blocked may also be logged). For more info, see:
>>>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
>>>>>
>>>>> azurit
>>>>>
>>>>> Quoting O Lányi via mod-security-users mod...@li...:
>>>>>
>>>>>> I understand the logging parts (I turned on additional parts to try to understand why harmless requests are being placed in the audit log), but why was this particular HTTP request put into the audit log at all? What was "wrong" with it?
>>>>>>
>>>>>> Sent with Proton Mail secure email.
>>>>>>
>>>>>> ------- Original Message -------
>>>>>> On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> what is logged depends on the SecAuditLogParts directive in modsecurity.conf. For more info, see:
>>>>>>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>>>>>>>
>>>>>>> azurit
>>>>>>>
>>>>>>> Quoting O Lányi via mod-security-users mod...@li...:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I'm trying to learn to appreciate modsecurity but everything about it is frustrating and confusing to me. I thought I'd try reaching out in hopes someone could help -- this is my last hope before I give up and turn it off.
>>>>>>>>
>>>>>>>> I am using DetectionOnly mode.
>>>>>>>>
>>>>>>>> Why was this put in the audit log? Why are there so many rules listed? Why can't it just tell me simply what rule triggered the inclusion in the log, rather than 75 lines of gibberish? Is this a bug?
>>>>>>>>
>>>>>>>> --7337282c-A--
>>>>>>>> [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
>>>>>>>> --7337282c-B--
>>>>>>>> GET / HTTP/1.0
>>>>>>>>
>>>>>>>> --7337282c-F--
>>>>>>>> HTTP/1.1 308 Permanent Redirect
>>>>>>>> Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
>>>>>>>> Referrer-Policy: unsafe-url
>>>>>>>> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
>>>>>>>> X-Content-Type-Options: nosniff
>>>>>>>> X-Frame-Options: SAMEORIGIN
>>>>>>>> X-XSS-Protection: 1; mode=block
>>>>>>>> Location: https://othersite/
>>>>>>>> Content-Length: 428
>>>>>>>> Connection: close
>>>>>>>> Content-Type: text/html; charset=iso-8859-1
>>>>>>>>
>>>>>>>> --7337282c-E--
>>>>>>>>
>>>>>>>> --7337282c-H--
>>>>>>>> Stopwatch: 1668000670057655 23939 (- - -)
>>>>>>>> Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
>>>>>>>> Response-Body-Transformed: Dechunked
>>>>>>>> Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
>>>>>>>> Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
>>>>>>>> Engine-Mode: "DETECTION_ONLY"
>>>>>>>>
>>>>>>>> --7337282c-K--
>>>>>>>> SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
>>>>>>>> SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
>>>>>>>> SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
>>>>>>>> SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
>>>>>>>> SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
>>>>>>>> SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
>>>>>>>> SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
>>>>>>>> SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
>>>>>>>> SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
>>>>>>>> SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
>>>>>>>> SecRule "&TX:do_reput_block" "@eq 0"
"phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0" > > > > > > > > > > > SecRule "&TX:reput_block_duration" "@eq 0" > > > > > > "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300" > > > > > > > > > > > SecRule "&TX:allowed_methods" "@eq 0" > > > > > > "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET > > > > > > > > HEAD > > > > > > > > > > > > POST > > > > > > > > > > > > > > > OPTIONS'" > > > > > > > > > > > > > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" > > > > > > "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| > > > |multipart/form-data| > > > > > > > > |multipart/related| > > > > > > > > > > > > |text/xml| > > > > > > > > > > > > > > > |application/x > > > > > > > > ml| |application/soap+xml| |application/x-amf| |application/json| > > > > > > > > |application/cloudevents+json| > > > > > > > > |application/cloudevents-batch+json| > > > > > > > > |application/octet-stream| |application/csp-report| > > > > > > > > |application/xss-auditor-report| |text/plain|'" > > > > > > > > > > > > > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" > > > > > > "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252" > > > > > > > > > > > SecRule "&TX:allowed_http_versions" "@eq 0" > > > > > > "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 > > > > > > > > HTTP/1.1 > > > > > > > > > > > > HTTP/2 > > > > > > > > > > > > > > > HTTP/2.0'" > > > > > > > > > > > > > > > > SecRule "&TX:restricted_extensions" "@eq 0" > > > > > > "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ 
> > > .cs/ > > > > > > > > .csproj/ > > > > > > > > > > > > .csr/ > > > > > > > > > > > > > > > .dat > > > > > > > > / .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ > > > > > > > > .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ > > > > > > > > .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ > > > > > > > > .vbs/ .vbproj/ > > > > > > > > .vsdisco/ .webinfo/ .xsd/ .xsx/'" > > > > > > > > > > > > > > > > SecRule "&TX:restricted_headers" "@eq 0" > > > > > > "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ > > > > > > > > /lock-token/ > > > > > > > > > > > > /content-range/ > > > > > > > > > > > > > > > /if/'" > > > > > > > > > > > > > > > > SecRule "&TX:static_extensions" "@eq 0" > > > > > > "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ > > > /.css/ > > > > > > > > /.ico/ > > > > > > > > > > > > /.svg/ > > > > > > > > > > > > > > > /.webp/'" > > > > > > > > > > > > > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" > > > > > > "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0" > > > > > > > > > > > SecAction > > > > > > "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0 > > > > > > ,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_sco > > > > > > re=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0" > > > > > > > > > > > 
SecAction > > > > > > "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}" > > > > > > > > > > > SecRule "REQBODY_PROCESSOR" "!@rx > > > > > > > > (?:URLENCODED|MULTIPART|XML|JSON)" > > > > > > > > "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body > > > > > > inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2" > > > > > > > > > > > SecRule "TX:sampling_percentage" "@eq 100" > > > > > > "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING" > > > > > > > > > > > SecRule > > > > > > > > "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" > > > > > > "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS" > > > > > > > > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" > > > > > > > > "@eq 0" > > > > > > "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS" > > > > > > > > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" > > > > > > > > "@eq 0" > > > > > > "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD" > > > > > > > > > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" > > > > > > > > "@eq 0" > > > > > > "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" > > > > > > > > > > > SecRule > > > > > > > > "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" > > > > > > "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" > > > > > > > > > > > SecRule > > > > > > > > "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq > > > > > > > > 0" > > > > > > "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > 
"phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" > > > > > > > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" > > > > > > "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" > > > > > > > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" > > > > > > > > SecRule "&TX:dos_block_timeout" "@eq 0" > > > > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > 
"phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > 
"phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" > > > > > > > > > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" > > > > > > > > "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS > > > > > > > > Information Leakage',logdata:'Matched Data: %{TX.0} found within > > > > > > > > %{MATCHED_VAR_NAME}: > > > > > > > > %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla > > > > > > tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" > > > > > > > > > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error > > > > > > > > in.{0,50}?\\bApplication\\b" > > > > > > "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" > > > > > > > > > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" > > > > > > "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" > > > > > > > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" > > > > > > 
"phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" > > > > > > > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" > > > > > > > > SecRule "&TX:dos_block_timeout" "@eq 0" > > > > > > > > > > > > > > > > SecAction > > > > > > "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} > > > > > > > > > > > ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" > > > > > > > > > > > > > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt > > > > > > > > %{tx.inbound_anomaly_score_threshold}" > > > > > > > > "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly > > > > > > > > Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - > > > > > > > > SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score > > > > > > },RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level > > > scores: > > > > > > > > %{TX.ANOMALY_SCORE_PL1}, > > > > > > > > > > > > %{TX.ANOMALY_SCORE_PL2}, > > > > > > > > > > > > > > > %{TX.ANO > > > > > > > > MALY_SCORE_PL3}, > > > > > > %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" > > > > > > > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" > > > > > > > > > > > > > > > > SecAction > > > > > > "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. 
> > > > > > outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" > > > > > > > > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt > > > > > > > > %{tx.outbound_anomaly_score_threshold}" > > > > > > "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly > > > > > > > > > > > Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): > > > > > > > > individual paranoia level scores: %{TX.OUTBO > > > > > > > > UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, > > > > > > > > %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, > > > > > > %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" > > > > > > > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" > > > > > > > > > > > > > > > > --7337282c-Z-- > > > > > > > > > > > > > > > > Thanks for any help anyone can offer. > > > > > > > > > > > > > > > > Sent with Proton Mail secure email. > > > > > > > > > > > > > > _______________________________________________ > > > > > > > mod-security-users mailing list > > > > > > > mod...@li... > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's > > > > > > > SpiderLabs: > > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > > > _______________________________________________ > > > > > > mod-security-users mailing list > > > > > > mod...@li... > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > > > > > http://www.modsecurity.org/projects/commercial/rules/ > > > > > > http://www.modsecurity.org/projects/commercial/support/ > > > > > > > > > > _______________________________________________ > > > > > mod-security-users mailing list > > > > > mod...@li... 
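A small parser for the serial audit-log format quoted in this thread, added here as an example; it is not code from ModSecurity, the CRS, or anyone in the thread. It splits an entry into its lettered parts, reads the request line and the Host header from part B and the status from part F, and then lists the reasons visible in the entry for a RelevantOnly audit log to have been written: a status matching SecAuditLogRelevantStatus, or a rule in part K that looks like an actual finding. That second test is a heuristic of mine (rules carrying msg: that are not noauditlog, skipping chain starters whose next link is written with a leading '#', the way the quoted log marks chain links that did not match); the regex used as the default relevant-status value, both sample entries, and rule id 100001 are assumptions, with the first entry modelled on the 308 entry above and part K trimmed to two lines.

```python
# Parser for ModSecurity v2 serial audit-log entries: an added example, not
# code from ModSecurity, the CRS, or anyone in the thread.
import re
from typing import Optional

# Assumption: the SecAuditLogRelevantStatus value shipped in
# modsecurity.conf-recommended; your own modsecurity.conf may differ.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"
BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$", re.MULTILINE)


def split_parts(entry: str) -> dict[str, str]:
    """Map each part letter (A, B, F, H, K, ...) to its raw text."""
    parts: dict[str, str] = {}
    marks = list(BOUNDARY_RE.finditer(entry))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts


def request_headers(part_b: str) -> dict[str, str]:
    """Headers that follow the request line in part B, names lower-cased."""
    headers: dict[str, str] = {}
    for line in part_b.splitlines()[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def response_status(part_f: str) -> Optional[int]:
    """Status code from the status line at the top of part F."""
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", part_f)
    return int(m.group(1)) if m else None


def finding_rules(part_k: str) -> list[str]:
    """Ids of part-K rules that look like real findings (heuristic). Part K
    lists every rule that matched, CRS setup and skipAfter plumbing included,
    so keep rules with msg: that are not noauditlog, and drop chain starters
    whose next link is written with a leading '#' (an unmatched link)."""
    lines = part_k.splitlines()
    ids: list[str] = []
    for i, line in enumerate(lines):
        if not line.startswith(("SecRule", "SecAction")):
            continue
        if "msg:" not in line or "noauditlog" in line:
            continue
        if re.search(r"\bchain\b", line) and i + 1 < len(lines) and lines[i + 1].startswith("#"):
            continue
        m = re.search(r"\bid:(\d+)", line)
        if m:
            ids.append(m.group(1))
    return ids


def why_logged(entry: str, relevant_status: str = DEFAULT_RELEVANT_STATUS) -> dict:
    """Request line, Host presence, status, and every reason visible in the
    entry for a RelevantOnly audit log to have been written."""
    parts = split_parts(entry)
    part_b = parts.get("B", "")
    status = response_status(parts.get("F", ""))
    reasons: list[str] = []
    if status is not None and re.search(relevant_status, str(status)):
        reasons.append(f"status {status} matches SecAuditLogRelevantStatus")
    reasons += [f"rule {rid} matched" for rid in finding_rules(parts.get("K", ""))]
    return {
        "request": part_b.splitlines()[0] if part_b else "",
        "has_host": "host" in request_headers(part_b),
        "status": status,
        "reasons": reasons,
    }


# Constructed sample modelled on the 308 entry quoted in the thread
# (part K trimmed to two lines).
ENTRY_308 = """--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
--7337282c-Z--
"""

# Constructed contrast entry: a 403 plus one audit-logged finding in part K
# (rule id 100001 and its message are placeholders, not CRS rules).
ENTRY_403 = """--0000000a-B--
GET /?q=x HTTP/1.1
Host: example.test

--0000000a-F--
HTTP/1.1 403 Forbidden

--0000000a-K--
SecRule "ARGS" "@rx x" "phase:2,auditlog,id:100001,deny,msg:'placeholder finding'"
--0000000a-Z--
"""
```

Run against the 308 entry, `why_logged` reports `GET / HTTP/1.0`, no Host header, status 308 and an empty reason list, which is the same gap the thread is chasing; against the 403 entry it reports both the status match and rule 100001. Reading a long part K this way, by discarding the rules without a msg: first, is the quickest route from "75 lines of gibberish" to the handful of rules that can actually explain an entry.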
From: <az...@po...> - 2022-11-11 09:51:31
Can you upload your modsecurity.conf and crs-setup.conf somewhere?

Citát O Lányi via mod-security-users <mod...@li...>:

> It's already set like that.
>
> ------- Original Message -------
> On Thursday, November 10th, 2022 at 4:39 AM, <az...@po...> wrote:
>
> > Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
> > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
> >
> > Citát O Lányi via mod-security-users
> > mod...@li...:
> >
> > > The response was a 308. 99.999% of 308's are not put in the audit
> > > log. Why was this specific one put in the audit log?
> > >
> > > Sent with Proton Mail secure email.
> > >
> > > ------- Original Message -------
> > > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
> > >
> > > > This depends on the HTTP status code - logged are all requests with
> > > > status code that matches regexp set in SecAuditLogRelevantStatus
> > > > directive in modsecurity.conf (i.e. also requests that were NOT
> > > > blocked may be logged). For more info, see:
> > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
> > > >
> > > > azurit
> > > >
> > > > Citát O Lányi via mod-security-users
> > > > mod...@li...:
> > > >
> > > > > I understand the logging parts (I turned on additional parts to try
> > > > > to understand why harmless requests are being placed in the audit
> > > > > log), but why was this particular HTTP request put into the audit
> > > > > log at all? What was "wrong" with it?
> > > > >
> > > > > Sent with Proton Mail secure email.
> > > > >
> > > > > ------- Original Message -------
> > > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > what is logged depends on SecAuditLogParts directive in
> > > > > > modsecurity.conf. For more info, see:
> > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > > > > >
> > > > > > azurit
> > > > > >
> > > > > > Citát O Lányi via mod-security-users
> > > > > > mod...@li...:
> > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > I'm trying to learn to appreciate modsecurity but everything about
> > > > > > > it is frustrating and confusing to me. I thought I'd try reaching
> > > > > > > out in hopes someone could help -- this is my last hope before I
> > > > > > > give up and turn it off.
> > > > > > >
> > > > > > > I am using DetectionOnly mode
> > > > > > >
> > > > > > > Why was this put in the audit log? Why are there so many rules
> > > > > > > listed? Why can't it just tell me simply what rule triggered the
> > > > > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > > > > > > bug?
> > > > > > >
> > > > > > > --7337282c-A--
> > > > > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc
> > > > > > > (REMOTE_IP) 56866 (MY_IP) 443
> > > > > > > --7337282c-B--
> > > > > > > GET / HTTP/1.0
> > > > > > >
> > > > > > > --7337282c-F--
> > > > > > > HTTP/1.1 308 Permanent Redirect
> > > > > > > Expect-CT: max-age=604800, enforce,
> > > > > > > report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> > > > > > > Referrer-Policy: unsafe-url
> > > > > > > Strict-Transport-Security: max-age=31536000;
> > > > > > > includeSubDomains; preload
> > > > > > > X-Content-Type-Options: nosniff
> > > > > > > X-Frame-Options: SAMEORIGIN
> > > > > > > X-XSS-Protection: 1; mode=block
> > > > > > > Location: https://othersite/
> > > > > > > Content-Length: 428
> > > > > > > Connection: close
> > > > > > > Content-Type: text/html; charset=iso-8859-1
> > > > > > >
> > > > > > > --7337282c-E--
> > > > > > >
> > > > > > > --7337282c-H--
> > > > > > > Stopwatch: 1668000670057655 23939 (- - -)
> > > > > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0,
> > > > > > > p3=48, p4=171,
p5=179, sr=131, sw=0, l=0, gc=0 >> > > > > > Response-Body-Transformed: Dechunked >> > > > > > Producer: ModSecurity for Apache/2.9.5 >> > > > > > (http://www.modsecurity.org/); OWASP_CRS/3.3.2. >> > > > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 >> > > > > > Engine-Mode: "DETECTION_ONLY" >> > > > > > >> > > > > > --7337282c-K-- >> > > > > > SecAction >> > > >> > > >> "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332" >> > > >> > > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5" >> > > >> > > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4" >> > > >> > > > > > SecRule "&TX:paranoia_level" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1" >> > > >> > > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}" >> > > >> > > > > > SecRule "&TX:sampling_percentage" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100" >> > > >> > > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5" >> > > >> > > > > > SecRule "&TX:error_anomaly_score" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4" >> > > >> > > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3" >> > > >> > > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" >> > > >> > > >> 
"phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2" >> > > >> > > > > > SecRule "&TX:do_reput_block" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0" >> > > >> > > > > > SecRule "&TX:reput_block_duration" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300" >> > > >> > > > > > SecRule "&TX:allowed_methods" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET >> > > HEAD >> > > >> > > > > POST >> > > > > >> > > > > > OPTIONS'" >> > > > > > >> > > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| >> |multipart/form-data| >> > > |multipart/related| >> > > >> > > > > |text/xml| >> > > > > >> > > > > > |application/x >> > > > > > ml| |application/soap+xml| |application/x-amf| |application/json| >> > > > > > |application/cloudevents+json| >> |application/cloudevents-batch+json| >> > > > > > |application/octet-stream| |application/csp-report| >> > > > > > |application/xss-auditor-report| |text/plain|'" >> > > > > > >> > > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252" >> > > >> > > > > > SecRule "&TX:allowed_http_versions" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 >> > > HTTP/1.1 >> > > >> > > > > HTTP/2 >> > > > > >> > > > > > HTTP/2.0'" >> > > > > > >> > > > > > SecRule "&TX:restricted_extensions" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ 
.asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ >> .cs/ >> > > .csproj/ >> > > >> > > > > .csr/ >> > > > > >> > > > > > .dat >> > > > > > / .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ >> > > > > > .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ >> > > > > > .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ >> .vbs/ .vbproj/ >> > > > > > .vsdisco/ .webinfo/ .xsd/ .xsx/'" >> > > > > > >> > > > > > SecRule "&TX:restricted_headers" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ >> > > /lock-token/ >> > > >> > > > > /content-range/ >> > > > > >> > > > > > /if/'" >> > > > > > >> > > > > > SecRule "&TX:static_extensions" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ >> /.css/ >> > > /.ico/ >> > > >> > > > > /.svg/ >> > > > > >> > > > > > /.webp/'" >> > > > > > >> > > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0" >> > > >> > > > > > SecAction >> > > >> > > >> "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0 >> > > >> > > >> ,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_sco >> > > >> > > >> re=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0" >> > > >> > > > > > 
SecAction >> > > >> > > >> "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}" >> > > >> > > > > > SecRule "REQBODY_PROCESSOR" "!@rx >> (?:URLENCODED|MULTIPART|XML|JSON)" >> > > > > > "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body >> > > >> > > >> inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2" >> > > >> > > > > > SecRule "TX:sampling_percentage" "@eq 100" >> > > >> > > >> "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING" >> > > >> > > > > > SecRule >> "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS" >> > > >> > > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" >> > > > > > "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS" >> > > >> > > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" >> > > > > > "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD" >> > > >> > > > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" >> > > > > > "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" >> > > >> > > > > > SecRule >> "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" >> > > >> > > > > > SecRule >> "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq >> > > > > > 0" >> > > >> > > >> "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> 
"phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" >> > > >> > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >> > > >> > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >> > > > > > SecRule "&TX:dos_block_timeout" "@eq 0" >> > > > > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> 
"phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> 
"phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >> > > >> > > > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" >> > > > > > "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS >> > > > > > Information Leakage',logdata:'Matched Data: %{TX.0} found within >> > > > > > %{MATCHED_VAR_NAME}: >> > > > > > %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla >> > > >> > > >> tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" >> > > >> > > > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error >> > > > > > in.{0,50}?\\bApplication\\b" >> > > >> > > >> "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >> > > >> > > > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" >> > > >> > > >> "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >> > > >> > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" >> > > >> > > >> 
"phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >> > > >> > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >> > > > > > SecRule "&TX:dos_block_timeout" "@eq 0" >> > > > > > >> > > > > > SecAction >> > > >> > > >> "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} >> > > >> > > > > > ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" >> > > > > > >> > > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt >> > > > > > %{tx.inbound_anomaly_score_threshold}" >> > > > > > "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly >> > > > > > Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - >> > > > > > SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score >> > > >> > > >> },RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level >> scores: >> > > %{TX.ANOMALY_SCORE_PL1}, >> > > >> > > > > %{TX.ANOMALY_SCORE_PL2}, >> > > > > >> > > > > > %{TX.ANO >> > > > > > MALY_SCORE_PL3}, >> > > >> > > >> %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >> > > >> > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >> > > > > > >> > > > > > SecAction >> > > >> > > >> "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. 
>> > > >> > > >> outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" >> > > >> > > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt >> > > > > > %{tx.outbound_anomaly_score_threshold}" >> > > > > > >> "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly >> > > > > > Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): >> > > > > > individual paranoia level scores: %{TX.OUTBO >> > > > > > UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, >> > > > > > %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, >> > > >> > > >> %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >> > > >> > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >> > > > > > >> > > > > > --7337282c-Z-- >> > > > > > >> > > > > > Thanks for any help anyone can offer. >> > > > > > >> > > > > > Sent with Proton Mail secure email. >> > > > > >> > > > > _______________________________________________ >> > > > > mod-security-users mailing list >> > > > > mod...@li... >> > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users >> > > > > Commercial ModSecurity Rules and Support from Trustwave's >> SpiderLabs: >> > > > > http://www.modsecurity.org/projects/commercial/rules/ >> > > > > http://www.modsecurity.org/projects/commercial/support/ |
From: O L. <ne...@pr...> - 2022-11-10 14:45:15
|
It's already set like that.

------- Original Message -------
On Thursday, November 10th, 2022 at 4:39 AM, <az...@po...> wrote:

> Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
>
> Quoting O Lányi via mod-security-users
> mod...@li...:
>
> > The response was a 308. 99.999% of 308s are not put in the audit
> > log. Why was this specific one put in the audit log?
> >
> > Sent with Proton Mail secure email.
> >
> > ------- Original Message -------
> > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
> >
> > > This depends on the HTTP status code - logged are all requests with
> > > status code that matches regexp set in SecAuditLogRelevantStatus
> > > directive in modsecurity.conf (i.e. also requests that were NOT
> > > blocked may be logged). For more info, see:
> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
> > >
> > > azurit
> > >
> > > Quoting O Lányi via mod-security-users
> > > mod...@li...:
> > >
> > > > I understand the logging parts (I turned on additional parts to try
> > > > to understand why harmless requests are being placed in the audit
> > > > log), but why was this particular HTTP request put into the audit
> > > > log at all? What was "wrong" with it?
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > ------- Original Message -------
> > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > what is logged depends on SecAuditLogParts directive in
> > > > > modsecurity.conf. For more info, see:
> > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > > > >
> > > > > azurit
> > > > >
> > > > > Quoting O Lányi via mod-security-users
> > > > > mod...@li...:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I'm trying to learn to appreciate modsecurity but everything about
> > > > > > it is frustrating and confusing to me. I thought I'd try reaching
> > > > > > out in hopes someone could help -- this is my last hope before I
> > > > > > give up and turn it off.
> > > > > >
> > > > > > I am using DetectionOnly mode
> > > > > >
> > > > > > Why was this put in the audit log? Why are there so many rules
> > > > > > listed? Why can't it just tell me simply what rule triggered the
> > > > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > > > > > bug?
> > > > > >
> > > > > > --7337282c-A--
> > > > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
> > > > > > --7337282c-B--
> > > > > > GET / HTTP/1.0
> > > > > >
> > > > > > --7337282c-F--
> > > > > > HTTP/1.1 308 Permanent Redirect
> > > > > > Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> > > > > > Referrer-Policy: unsafe-url
> > > > > > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> > > > > > X-Content-Type-Options: nosniff
> > > > > > X-Frame-Options: SAMEORIGIN
> > > > > > X-XSS-Protection: 1; mode=block
> > > > > > Location: https://othersite/
> > > > > > Content-Length: 428
> > > > > > Connection: close
> > > > > > Content-Type: text/html; charset=iso-8859-1
> > > > > >
> > > > > > --7337282c-E--
> > > > > >
> > > > > > --7337282c-H--
> > > > > > Stopwatch: 1668000670057655 23939 (- - -)
> > > > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
> > > > > > Response-Body-Transformed: Dechunked
> > > > > > Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
> > > > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
> > > > > > Engine-Mode: "DETECTION_ONLY"
> > > > > >
> > > > > > --7337282c-K--
> > > > > > SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
> > > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
> > > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
> > > > > > SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
> > > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
> > > > > > SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
> > > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
> > > > > > SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
> > > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
> > > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
> > > > > > SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
> > > > > > SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
> > > > > > SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
> > > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
> > > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
> > > > > > SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
> > > > > > SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
> > > > > > SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
> > > > > > SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
> > > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
> > > > > > SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
> > > > > > SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
> > > > > > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
> > > > > > SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
> > > > > > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
> > > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
> > > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
> > > > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
> > > > > > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
> > > > > > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
> > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > > > > > SecRule "&TX:dos_block_timeout" "@eq 0"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> > > > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
> > > > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> > > > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > > > > > SecRule "&TX:dos_block_timeout" "@eq 0"
> > > > > > SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
> > > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
> > > > > > SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
> > > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
> > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
> > > > > >
> > > > > > --7337282c-Z--
> > > > > >
> > > > > > Thanks for any help anyone can offer.
> > > > > >
> > > > > > Sent with Proton Mail secure email.
|
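The two directives azurit points at are easier to reason about once the entry is split up: SecAuditLogParts decides which lettered parts appear, and SecAuditLogRelevantStatus is a regex applied to the response status. The following is an added example for this thread, not code from the thread or from the ModSecurity project. It splits a serial-format entry on its --boundary-letter-- markers, reads the status from part F, the engine mode from part H and the matched rule ids from part K (the part that holds the long rule list in the post), and applies a SecAuditLogRelevantStatus regex to the status. The sample entry is constructed from the posted one (shortened, with RFC 5737 documentation addresses in place of the redacted ones), and the regex is the value shipped in modsecurity.conf-recommended, assumed here because the poster's own setting is not shown; with that value a 308 is not relevant by status, so under RelevantOnly the status alone does not account for the entry.

```python
"""Split a ModSecurity 2.x serial audit-log entry into parts and check what
could have made it 'relevant'. Added example; not code from the thread or
from the ModSecurity project."""
import re

# Constructed sample modelled on the posted entry: same part layout and
# boundary, part K cut down to four of the posted lines, redacted addresses
# replaced with RFC 5737 documentation addresses.
SAMPLE_ENTRY = r"""--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc 192.0.2.10 56866 198.51.100.5 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/
Content-Length: 428

--7337282c-E--

--7337282c-H--
Stopwatch: 1668000670057655 23939 (- - -)
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}"

--7337282c-Z--
"""

# Value shipped in modsecurity.conf-recommended. Assumed here: the thread
# never shows the poster's own SecAuditLogRelevantStatus setting.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
RULE_ID_RE = re.compile(r"\bid:(\d+)")


def split_parts(entry):
    """Return {part letter: body}. Every part opens with '--<boundary>-<letter>--';
    part Z terminates the entry and has no body. All boundaries must agree."""
    marks = list(BOUNDARY_RE.finditer(entry))
    boundaries = {m.group(1) for m in marks}
    if len(boundaries) != 1:
        raise ValueError("expected one boundary id, found %r" % sorted(boundaries))
    parts = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts


def response_status(parts):
    """Status code from the status line of part F (response headers), or None."""
    body = parts.get("F", "")
    if not body:
        return None
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})\b", body.splitlines()[0])
    return int(m.group(1)) if m else None


def engine_mode(parts):
    """Engine-Mode recorded in part H (audit trailer), or None."""
    m = re.search(r'^Engine-Mode:\s*"([^"]*)"', parts.get("H", ""), re.MULTILINE)
    return m.group(1) if m else None


def matched_rule_ids(parts):
    """Rule ids listed in part K (matched rules), in the order written.
    Lines that part K prefixes with '#' and chained rules without an id
    of their own are skipped."""
    ids = []
    for line in parts.get("K", "").splitlines():
        if line.startswith("#"):
            continue
        m = RULE_ID_RE.search(line)
        if m:
            ids.append(int(m.group(1)))
    return ids


def status_is_relevant(status, pattern=DEFAULT_RELEVANT_STATUS):
    """Apply a SecAuditLogRelevantStatus regex to a status code the way the
    directive does: the pattern is searched in the decimal status string."""
    return status is not None and re.search(pattern, str(status)) is not None


def explain(entry, pattern=DEFAULT_RELEVANT_STATUS):
    """Summarise one entry: parts present, status, whether the status alone
    makes it relevant under the given regex, engine mode, matched rule ids."""
    parts = split_parts(entry)
    status = response_status(parts)
    return {
        "parts": "".join(sorted(parts)),
        "status": status,
        "status_relevant": status_is_relevant(status, pattern),
        "engine_mode": engine_mode(parts),
        "matched_rule_ids": matched_rule_ids(parts),
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE_ENTRY).items():
        print("%-17s %s" % (key + ":", value))
```

Run against a real serial audit log, feed each entry (everything from one part A marker up to and including the part Z marker) to explain(); an entry whose status is not relevant under your own SecAuditLogRelevantStatus value was kept for a reason other than the status code, which is the question the thread is circling.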
From: <az...@po...> - 2022-11-10 10:40:08
|
Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine

Quoting O Lányi via mod-security-users <mod...@li...>:

> The response was a 308. 99.999% of 308's are not put in the audit
> log. Why was this specific one put in the audit log?
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Wednesday, November 9th, 2022 at 10:58 AM, <az...@po...> wrote:
>
>> This depends on the HTTP status code - logged are all requests with
>> status code that matches regexp set in SecAuditLogRelevantStatus
>> directive in modsecurity.conf (i.e. also requests that were NOT
>> blocked may be logged). For more info, see:
>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
>>
>> azurit
>>
>> Quoting O Lányi via mod-security-users
>> mod...@li...:
>>
>> > I understand the logging parts (I turned on additional parts to try
>> > to understand why harmless requests are being placed in the audit
>> > log), but why was this particular HTTP request put into the audit
>> > log at all? What was "wrong" with it?
>> >
>> > Sent with Proton Mail secure email.
>> >
>> > ------- Original Message -------
>> > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
>> >
>> > > Hi,
>> > >
>> > > what is logged depends on SecAuditLogParts directive in
>> > > modsecurity.conf. For more info, see:
>> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>> > >
>> > > azurit
>> > >
>> > > Quoting O Lányi via mod-security-users
>> > > mod...@li...:
>> > >
>> > > > Hello,
>> > > >
>> > > > I'm trying to learn to appreciate modsecurity but everything about
>> > > > it is frustrating and confusing to me. I thought I'd try reaching
>> > > > out in hopes someone could help -- this is my last hope before I
>> > > > give up and turn it off.
>> > > >
>> > > > I am using DetectionOnly mode
>> > > >
>> > > > What was this put in the audit log? Why are there so many rules
>> > > > listed? Why can't it just tell me simply what rule triggered the
>> > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
>> > > > bug?
>> > > >
>> > > > --7337282c-A--
>> > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
>> > > > --7337282c-B--
>> > > > GET / HTTP/1.0
>> > > >
>> > > > --7337282c-F--
>> > > > HTTP/1.1 308 Permanent Redirect
>> > > > Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
>> > > > Referrer-Policy: unsafe-url
>> > > > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
>> > > > X-Content-Type-Options: nosniff
>> > > > X-Frame-Options: SAMEORIGIN
>> > > > X-XSS-Protection: 1; mode=block
>> > > > Location: https://othersite/
>> > > > Content-Length: 428
>> > > > Connection: close
>> > > > Content-Type: text/html; charset=iso-8859-1
>> > > >
>> > > > --7337282c-E--
>> > > >
>> > > > --7337282c-H--
>> > > > Stopwatch: 1668000670057655 23939 (- - -)
>> > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
>> > > > Response-Body-Transformed: Dechunked
>> > > > Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
>> > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
>> > > > Engine-Mode: "DETECTION_ONLY"
>> > > >
>> > > > --7337282c-K--
>> > > > SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
>> > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
>> > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
>> > > > SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
>> > > > SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
>> > > > SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
>> > > > SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
>> > > > SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
>> > > > SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
>> > > > SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
>> > > > SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
>> > > > SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
>> > > > SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
>> > > > SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
>> > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
>> > > > SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
>> > > > SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
>> > > > SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
>> > > > SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
>> > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
>> > > > SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
>> > > > SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
>> > > > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
>> > > > SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
>> > > > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
>> > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
>> > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
>> > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
>> > > > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
>> > > > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
>> > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
>> > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
>> > > > SecRule "&TX:dos_block_timeout" "@eq 0"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
>> > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
>> > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
>> > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
>> > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
>> > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
>> > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
>> > > > SecRule "&TX:dos_block_timeout" "@eq 0"
>> > > > SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
>> > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
>> > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>> > > > SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
>> > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
>> > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
>> > > >
>> > > > --7337282c-Z--
>> > > >
>> > > > Thanks for any help anyone can offer.
>> > > >
>> > > > Sent with Proton Mail secure email.
>> > >
>> > > _______________________________________________
>> > > mod-security-users mailing list
>> > > mod...@li...
>> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> > > http://www.modsecurity.org/projects/commercial/rules/
>> > > http://www.modsecurity.org/projects/commercial/support/
|
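The reply above points at two directives that together decide whether a transaction is written to the audit log: SecAuditEngine (On, Off, RelevantOnly) and SecAuditLogRelevantStatus (a regex matched against the response status code). As an added example, not code from this thread or from ModSecurity itself, the Python below parses an audit-log entry in the serial format posted here (the `--<boundary>-<letter>--` parts), pulls out the status from part F, the engine mode from part H and the rule ids from part K, and then applies the documented semantics of those two directives to it. The sample entry is constructed, an abbreviated copy of the one in the thread; the default regex `^(?:5|4(?!04))` is the value shipped in modsecurity.conf-recommended; `parse_serial_entry`, `would_be_audit_logged` and the `rule_flagged_audit` flag are this example's own names, and that flag is a stand-in for the engine's internal tracking of rule matches that request audit logging.

```python
import re
from dataclasses import dataclass, field

# Value shipped in modsecurity.conf-recommended for ModSecurity 2.x:
# 5xx and 4xx responses count as relevant, 404 does not.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"

# Constructed sample: an abbreviated copy of the entry posted in this thread
# (parts A, B, F, H and three K lines; REMOTE_IP/MY_IP are the poster's placeholders).
SAMPLE_ENTRY = """\
--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/

--7337282c-H--
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
--7337282c-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")
RULE_ID_RE = re.compile(r"\bid:(\d+)")
ENGINE_MODE_RE = re.compile(r'^Engine-Mode:\s*"([^"]+)"', re.MULTILINE)


@dataclass
class AuditEntry:
    boundary: str                              # per-entry boundary token, e.g. 7337282c
    parts: dict = field(default_factory=dict)  # part letter -> body text

    @property
    def response_status(self):
        """Status code from the status line that opens part F, or None."""
        first = self.parts.get("F", "").splitlines()[:1]
        m = STATUS_RE.match(first[0]) if first else None
        return int(m.group(1)) if m else None

    @property
    def engine_mode(self):
        m = ENGINE_MODE_RE.search(self.parts.get("H", ""))
        return m.group(1) if m else None

    @property
    def matched_rule_ids(self):
        """Rule ids from part K; commented-out chain members (#SecRule) and
        chained rules that carry no id of their own are skipped."""
        ids = []
        for line in self.parts.get("K", "").splitlines():
            if line.startswith(("SecRule", "SecAction")):
                m = RULE_ID_RE.search(line)
                if m:
                    ids.append(int(m.group(1)))
        return ids


def parse_serial_entry(text):
    """Split one serial-format audit log entry into its lettered parts."""
    parts, boundary, current, buf = {}, None, None, []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            if current is not None:
                parts[current] = "\n".join(buf).strip("\n")
            boundary, current, buf = m.group(1), m.group(2), []
        elif current is not None:
            buf.append(line)
    if current is not None:
        parts[current] = "\n".join(buf).strip("\n")
    return AuditEntry(boundary=boundary, parts=parts)


def status_is_relevant(status, relevant_regex=DEFAULT_RELEVANT_STATUS):
    """SecAuditLogRelevantStatus: the regex is matched against the status code as text."""
    return status is not None and re.search(relevant_regex, str(status)) is not None


def would_be_audit_logged(engine, status, rule_flagged_audit=False,
                          relevant_regex=DEFAULT_RELEVANT_STATUS):
    # Simplified model of the documented SecAuditEngine values (this example's
    # assumption, not engine code): On logs every transaction, Off none,
    # RelevantOnly those with a relevant status or a rule match flagged for auditing.
    if engine == "On":
        return True
    if engine == "Off":
        return False
    if engine == "RelevantOnly":
        return rule_flagged_audit or status_is_relevant(status, relevant_regex)
    raise ValueError(f"unknown SecAuditEngine value: {engine!r}")


if __name__ == "__main__":
    entry = parse_serial_entry(SAMPLE_ENTRY)
    print(entry.boundary, entry.response_status, entry.engine_mode, entry.matched_rule_ids)
    print("status matches default regex:", status_is_relevant(entry.response_status))
    for engine in ("On", "RelevantOnly"):
        print(f"SecAuditEngine {engine}: logged={would_be_audit_logged(engine, entry.response_status)}")
```

Run stand-alone it reports the 308 status, the DETECTION_ONLY engine mode and the two rule ids, and shows that 308 does not match the default relevant-status regex: under RelevantOnly such an entry is written only if a matched rule flagged the transaction for auditing or the regex was widened, whereas SecAuditEngine On writes every transaction, which is why the reply suggests checking that directive first. SecRuleEngine DetectionOnly only suppresses disruptive actions, so the Engine-Mode line in part H does not by itself explain why an entry exists.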
From: O L. <ne...@pr...> - 2022-11-09 17:12:12
|
The response was a 308. 99.999% of 308's are not put in the audit log. Why was this specific one put in the audit log?

Sent with Proton Mail secure email.

------- Original Message -------
On Wednesday, November 9th, 2022 at 10:58 AM, <az...@po...> wrote:

> This depends on the HTTP status code - logged are all requests with
> status code that matches regexp set in SecAuditLogRelevantStatus
> directive in modsecurity.conf (i.e. also requests that were NOT
> blocked may be logged). For more info, see:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
>
> azurit
>
> Quoting O Lányi via mod-security-users
> mod...@li...:
>
> > I understand the logging parts (I turned on additional parts to try
> > to understand why harmless requests are being placed in the audit
> > log), but why was this particular HTTP request put into the audit
> > log at all? What was "wrong" with it?
> >
> > Sent with Proton Mail secure email.
> >
> > ------- Original Message -------
> > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> >
> > > Hi,
> > >
> > > what is logged depends on SecAuditLogParts directive in
> > > modsecurity.conf. For more info, see:
> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > >
> > > azurit
> > >
> > > Quoting O Lányi via mod-security-users
> > > mod...@li...:
> > >
> > > > Hello,
> > > >
> > > > I'm trying to learn to appreciate modsecurity but everything about
> > > > it is frustrating and confusing to me. I thought I'd try reaching
> > > > out in hopes someone could help -- this is my last hope before I
> > > > give up and turn it off.
> > > >
> > > > I am using DetectionOnly mode
> > > >
> > > > What was this put in the audit log? Why are there so many rules
> > > > listed? Why can't it just tell me simply what rule triggered the
> > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > > > bug?
> > > >
> > > > --7337282c-A--
> > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
> > > > --7337282c-B--
> > > > GET / HTTP/1.0
> > > >
> > > > --7337282c-F--
> > > > HTTP/1.1 308 Permanent Redirect
> > > > Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> > > > Referrer-Policy: unsafe-url
> > > > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> > > > X-Content-Type-Options: nosniff
> > > > X-Frame-Options: SAMEORIGIN
> > > > X-XSS-Protection: 1; mode=block
> > > > Location: https://othersite/
> > > > Content-Length: 428
> > > > Connection: close
> > > > Content-Type: text/html; charset=iso-8859-1
> > > >
> > > > --7337282c-E--
> > > >
> > > > --7337282c-H--
> > > > Stopwatch: 1668000670057655 23939 (- - -)
> > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
> > > > Response-Body-Transformed: Dechunked
> > > > Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
> > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 > > > > Engine-Mode: "DETECTION_ONLY" > > > > > > > > --7337282c-K-- > > > > SecAction > > > > > > "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332" > > > > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" > > > > > > "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5" > > > > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" > > > > > > "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4" > > > > > > > SecRule "&TX:paranoia_level" "@eq 0" > > > > > > "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1" > > > > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" > > > > > > "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}" > > > > > > > SecRule "&TX:sampling_percentage" "@eq 0" > > > > > > "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100" > > > > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" > > > > > > "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5" > > > > > > > SecRule "&TX:error_anomaly_score" "@eq 0" > > > > > > "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4" > > > > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" > > > > > > "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3" > > > > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" > > > > > > "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2" > > > > > > > SecRule "&TX:do_reput_block" "@eq 0" > > > > > > "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0" > > > > > > > SecRule "&TX:reput_block_duration" "@eq 0" > > > > > > 
"phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300" > > > > > > > SecRule "&TX:allowed_methods" "@eq 0" > > > > > > "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD > > > POST > > > > > > > OPTIONS'" > > > > > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" > > > > > > "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| > > > |text/xml| > > > > > > > |application/x > > > > ml| |application/soap+xml| |application/x-amf| |application/json| > > > > |application/cloudevents+json| |application/cloudevents-batch+json| > > > > |application/octet-stream| |application/csp-report| > > > > |application/xss-auditor-report| |text/plain|'" > > > > > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" > > > > > > "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252" > > > > > > > SecRule "&TX:allowed_http_versions" "@eq 0" > > > > > > "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 > > > HTTP/2 > > > > > > > HTTP/2.0'" > > > > > > > > SecRule "&TX:restricted_extensions" "@eq 0" > > > > > > "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ > > > .csr/ > > > > > > > .dat > > > > / .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ > > > > .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ > > > > .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ > > > > .vsdisco/ .webinfo/ .xsd/ .xsx/'" > > > > > > > > SecRule "&TX:restricted_headers" "@eq 0" > > > > > > 
"phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ > > > /content-range/ > > > > > > > /if/'" > > > > > > > > SecRule "&TX:static_extensions" "@eq 0" > > > > > > "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ > > > /.svg/ > > > > > > > /.webp/'" > > > > > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" > > > > > > "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0" > > > > > > > SecAction > > > > > > "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0 > > > > > > ,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_sco > > > > > > re=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0" > > > > > > > SecAction > > > > > > "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}" > > > > > > > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" > > > > "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body > > > > > > inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2" > > > > > > > SecRule "TX:sampling_percentage" "@eq 100" > > > > > > "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING" > > > > > > > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" > 
> > > > > "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS" > > > > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" > > > > "@eq 0" > > > > > > "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS" > > > > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" > > > > "@eq 0" > > > > > > "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD" > > > > > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" > > > > "@eq 0" > > > > > > "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" > > > > > > > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" > > > > > > "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" > > > > > > > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq > > > > 0" > > > > > > "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" > > > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" > > > > > > "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" > > > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" > > > > SecRule "&TX:dos_block_timeout" "@eq 0" > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" > > > > > > > SecRule 
"TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" > > > 
> > > > --7337282c-Z--
> > > >
> > > > Thanks for any help anyone can offer.
> > > >
> > > > Sent with Proton Mail secure email.
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/ |
From: <az...@po...> - 2022-11-09 16:59:11
|
This depends on the HTTP status code: all requests whose status code matches the regexp set in the SecAuditLogRelevantStatus directive in modsecurity.conf are logged (i.e. requests that were NOT blocked may be logged too). For more info, see: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus

azurit

Quoting O Lányi via mod-security-users <mod...@li...>:

> I understand the logging parts (I turned on additional parts to try
> to understand why harmless requests are being placed in the audit
> log), but why was this particular HTTP request put into the audit
> log at all? What was "wrong" with it?
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Wednesday, November 9th, 2022 at 10:30 AM, <az...@po...> wrote:
>
>> Hi,
>>
>> what is logged depends on the SecAuditLogParts directive in
>> modsecurity.conf. For more info, see:
>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>>
>> azurit
>>
>> Quoting O Lányi via mod-security-users
>> mod...@li...:
>>
>> > Hello,
>> >
>> > I'm trying to learn to appreciate modsecurity but everything about
>> > it is frustrating and confusing to me. I thought I'd try reaching
>> > out in hopes someone could help -- this is my last hope before I
>> > give up and turn it off.
>> >
>> > I am using DetectionOnly mode
>> >
>> > Why was this put in the audit log? Why are there so many rules
>> > listed? Why can't it just tell me simply what rule triggered the
>> > inclusion in the log, rather than 75 lines of gibberish? Is this a
>> > bug?
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/ |
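The two questions in this exchange (why did the 308 land in the audit log, and which of the 75 lines in part K is the rule that "triggered") can be checked mechanically. The Python below is an added example, not code from this thread or from the ModSecurity or CRS projects. It splits a serial-format audit-log entry on its `--<id>-<part>--` boundaries, applies the status-code test that azurit points to, and triages part K. Assumptions: the regex `^(?:5|4(?!04))` is the SecAuditLogRelevantStatus value shipped in modsecurity.conf-recommended (the poster's actual value is not shown in the thread); the sample entry is a constructed, abbreviated copy of the one quoted above, with headers and tag lists cut and part K reduced to representative lines; all function and variable names are this example's own. Two facts from the reference manual drive the triage: part K lists every rule that matched, housekeeping rules included, and a chained rule that did not match is written with a leading `#` (as with the second members of 954130 and 980120 in the quoted log), so those chains never fired as a whole; and `nolog` implies `noauditlog`, while a later `auditlog` turns the flag back on.

```python
import re

# Constructed sample: an abbreviated copy of the audit-log entry quoted in this
# thread, written the way the serial audit log stores it (one rule per line in
# part K; the mail client wrapped those lines). Headers and tag lists are cut.
SAMPLE_ENTRY = r"""--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/
Content-Length: 428
Connection: close

--7337282c-H--
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
--7337282c-Z--
"""

# SecAuditLogRelevantStatus as shipped in modsecurity.conf-recommended:
# every 5xx, and every 4xx except 404. The poster's own value is not shown.
RECOMMENDED_RELEVANT_STATUS = r"^(?:5|4(?!04))"

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
RULE_ID_RE = re.compile(r"\bid:(\d+)")
LOG_FLAG_RE = re.compile(r"\b(?:no)?(?:audit)?log\b")  # log/nolog/auditlog/noauditlog


def parse_audit_entry(text):
    """Split one serial-format audit-log entry into {part_letter: text}.
    Parts are delimited by '--<id>-<letter>--' lines; Z only closes the entry."""
    parts, current, buf = {}, None, []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m is None:
            if current is not None:
                buf.append(line)
            continue
        if current is not None:
            parts[current] = "\n".join(buf).strip("\n")
        current, buf = (None if m.group(2) == "Z" else m.group(2)), []
    if current is not None:  # entry without a closing Z boundary
        parts[current] = "\n".join(buf).strip("\n")
    return parts


def response_status(parts):
    """Status code from the status line that opens part F (response headers)."""
    lines = parts.get("F", "").splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})\b", lines[0]) if lines else None
    return m.group(1) if m else None


def status_is_relevant(status, pattern=RECOMMENDED_RELEVANT_STATUS):
    """The SecAuditLogRelevantStatus test: the regex is run on the status code."""
    return re.search(pattern, status) is not None


def effective_auditlog(rule_line):
    """Fold the log flags left to right: nolog also clears auditlog, a later
    auditlog switches it back on. The engine default (log,auditlog) starts on."""
    flag = True
    for tok in LOG_FLAG_RE.findall(rule_line):
        if tok == "auditlog":
            flag = True
        elif tok in ("nolog", "noauditlog"):
            flag = False
    return flag


def matched_rules(parts):
    """One record per rule in part K (every rule that matched). A '#' line is a
    chained member that did not match, which marks its starter's chain as
    incomplete; matched chain members have no id and fold into the starter."""
    records = []
    for line in parts.get("K", "").splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if records:
                records[-1]["chain_complete"] = False
            continue
        m = RULE_ID_RE.search(line)
        if m is None:
            continue
        records.append({"id": m.group(1),
                        "has_msg": re.search(r"\bmsg:", line) is not None,
                        "auditlog": effective_auditlog(line),
                        "chain_complete": True})
    return records


def relevant_rule_ids(parts):
    """Rules whose whole chain matched with the auditlog flag still on; these
    are the matches that make a transaction relevant under RelevantOnly."""
    return [r["id"] for r in matched_rules(parts)
            if r["chain_complete"] and r["auditlog"]]


def would_audit_log(parts, engine="RelevantOnly",
                    pattern=RECOMMENDED_RELEVANT_STATUS):
    """SecAuditEngine decision: On logs everything, Off nothing, RelevantOnly
    logs when a matched rule was relevant or the status matches the regex."""
    if engine == "Off":
        return False
    if engine == "On":
        return True
    status = response_status(parts)
    return bool(relevant_rule_ids(parts)) or (
        status is not None and status_is_relevant(status, pattern))
```

Run `would_audit_log(parse_audit_entry(SAMPLE_ENTRY))` to see that, with the recommended regex, none of the listed rules is relevant and a 308 does not match, so under `SecAuditEngine RelevantOnly` this entry would not have been written; `engine="On"` or a broader regex such as `^3` flips the answer, and uncommenting the second member of 954130 in the sample makes that chain the relevant match.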
From: O L. <ne...@pr...> - 2022-11-09 16:39:28
|
I understand the logging parts (I turned on additional parts to try to understand why harmless requests are being placed in the audit log), but why was this particular HTTP request put into the audit log at all? What was "wrong" with it?

Sent with Proton Mail secure email.

------- Original Message -------
On Wednesday, November 9th, 2022 at 10:30 AM, <az...@po...> wrote:

> Hi,
>
> what is logged depends on the SecAuditLogParts directive in
> modsecurity.conf. For more info, see:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>
> azurit
>
> Quoting O Lányi via mod-security-users
> mod...@li...:
>
> > Hello,
> >
> > I'm trying to learn to appreciate modsecurity but everything about
> > it is frustrating and confusing to me. I thought I'd try reaching
> > out in hopes someone could help -- this is my last hope before I
> > give up and turn it off.
> >
> > I am using DetectionOnly mode
> >
> > Why was this put in the audit log? Why are there so many rules
> > listed? Why can't it just tell me simply what rule triggered the
> > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > bug?
> >
> > --7337282c-A--
> > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
> > --7337282c-B--
> > GET / HTTP/1.0
> >
> > --7337282c-F--
> > HTTP/1.1 308 Permanent Redirect
> > Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
> > Referrer-Policy: unsafe-url
> > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> > X-Content-Type-Options: nosniff
> > X-Frame-Options: SAMEORIGIN
> > X-XSS-Protection: 1; mode=block
> > Location: https://othersite/
> > Content-Length: 428
> > Connection: close
> > Content-Type: text/html; charset=iso-8859-1
> >
> > --7337282c-E--
> >
> > --7337282c-H--
> > Stopwatch: 1668000670057655 23939 (- - -)
> > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
> > Response-Body-Transformed: Dechunked
> > Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
> > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
> > Engine-Mode: "DETECTION_ONLY"
> >
> > --7337282c-K--
> > SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
> > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
> > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
> > SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
> > SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
> > SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
> > SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
> > SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
> > SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
> > SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
> > SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
> > SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
> > SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
> > SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
> > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
> > SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
> > SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
> > SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
> > SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
> > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
> > SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
> > SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
> > SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
> > SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
> > SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
> > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
> > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
> > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
> > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
> > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
> > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > SecRule "&TX:dos_block_timeout" "@eq 0"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
> > SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
> > #SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
> > SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
> > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
> > SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
> > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
> > SecRule "&TX:dos_block_timeout" "@eq 0"
> > SecAction
"phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} > > ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt > > %{tx.inbound_anomaly_score_threshold}" > > "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly > > Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - > > SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score > > },RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, > > %{TX.ANO > > MALY_SCORE_PL3}, > > %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" > > > > SecAction > > "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. > > outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt > > %{tx.outbound_anomaly_score_threshold}" > > "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly > > Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): > > individual paranoia level scores: %{TX.OUTBO > > UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, > > %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, > > %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" > > > > --7337282c-Z-- > > > > Thanks for any help anyone can offer. > > > > Sent with Proton Mail secure email. 
> > > > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
From: <az...@po...> - 2022-11-09 16:30:48
Hi,

what is logged depends on the SecAuditLogParts directive in modsecurity.conf. For more info, see: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts

azurit

Quoting O Lányi via mod-security-users <mod...@li...>:

> Hello,
>
> I'm trying to learn to appreciate modsecurity but everything about
> it is frustrating and confusing to me. I thought I'd try reaching
> out in hopes someone could help -- this is my last hope before I
> give up and turn it off.
>
> I am using DetectionOnly mode
>
> Why was this put in the audit log? Why are there so many rules
> listed? Why can't it just tell me simply what rule triggered the
> inclusion in the log, rather than 75 lines of gibberish? Is this a
> bug?
>
> [...]
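An entry like the one quoted in this thread is easier to read once it is split by part letter: the following is an added example, not code from the list or from the ModSecurity project, that parses the serial audit log format at its `--<id>-<part>--` boundaries and separates the alerts in part H (the `Message:` lines) from the list of matched rules in part K. Its sample input is a constructed, shortened copy of the posted entry plus a made-up second transaction (placeholder transaction id 0000abcd, placeholder rule id 999999).

```python
"""Added example, not from the list nor from ModSecurity itself: split a 2.x
serial audit log at its --<id>-<part>-- boundaries and tell the alerts
("Message:" lines in part H) apart from the full matched-rule list in part K."""
import re

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")  # e.g. --7337282c-K--
RULE_ID = re.compile(r"\bid:(\d+)")                      # id:901100 in a rule
MSG_ID = re.compile(r'\[id "(\d+)"\]')                    # [id "..."] in Message:

def parse_audit_log(text):
    """Return [{"id": txid, "parts": {"A": body, "B": body, ...}}, ...]."""
    entries, current, letter, buf = [], None, None, []
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if not m:
            buf.append(line)  # body line of the current part
            continue
        if letter is not None:
            current["parts"][letter] = "\n".join(buf).strip("\n")
        txid, letter = m.groups()
        if current is None or current["id"] != txid:
            current = {"id": txid, "parts": {}}  # a new transaction starts
            entries.append(current)
        buf = []
    if letter is not None:
        current["parts"][letter] = "\n".join(buf).strip("\n")
    return entries

def alert_rule_ids(entry):
    """Rules that actually alerted: one 'Message:' line each in part H."""
    ids = []
    for line in entry["parts"].get("H", "").splitlines():
        if line.startswith("Message:"):
            m = MSG_ID.search(line)
            ids.append(m.group(1) if m else "?")
    return ids

def matched_rule_ids(entry):
    """Every rule that matched (part K), nolog housekeeping rules included;
    '#'-prefixed lines are chained rules that are listed but did not match."""
    ids = []
    for line in entry["parts"].get("K", "").splitlines():
        if line.startswith(("SecRule", "SecAction")):
            m = RULE_ID.search(line)
            if m:
                ids.append(m.group(1))
    return ids

def summarize(entry):
    """One-line view: parts present, status, engine mode, alerts, matched."""
    parts = entry["parts"]
    mode = None
    for line in parts.get("H", "").splitlines():
        if line.startswith("Engine-Mode:"):
            mode = line.split(":", 1)[1].strip().strip('"')
    return {
        "id": entry["id"],
        "parts": "".join(parts),  # part letters in file order
        "status": parts["F"].splitlines()[0] if parts.get("F") else None,
        "engine_mode": mode,
        "alerts": alert_rule_ids(entry),
        "matched": matched_rule_ids(entry),
    }

# Constructed sample: a shortened copy of the entry in the post, then a second,
# made-up transaction; its id 0000abcd and rule id 999999 are placeholders.
SAMPLE = r"""
--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect

--7337282c-E--

--7337282c-H--
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score',chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
--7337282c-Z--

--0000abcd-A--
[09/Nov/2022:07:32:00.000000 --0600] CONSTRUCTED_TXID (REMOTE_IP) 56870 (MY_IP) 443
--0000abcd-H--
Message: Warning. Pattern match "constructed" at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "1"] [id "999999"] [msg "constructed example alert"]
Engine-Mode: "DETECTION_ONLY"

--0000abcd-Z--
"""

if __name__ == "__main__":
    for entry in parse_audit_log(SAMPLE):
        print(summarize(entry))
```

In the posted entry part H carries no Message line, so no rule alerted; the 75 lines in part K are every rule that matched during the transaction, most of them CRS setup and skipAfter rules marked nolog, and part K is only written when K is listed in SecAuditLogParts.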
From: O L. <ne...@pr...> - 2022-11-09 16:23:54
Hello,

I'm trying to learn to appreciate modsecurity but everything about it is frustrating and confusing to me. I thought I'd try reaching out in hopes someone could help -- this is my last hope before I give up and turn it off.

I am using DetectionOnly mode

Why was this put in the audit log? Why are there so many rules listed? Why can't it just tell me simply what rule triggered the inclusion in the log, rather than 75 lines of gibberish? Is this a bug?

--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Referrer-Policy: unsafe-url
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Location: https://othersite/
Content-Length: 428
Connection: close
Content-Type: text/html; charset=iso-8859-1

--7337282c-E--

--7337282c-H--
Stopwatch: 1668000670057655 23939 (- - -)
Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"

SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"

SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"

SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"

SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"

SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"

SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"

SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"

SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"

SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"

SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"

SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"

SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"

SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"

SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"

SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"

SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"

SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"

SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"

SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"

SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"

SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"

SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"

SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"

SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"

SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"

SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"

SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"

SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"

SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"

SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"

SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"

SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"

SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"

SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"

SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"

SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"

SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"

--7337282c-Z--

Thanks for any help anyone can offer.

Sent with [Proton Mail](https://proton.me/) secure email.
From: Christian F. <chr...@ne...> - 2022-10-20 13:49:51
|
Ah, sweet. Had forgotten about this. Thanks azurit!

On Thu, Oct 20, 2022 at 03:27:22PM +0200, az...@po... wrote:
> Hi!
>
> > One idea I’m toying with is creating an interstitial page similar to
> > Cloudflare’s “Checking your browser..” page. For ASNs which are
> > problematic it would be a bit safer to force someone to perform a
> > hCaptcha or something check before they can get through to the intended
> > site and set a cookie. I think this might be possible but a little bit
> > difficult to create entirely using mod_security though, so I’m thinking
> > about writing a new (and relatively simple) Apache module. I’d love to
> > hear if someone has already done this!
>
> My ModSecurity reCAPTCHA library may help you with this, check it out (needs
> Lua support in ModSec):
> https://github.com/azurit/modsecurity-recaptcha
>
> azurit
>
> > Joel
> >
> > > On 19 Oct 2022, at 12:04 am, Christian Folini
> > > <chr...@ne...> wrote:
> > >
> > > Hi there,
> > >
> > > During the years, I have found the use of GeoIP (& ASN) information in
> > > #ModSecurity / @CoreRuleSet very useful. Yet very few people do
> > > this for GeoIP and practically nobody for ASN.
> > >
> > > It really helps to weed out false positives or defend in case of certain
> > > persistent attacks.
> > >
> > > Since good documentation on the subject is scarce, here is how to get this
> > > into your setup:
> > >
> > > https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/
> > > (Also covered in my 2nd webcast last week:
> > > https://www.youtube.com/watch?v=OBVwdqEFmX0)
> > >
> > > I have also covered this in my 2nd ModSec / CRS webcast last week (plus some
> > > additional interesting stuff):
> > > https://www.youtube.com/watch?v=OBVwdqEFmX0
> > >
> > > Best,
> > >
> > > Christian
> > >
> > > --
> > > Ultimately, motivation gets us started,
> > > but discipline and habit are what enable us to finish.
> > > -- Matthew Helmke
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/ |
From: <az...@po...> - 2022-10-20 13:45:20
|
Hi!

> One idea I’m toying with is creating an interstitial page similar to
> Cloudflare’s “Checking your browser..” page. For ASNs which are
> problematic it would be a bit safer to force someone to perform a
> hCaptcha or something check before they can get through to the
> intended site and set a cookie. I think this might be possible but a
> little bit difficult to create entirely using mod_security though,
> so I’m thinking about writing a new (and relatively simple) Apache
> module. I’d love to hear if someone has already done this!

My ModSecurity reCAPTCHA library may help you with this, check it out
(needs Lua support in ModSec):
https://github.com/azurit/modsecurity-recaptcha

azurit

> Joel
>
>> On 19 Oct 2022, at 12:04 am, Christian Folini
>> <chr...@ne...> wrote:
>>
>> Hi there,
>>
>> During the years, I have found the use of GeoIP (& ASN) information in
>> #ModSecurity / @CoreRuleSet very useful. Yet very few people do
>> this for GeoIP and practically nobody for ASN.
>>
>> It really helps to weed out false positives or defend in case of certain
>> persistent attacks.
>>
>> Since good documentation on the subject is scarce, here is how to get this
>> into your setup:
>>
>> https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/
>> (Also covered in my 2nd webcast last week:
>> https://www.youtube.com/watch?v=OBVwdqEFmX0)
>>
>> I have also covered this in my 2nd ModSec / CRS webcast last week (plus some
>> additional interesting stuff):
>> https://www.youtube.com/watch?v=OBVwdqEFmX0
>>
>> Best,
>>
>> Christian
>>
>> --
>> Ultimately, motivation gets us started,
>> but discipline and habit are what enable us to finish.
>> -- Matthew Helmke |
From: Christian F. <chr...@ne...> - 2022-10-19 07:25:25
|
Hey Joel,

On Wed, Oct 19, 2022 at 11:50:45AM +1030, Joel Williams wrote:
> Thanks Christian! I enjoyed the article.

Thank you very much. One gets very little feedback for technical blog posts.
So this is very much appreciated.

> I agree that ASN is underrated - I get a lot of scans from well-known and
> generally reputable cloud providers which operate in multiple countries, and
> blocking these providers seems like a much safer way to avoid false
> positives than doing it by country. However there is still a risk that
> people are using personal VPSes to run proxies or have good reasons to use
> services like Tor. While this is probably not a very significant proportion
> of people I’m reluctant to block access to customer sites outright with no
> recourse for these users. On the other hand, blocking access by these ASNs
> to specific resources like the WordPress wp-login.php page would probably be
> OK.

I do not block by ASN and I do not recommend doing it. Yet I skip some of
them when doing false positive analysis. Meaning, it's OK to use DigitalOcean
as your personal VPN provider, but when you hit a false positive on my
website, chances are I won't react to it without a call.

Maybe I'll follow up with a blog post on mean anomaly scores per ASN on the
netnea website. It's staggering how 2-3 ASNs are really topping.

Mean incoming anomaly score across the entire log: 0.13
US ASN 53667: PONYNET: Mean anomaly score of 3!

What is also interesting - but bumps into the same TOR / VPN problem - is to
check User-Agents against ASNs. So you're pretending to be a Mozilla (=any
Browser), yet you live on a server ASN ...

> One idea I’m toying with is creating an interstitial page similar to
> Cloudflare’s “Checking your browser..” page. For ASNs which are problematic
> it would be a bit safer to force someone to perform a hCaptcha or something
> check before they can get through to the intended site and set a cookie. I
> think this might be possible but a little bit difficult to create entirely
> using mod_security though, so I’m thinking about writing a new (and
> relatively simple) Apache module. I’d love to hear if someone has already
> done this!

Ah, the sweet promises of anti-automation. :)

I'm sure this has been done, but I have not seen a public description how to
pull it off with open source tools. Yet I do not think it would be very
complicated with ModSec. Pseudo-Code:

* ModSec Rule: if suspicious ASN and no cookie: redirect to Captcha
* Captcha Page: if successful captcha: set cookie

Suspicious ASNs in separate file (-> @pmFromFile). I guess that's all.

Now that I think about it, it sounds as if it would make for a lovely blog
post.

This presentation here has more ideas that could be harvested and implemented
in ModSecurity:
https://www.youtube.com/watch?v=XKkyvO2rQ-E
(Don't let the title fool you, a lot of it is about anti-automation. And it's
a great talk btw)

All together this could make an interesting anti-automation CRS plugin.

Best!

Christian

> Joel
>
> > On 19 Oct 2022, at 12:04 am, Christian Folini
> > <chr...@ne...> wrote:
> >
> > Hi there,
> >
> > During the years, I have found the use of GeoIP (& ASN) information in
> > #ModSecurity / @CoreRuleSet very useful. Yet very few people do this for
> > GeoIP and practically nobody for ASN.
> >
> > It really helps to weed out false positives or defend in case of certain
> > persistent attacks.
> >
> > Since good documentation on the subject is scarce, here is how to get this
> > into your setup:
> >
> > https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/
> > (Also covered in my 2nd webcast last week:
> > https://www.youtube.com/watch?v=OBVwdqEFmX0)
> >
> > I have also covered this in my 2nd ModSec / CRS webcast last week (plus
> > some additional interesting stuff):
> > https://www.youtube.com/watch?v=OBVwdqEFmX0
> >
> > Best,
> >
> > Christian
> >
> > --
> > Ultimately, motivation gets us started, but discipline and habit are
> > what enable us to finish. -- Matthew Helmke |
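One way to turn the pseudo-code above into ModSecurity 2.x rules, as an added example that is not from this thread, from netnea or from the CRS. It assumes that mod_maxminddb has been configured to export the client's ASN into the Apache environment variable ASN (that variable name, the rule ids 9100010 to 9100060, the file name suspicious-asns.data, the cookie name asn_ok and the /captcha/ path are all assumptions), and that the captcha page sets the cookie once the challenge is solved.

```apache
# Added example (not from the thread or the CRS): send clients from suspicious
# ASNs to a captcha page until they carry the cookie the captcha page sets.
#
# Assumption: mod_maxminddb exports the client's ASN into the env var ASN,
# e.g. with   MaxMindDBEnv ASN ASN_DB autonomous_system_number
# Rule ids, cookie name, file name and /captcha/ are arbitrary assumptions.

# Value the captcha page writes into the asn_ok cookie after a solved
# challenge. Replace with a long random string; rule 9100050 compares
# the cookie against it.
SecAction "id:9100010,phase:1,pass,t:none,nolog,\
    setvar:tx.captcha_secret=CHANGE-ME-long-random-value"

# @pmFromFile matches substrings, so a list entry 5366 would also hit
# ASN 53667. Wrap the ASN in delimiters and keep the list in the same form.
# suspicious-asns.data (constructed sample), one entry per line:
#   /53667/
#   /64496/
SecAction "id:9100020,phase:2,pass,t:none,nolog,\
    setvar:tx.asn_key=/%{ENV.ASN}/"

# 1. Flag the request when the ASN is on the list
SecRule TX:asn_key "@pmFromFile suspicious-asns.data" \
    "id:9100030,phase:2,pass,t:none,nolog,\
    setvar:tx.suspicious_asn=1"

# 2. Never challenge the captcha page itself, or nobody could ever solve it
SecRule REQUEST_URI "@beginsWith /captcha/" \
    "id:9100040,phase:2,pass,t:none,nolog,\
    setvar:tx.suspicious_asn=0"

# 3. A cookie carrying the expected value marks a solved challenge
#    (@streq expands the macro before comparing)
SecRule REQUEST_COOKIES:asn_ok "@streq %{tx.captcha_secret}" \
    "id:9100050,phase:2,pass,t:none,nolog,\
    setvar:tx.captcha_ok=1"

# 4. Suspicious ASN and no solved challenge: redirect to the captcha page.
#    &TX:captcha_ok counts how many such variables exist, so a missing or
#    wrong cookie leaves the count at 0 and the chain fires.
SecRule TX:suspicious_asn "@eq 1" \
    "id:9100060,phase:2,log,\
    msg:'Captcha challenge for suspicious ASN %{ENV.ASN}',\
    redirect:/captcha/,chain"
    SecRule &TX:captcha_ok "@eq 0"
```

Phase 2 is used rather than phase 1 so that the environment variable is already populated when the rules run. The cookie here is a single shared value, so anyone who solves the challenge once holds a token that works from any client; a cookie bound to the client (for example a signed value that includes the client address and an expiry, verified by the rule) needs the Lua route that azurit's modsecurity-recaptcha library takes, and the captcha page should set the cookie with the Secure and HttpOnly attributes.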
From: Joel W. <jo...@jo...> - 2022-10-19 01:38:02
|
Thanks Christian! I enjoyed the article.

I agree that ASN is underrated - I get a lot of scans from well-known and
generally reputable cloud providers which operate in multiple countries, and
blocking these providers seems like a much safer way to avoid false positives
than doing it by country. However there is still a risk that people are using
personal VPSes to run proxies or have good reasons to use services like Tor.
While this is probably not a very significant proportion of people I’m
reluctant to block access to customer sites outright with no recourse for
these users. On the other hand, blocking access by these ASNs to specific
resources like the WordPress wp-login.php page would probably be OK.

One idea I’m toying with is creating an interstitial page similar to
Cloudflare’s “Checking your browser..” page. For ASNs which are problematic it
would be a bit safer to force someone to perform a hCaptcha or something check
before they can get through to the intended site and set a cookie. I think
this might be possible but a little bit difficult to create entirely using
mod_security though, so I’m thinking about writing a new (and relatively
simple) Apache module. I’d love to hear if someone has already done this!

Joel

> On 19 Oct 2022, at 12:04 am, Christian Folini <chr...@ne...> wrote:
>
> Hi there,
>
> During the years, I have found the use of GeoIP (& ASN) information in
> #ModSecurity / @CoreRuleSet very useful. Yet very few people do
> this for GeoIP and practically nobody for ASN.
>
> It really helps to weed out false positives or defend in case of certain
> persistent attacks.
>
> Since good documentation on the subject is scarce, here is how to get this
> into your setup:
>
> https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/
> (Also covered in my 2nd webcast last week:
> https://www.youtube.com/watch?v=OBVwdqEFmX0)
>
> I have also covered this in my 2nd ModSec / CRS webcast last week (plus some
> additional interesting stuff):
> https://www.youtube.com/watch?v=OBVwdqEFmX0
>
> Best,
>
> Christian
>
> --
> Ultimately, motivation gets us started,
> but discipline and habit are what enable us to finish.
> -- Matthew Helmke |
From: Christian F. <chr...@ne...> - 2022-10-18 13:34:38
|
Hi there,

During the years, I have found the use of GeoIP (& ASN) information in
#ModSecurity / @CoreRuleSet very useful. Yet very few people do this for
GeoIP and practically nobody for ASN.

It really helps to weed out false positives or defend in case of certain
persistent attacks.

Since good documentation on the subject is scarce, here is how to get this
into your setup:

https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/
(Also covered in my 2nd webcast last week:
https://www.youtube.com/watch?v=OBVwdqEFmX0)

I have also covered this in my 2nd ModSec / CRS webcast last week (plus some
additional interesting stuff):
https://www.youtube.com/watch?v=OBVwdqEFmX0

Best,

Christian

--
Ultimately, motivation gets us started,
but discipline and habit are what enable us to finish.
-- Matthew Helmke |
From: Ervin H. <ai...@gm...> - 2022-09-27 13:58:50
|
Hi Peter,

On Tue, Sep 27, 2022 at 03:38:20PM +0200, lo...@kr... wrote:
> Thank you for your fast reply.

yw,

> > * which version can I upload (3.3.0 + patch OR 3.3.3, which
> >   mentioned in CVE as fixed version, OR the 3.3.4) into Debian
> > * which version is the stable (3.3.4, or may be CRS will release
> >   a new one soon, 3.3.5)
>
> Who will have to decide? CRS-Team or debian?

1st: Debian
2nd: CRS team

> Given the fact that this has been out for almost a week now, and
> Christian's and Walter's messages concerning the ModSecurity release, can
> this be sped up?

I'm really sorry, I had written an e-mail to the Debian Release team *before*
the new CRS and ModSec versions had been released, but got the answer only
last week. ModSecurity patches are done (see Debian's Salsa), but I still
couldn't upload them. I'll ask them again and try to urge it.

> > Btw if you want to use the last version of CRS, you can use
> > Digitalwave's repository:
> >
> > https://modsecurity.digitalwave.hu/
>
> I'm aware of this, however the binaries are only amd64 and I'm running
> part of my infrastructure on Mac M1.

oh, I see, sorry - and thanks for info.

> This should work for CRS, though!

yes, CRS would work,

> Thanks for the reminder.

yw,

a. |
From: <lo...@kr...> - 2022-09-27 13:38:36
|
Ervin,

Thank you for your fast reply.

> On 27.09.2022 at 15:03, Ervin Hegedüs <ai...@gm...> wrote:
>
> On Tue, Sep 27, 2022 at 09:54:32AM +0200, Peter Kreuser wrote:
>> Hi,
>>
>> May I ask why Debian rates them as
>>
>> "[bullseye] - modsecurity-crs <no-dsa> (Minor issues; will be fixed in point release)"
>>
>> see for example https://security-tracker.debian.org/tracker/CVE-2022-39958
>>
>> No updates so far available.... @Ervin Hegedues???
>
> Unfortunately I can't answer this question.
>
> I'm waiting for two things before I upload the new package:
>
> * which version can I upload (3.3.0 + patch OR 3.3.3, which
>   mentioned in CVE as fixed version, OR the 3.3.4) into Debian
> * which version is the stable (3.3.4, or may be CRS will release
>   a new one soon, 3.3.5)

Who will have to decide? CRS-Team or debian?

Given the fact that this has been out for almost a week now, and Christian's
and Walter's messages concerning the ModSecurity release, can this be sped
up?

> Btw if you want to use the last version of CRS, you can use
> Digitalwave's repository:
>
> https://modsecurity.digitalwave.hu/

I'm aware of this, however the binaries are only amd64 and I'm running part
of my infrastructure on Mac M1.

This should work for CRS, though!

Thanks for the reminder.

Peter

> a.
>
> ps: I will let you know (on this list), if I can upload the new
> packages to Debian mirrors.
>
>>> On 21.09.2022 at 07:59, Christian Folini <chr...@ne...> wrote:
>>>
>>> Dear all,
>>>
>>> Following ModSecurity's security releases earlier this month, we have followed
>>> suit and updated the stable CRS v3.2 and CRS v3.3 release branches as well.
>>>
>>> https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
>>>
>>> (Unfortunately, we also released a bug, so we had to followup with 3.3.4 and
>>> 3.2.3 immediately. Details in the blog.)
>>>
>>> These two updates cover for several partial rule set bypasses:
>>>
>>> CVE-2022-39955 – Multiple charsets defined in Content-Type header
>>> CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header abuse
>>> CVE-2022-39957 – Charset accept header field resulting in resp rule set bypass
>>> CVE-2022-39958 – Small range header leading to response rule set bypass
>>>
>>> Outside of these CVE-worthy fixes, there are a handful of security fixes that
>>> are of slightly lower severity.
>>>
>>> Please be aware that the fix to CVE-2022-39956 depends on the update of
>>> ModSecurity to the versions 2.9.6 or 3.0.8.
>>>
>>> Best regards,
>>>
>>> Christian Folini, OWASP ModSecurity Core Rule Set co-lead
>>>
>>> --
>>> Ultimately, motivation gets us started,
>>> but discipline and habit are what enable us to finish.
>>> -- Matthew Helmke |
From: Ervin H. <ai...@gm...> - 2022-09-27 13:03:35
|
On Tue, Sep 27, 2022 at 09:54:32AM +0200, Peter Kreuser wrote:
> Hi,
>
> May I ask why Debian rates them as
>
> "[bullseye] - modsecurity-crs <no-dsa> (Minor issues; will be fixed in point release)"
>
> see for example https://security-tracker.debian.org/tracker/CVE-2022-39958
>
> No updates so far available.... @Ervin Hegedues???

Unfortunately I can't answer this question.

I'm waiting for two things before I upload the new package:

* which version can I upload (3.3.0 + patch OR 3.3.3, which
  mentioned in CVE as fixed version, OR the 3.3.4) into Debian
* which version is the stable (3.3.4, or may be CRS will release
  a new one soon, 3.3.5)

Btw if you want to use the last version of CRS, you can use
Digitalwave's repository:

https://modsecurity.digitalwave.hu/

a.

ps: I will let you know (on this list), if I can upload the new
packages to Debian mirrors.

> > On 21.09.2022 at 07:59, Christian Folini <chr...@ne...> wrote:
> >
> > Dear all,
> >
> > Following ModSecurity's security releases earlier this month, we have followed
> > suit and updated the stable CRS v3.2 and CRS v3.3 release branches as well.
> >
> > https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
> >
> > (Unfortunately, we also released a bug, so we had to followup with 3.3.4 and
> > 3.2.3 immediately. Details in the blog.)
> >
> > These two updates cover for several partial rule set bypasses:
> >
> > CVE-2022-39955 – Multiple charsets defined in Content-Type header
> > CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header abuse
> > CVE-2022-39957 – Charset accept header field resulting in resp rule set bypass
> > CVE-2022-39958 – Small range header leading to response rule set bypass
> >
> > Outside of these CVE-worthy fixes, there are a handful of security fixes that
> > are of slightly lower severity.
> >
> > Please be aware that the fix to CVE-2022-39956 depends on the update of
> > ModSecurity to the versions 2.9.6 or 3.0.8.
> >
> > Best regards,
> >
> > Christian Folini, OWASP ModSecurity Core Rule Set co-lead
> >
> > --
> > Ultimately, motivation gets us started,
> > but discipline and habit are what enable us to finish.
> > -- Matthew Helmke |
From: Peter K. <lo...@kr...> - 2022-09-27 08:10:05
|
Hi,

May I ask why Debian rates them as

"[bullseye] - modsecurity-crs <no-dsa> (Minor issues; will be fixed in point release)"

see for example https://security-tracker.debian.org/tracker/CVE-2022-39958

No updates so far available.... @Ervin Hegedues???

Best regards

Peter

> On 21.09.2022 at 07:59, Christian Folini <chr...@ne...> wrote:
>
> Dear all,
>
> Following ModSecurity's security releases earlier this month, we have followed
> suit and updated the stable CRS v3.2 and CRS v3.3 release branches as well.
>
> https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
>
> (Unfortunately, we also released a bug, so we had to followup with 3.3.4 and
> 3.2.3 immediately. Details in the blog.)
>
> These two updates cover for several partial rule set bypasses:
>
> CVE-2022-39955 – Multiple charsets defined in Content-Type header
> CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header abuse
> CVE-2022-39957 – Charset accept header field resulting in resp rule set bypass
> CVE-2022-39958 – Small range header leading to response rule set bypass
>
> Outside of these CVE-worthy fixes, there are a handful of security fixes that
> are of slightly lower severity.
>
> Please be aware that the fix to CVE-2022-39956 depends on the update of
> ModSecurity to the versions 2.9.6 or 3.0.8.
>
> Best regards,
>
> Christian Folini, OWASP ModSecurity Core Rule Set co-lead
>
> --
> Ultimately, motivation gets us started,
> but discipline and habit are what enable us to finish.
> -- Matthew Helmke |
From: Christian F. <chr...@ne...> - 2022-09-21 05:59:00
|
Dear all,

Following ModSecurity's security releases earlier this month, we have followed
suit and updated the stable CRS v3.2 and CRS v3.3 release branches as well.

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

(Unfortunately, we also released a bug, so we had to followup with 3.3.4 and
3.2.3 immediately. Details in the blog.)

These two updates cover for several partial rule set bypasses:

CVE-2022-39955 – Multiple charsets defined in Content-Type header
CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header abuse
CVE-2022-39957 – Charset accept header field resulting in resp rule set bypass
CVE-2022-39958 – Small range header leading to response rule set bypass

Outside of these CVE-worthy fixes, there are a handful of security fixes that
are of slightly lower severity.

Please be aware that the fix to CVE-2022-39956 depends on the update of
ModSecurity to the versions 2.9.6 or 3.0.8.

Best regards,

Christian Folini, OWASP ModSecurity Core Rule Set co-lead

--
Ultimately, motivation gets us started,
but discipline and habit are what enable us to finish.
-- Matthew Helmke |
From: Christian F. <chr...@ne...> - 2022-09-09 08:27:54
|
On Fri, Sep 09, 2022 at 10:17:45AM +0200, Christian Folini wrote:
> OWASP CRS will also issue a security update to the 3.2.x and v3.2.x release

-> 3.2.x and v3.3.x release lines apparently. Sorry.

Christian

--
I have always observed that to succeed in the world one should appear like a
fool but be wise.
-- Charles de Montesquieu |
From: Christian F. <chr...@ne...> - 2022-09-09 08:18:01
|
Dear all,

Trustwave Spiderlabs has released ModSecurity 2.9.6 and ModSecurity /
libModSecurity 3.0.8.

https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-versions-308-and-296/

They did not announce this on this mailing list, though, and they also
confirmed they have no intention to do so.

Reading through the release notes does not really make it clear this is a
security release. Being familiar with all the weaknesses in question, I
assure you this is grave. Please update your servers.

Please note that the modsecurity recommended rules that pick the request body
processor will also have to be updated.

A very convenient change in this release is that single quotes in
double-quoted multipart file upload filenames will no longer trigger a body
processor error. French and Italian users will welcome this in particular.

The OWASP ModSecurity Core Rule Set team has made sure these changes make it
into the stable Debian release and will be picked up by other distributions
from there. (This is fairly political since distros tend to refuse updates
unless there is a CVE involved.)

OWASP CRS will also issue a security update to the 3.2.x and v3.2.x release
line to complement the changes in the engine. We tried to be really fast
after the ModSecurity release but being late is better than a broken release
and we are still testing. Expect these releases next week.

I am running a ModSecurity / CRS webcast next Tuesday, 2pm CET. You can sign
up here:

https://www.meetup.com/meetup-group-ungjkskv/events/287901911/

I will cover (some of) the weaknesses in this ModSecurity update in this
first edition of this new format. Tune in when you want to understand what
this is all about.

Best regards,

Christian

--
No one is born hating another person because of the colour of his skin, or
his background, or his religion.
People must learn to hate, and if they can learn to hate, they can be taught
to love, for love comes more naturally to the human heart than its opposite.
-- Nelson Mandela |
From: Ervin H. <ai...@gm...> - 2022-06-15 12:38:42
|
Hi Homesh,

On Wed, Jun 15, 2022 at 03:51:05PM +0530, homesh joshi wrote:
> Thanks Azurit. I wanted to push that value into the custom logs I am
> creating. But it is ok as generally no one changes the mode very frequently.

maybe it helps: the audit.log H section contains this information, eg:

--e3f74c6b-H--
Message: ...
...
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Server: Apache/2.4.38 (Debian)
Engine-Mode: "ENABLED"

a. |
From: homesh j. <ho...@gm...> - 2022-06-15 10:21:26
|
Thanks Azurit. I wanted to push that value into the custom logs I am
creating. But it is ok as generally no one changes the mode very frequently.

On Wed, 15 Jun, 2022, 3:42 pm, <az...@po...> wrote:
> Hi Homesh,
>
> unfortunately, this isn't accessible via any variable.
>
> azurit
>
> Quoting homesh joshi <ho...@gm...>:
>
> > Hi All,
> >
> > I wanted to know the variable name which holds modsecurity mode
> >
> > "engine_mode":"ENABLED" that I see in the audit logs but not sure what
> > is the exact name of a variable.
> >
> > Thanks,
> > Homesh |
From: <az...@po...> - 2022-06-15 10:08:34
|
Hi Homesh,

unfortunately, this isn't accessible via any variable.

azurit

Quoting homesh joshi <ho...@gm...>:

> Hi All,
>
> I wanted to know the variable name which holds modsecurity mode
>
> "engine_mode":"ENABLED" that I see in the audit logs but not sure what is
> the exact name of a variable.
>
> Thanks,
> Homesh |