Thread: [mod-security-users] nolog rule still logs
From: Bren <umu...@pr...> - 2021-04-03 17:39:03
Hello,

I've been working to roll out ModSecurity on Nginx (OpenResty 1.19.3.1 / nginx-1.19.3). I compiled the Nginx connector against the Debian 10 version of libmodsecurity (v3.0.3, but this happens when using v3/master as well).

Using the stock unmodified modsecurity.conf-recommended. I added this line for haproxy health checks:

    SecRule REQUEST_FILENAME "/waf_health_check" "id:1000,nolog,deny"

Even with nolog this rule still logs to the audit log and the Nginx error log. I've tried every combo of options I could find to get this to stop logging but for some reason it still gets logged.

As far as I can tell from the docs, nolog should prevent this rule match from appearing in any logs. I shouldn't need anything else but this. What am I missing?

Bren
From: Ehsan M. <ehs...@gm...> - 2021-04-04 04:35:45
Hi,

try "id:1000,nolog,noauditlog,deny"

On Sat, Apr 3, 2021 at 10:12 PM Bren via mod-security-users <mod...@li...> wrote:
> Hello,
>
> I've been working to roll out ModSecurity on Nginx (OpenResty 1.19.3.1 / nginx-1.19.3). I compiled the Nginx connector against the Debian 10 version of libmodsecurity (v3.0.3, but this happens when using v3/master as well).
>
> Using the stock unmodified modsecurity.conf-recommended. I added this line for haproxy health checks:
>
> SecRule REQUEST_FILENAME "/waf_health_check" "id:1000,nolog,deny"
>
> Even with nolog this rule still logs to the audit log and the Nginx error log. I've tried every combo of options I could find to get this to stop logging but for some reason it still gets logged.
>
> As far as I can tell from the docs, nolog should prevent this rule match from appearing in any logs. I shouldn't need anything else but this. What am I missing?
>
> Bren
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

--
regards
Ehsan Mahdavi
PhD candidate in Computer Engineering at Isfahan University of Technology
http://emahdavi.ece.iut.ac.ir/
From: Bren <umu...@pr...> - 2021-04-04 22:03:16
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, April 3rd, 2021 at 11:35 PM, Ehsan Mahdavi <ehs...@gm...> wrote:

> try "id:1000,nolog,noauditlog,deny"

I tried that and:

    id:1000,nolog,noauditlog,ctl:auditEngine=Off,deny

From this ticket: https://github.com/SpiderLabs/ModSecurity/issues/1217

And still this rule match gets logged. According to the documentation nolog should be enough (unless I'm misunderstanding) so I am not sure what's going on.

The full conf is:

    # The stock recommended conf
    Include /etc/openresty/modsecurity/modsecurity.conf

    SecRule REQUEST_FILENAME "/waf_health_check" "id:1000,nolog,deny"

This is what's getting logged:

    ---XlVYmBXD---A--
    [04/Apr/2021:12:40:35 -0400] 161755443589.343274 127.0.0.1 4502 127.0.0.1 8504
    ---XlVYmBXD---B--
    HEAD /waf_health_check HTTP/1.0
    content-length: 0
    ---XlVYmBXD---D--
    ---XlVYmBXD---F--
    HTTP/1.0 403
    ---XlVYmBXD---H--
    ---XlVYmBXD---I--
    ---XlVYmBXD---J--
    ---XlVYmBXD---Z--

This is the only thing I've tried so far that stops this line from getting logged:

    SecAuditLogRelevantStatus "^(?:5|4(?!04|03))"

But I want other 403s to be logged of course.
From: Christian F. <chr...@ne...> - 2021-04-06 07:28:25
Hi Bren,

This is all a bit complicated. Yet there is a chance this is logged in the audit log because the status is 403. That does not really explain the error log though.

What engine version and which connector are you using?

Best,

Christian

On Sat, Apr 03, 2021 at 05:38:27PM +0000, Bren via mod-security-users wrote:
> Hello,
>
> I've been working to roll out ModSecurity on Nginx (OpenResty 1.19.3.1 / nginx-1.19.3). I compiled the Nginx connector against the Debian 10 version of libmodsecurity (v3.0.3, but this happens when using v3/master as well).
>
> Using the stock unmodified modsecurity.conf-recommended. I added this line for haproxy health checks:
>
> SecRule REQUEST_FILENAME "/waf_health_check" "id:1000,nolog,deny"
>
> Even with nolog this rule still logs to the audit log and the Nginx error log. I've tried every combo of options I could find to get this to stop logging but for some reason it still gets logged.
>
> As far as I can tell from the docs, nolog should prevent this rule match from appearing in any logs. I shouldn't need anything else but this. What am I missing?
>
> Bren
From: Bren <umu...@pr...> - 2021-04-06 07:36:20
Hi Christian,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, April 6th, 2021 at 2:22 AM, Christian Folini <chr...@ne...> wrote:

> What engine version and which connector are you using?

ModSecurity v3/master
ModSecurity-nginx master

Bren
From: Bren <umu...@pr...> - 2021-04-06 07:40:47
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, April 6th, 2021 at 2:34 AM, Ehsan Mahdavi <ehs...@gm...> wrote:

> Sometimes adding a proper phase directive like phase:1 or phase:2 would solve the problem.

That did not help unfortunately.

Bren
From: Bren <umu...@pr...> - 2021-04-06 19:25:18
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, April 3rd, 2021 at 12:38 PM, Bren via mod-security-users <mod...@li...> wrote:

> Even with nolog this rule still logs to the audit log and the Nginx error log.

So I think I know what's going on. This rule isn't actually being logged despite "nolog". I think it's the 403 itself that's being logged due to the default:

    SecAuditLogRelevantStatus "^(?:5|4(?!04))"

If I set it to:

    SecAuditLogRelevantStatus "^(?:5|4(?!04|03))"

It stops logging the 403s being generated by my health check rule. The comment on this rule says:

"Log the transactions that are marked by a rule, as well as those that trigger a server error..."

So I think this is working as designed since my rule is triggering a server error.

If I set my rule to "log" it still logs the rule match as expected showing the 403 response. OWASP CRS rule matches still get logged as well so I think this change will work for me.

Bren
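Added illustration of the point in this message (example code written for this page, not code from the thread or from the ModSecurity project): the snippet below parses the audit log entry Bren posted earlier in the thread, pulls the response status out of section F, and applies both SecAuditLogRelevantStatus patterns to it, which shows why the stock pattern treats a 403 as relevant and the changed one does not. The would_be_audited function is a simplified model of the RelevantOnly behaviour described in the quoted config comment (marked by a rule, or status matches the pattern); it is an assumption for illustration, not the engine's own logic.

```python
import re

# Audit log entry copied from the thread (the health check HEAD request that
# got a 403); the "---XlVYmBXD---X--" lines are the serial-format section markers.
SAMPLE_AUDIT = """\
---XlVYmBXD---A--
[04/Apr/2021:12:40:35 -0400] 161755443589.343274 127.0.0.1 4502 127.0.0.1 8504
---XlVYmBXD---B--
HEAD /waf_health_check HTTP/1.0
content-length: 0
---XlVYmBXD---D--

---XlVYmBXD---F--
HTTP/1.0 403

---XlVYmBXD---H--

---XlVYmBXD---I--

---XlVYmBXD---J--

---XlVYmBXD---Z--
"""

# The two SecAuditLogRelevantStatus patterns discussed in the thread.
DEFAULT_RELEVANT = r"^(?:5|4(?!04))"      # stock modsecurity.conf-recommended
MODIFIED_RELEVANT = r"^(?:5|4(?!04|03))"  # Bren's change: 403 no longer relevant

SECTION_RE = re.compile(r"^---[A-Za-z0-9]+---([A-Z])--$", re.M)


def parse_audit_entry(text):
    """Split one serial-format audit entry into a dict keyed by section letter."""
    markers = list(SECTION_RE.finditer(text))
    sections = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        sections[m.group(1)] = text[m.end():end].strip()
    return sections


def response_status(sections):
    """Return the HTTP status code from the response-headers section (F), or None."""
    first_line = sections.get("F", "").splitlines()[:1]
    m = re.match(r"HTTP/\d\.\d (\d{3})", first_line[0]) if first_line else None
    return m.group(1) if m else None


def status_is_relevant(status, pattern):
    """Apply a SecAuditLogRelevantStatus regex to a status code string."""
    return re.search(pattern, status) is not None


def would_be_audited(sections, pattern, marked_by_rule=False):
    """Simplified model (an assumption, not engine code) of RelevantOnly:
    the transaction is written to the audit log if a rule marked it relevant
    (a logging rule matched) or if the response status matches the pattern.
    A rule with 'nolog' does not mark it, so only the status decides."""
    if marked_by_rule:
        return True
    status = response_status(sections)
    return status is not None and status_is_relevant(status, pattern)


if __name__ == "__main__":
    entry = parse_audit_entry(SAMPLE_AUDIT)
    print("request:", entry["B"].splitlines()[0])
    print("status: ", response_status(entry))
    for name, pat in (("default", DEFAULT_RELEVANT), ("modified", MODIFIED_RELEVANT)):
        print(f"{name:8s} {pat:22s} audited={would_be_audited(entry, pat)}")
```

Running it prints the request line, the 403, and then audited=True for the default pattern and audited=False for the modified one; passing marked_by_rule=True (a rule that does log) gives True for either pattern, which matches what Bren observes with "log" and with the CRS rule matches.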
From: Christian F. <chr...@ne...> - 2021-04-06 19:39:02
Hey Bren,

This is what I mentioned in my message. Maybe I did not make myself very clear. However, this only accounts for the audit log and you said you also got error-log messages and I could not explain those.

Best,

Christian

On Tue, Apr 06, 2021 at 07:24:49PM +0000, Bren via mod-security-users wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Saturday, April 3rd, 2021 at 12:38 PM, Bren via mod-security-users <mod...@li...> wrote:
>
> > Even with nolog this rule still logs to the audit log and the Nginx error log.
>
> So I think I know what's going on. This rule isn't actually being logged despite "nolog". I think it's the 403 itself that's being logged due to the default:
>
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>
> If I set it to:
>
> SecAuditLogRelevantStatus "^(?:5|4(?!04|03))"
>
> It stops logging the 403s being generated by my health check rule. The comment on this rule says:
>
> "Log the transactions that are marked by a rule, as well as those that trigger a server error..."
>
> So I think this is working as designed since my rule is triggering a server error.
>
> If I set my rule to "log" it still logs the rule match as expected showing the 403 response. OWASP CRS rule matches still get logged as well so I think this change will work for me.
>
> Bren
From: Bren <umu...@pr...> - 2021-04-06 19:57:48
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, April 6th, 2021 at 2:38 PM, Christian Folini <chr...@ne...> wrote:

> However, this only accounts for the audit log and you said you also got error-log messages and I could not explain those.

Hmm yeah, I enabled the error log again and those 403s are still being logged there:

nginx:

    2021/04/06 15:46:06 [error] 17236#17236: *3835 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Rx' with parameter `/waf_health_check' against variable `REQUEST_FILENAME' (Value: `/waf_health_check' ) [file "/etc/openresty/modsecurity/exclusions.conf"] [line "3"] [id "1000"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/waf_health_check"] [unique_id "1617738366"] [ref "o0,17v5,17"], client: 127.0.0.1, server: , request: "HEAD /waf_health_check HTTP/1.1", host: "www.testhost.com"

Nothing is being logged to the audit log though so that's good. I'll continue to investigate.

Bren
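Added example for the error-log side of the problem (written for this page; not code from the thread, from ModSecurity or from nginx): a small parser for the ModSecurity error-log line format shown in the message above, which extracts the `[key "value"]` pairs, the denial code and phase, and the request line, plus a filter that drops lines for a chosen rule id so the health check noise can be separated from real rule hits in downstream log processing. It does not change what nginx writes, so it is a workaround on the consumer side, not a fix for the behaviour Christian suspects is a bug. The first sample line is Bren's (without his "nginx:" prefix); the second and third are constructed here, with a made-up rule id 123456 and a made-up config file name.

```python
import re

# Sample nginx error-log lines. The first is the line posted in the thread
# (without the "nginx:" prefix). The second is constructed, with a made-up
# rule id (123456) and file name, standing in for any other rule hit; the
# third is a constructed non-ModSecurity line to show pass-through.
SAMPLE_ERROR_LOG = [
    r'''2021/04/06 15:46:06 [error] 17236#17236: *3835 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Rx' with parameter `/waf_health_check' against variable `REQUEST_FILENAME' (Value: `/waf_health_check' ) [file "/etc/openresty/modsecurity/exclusions.conf"] [line "3"] [id "1000"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/waf_health_check"] [unique_id "1617738366"] [ref "o0,17v5,17"], client: 127.0.0.1, server: , request: "HEAD /waf_health_check HTTP/1.1", host: "www.testhost.com"''',
    r'''2021/04/06 15:47:10 [error] 17236#17236: *3840 [client 198.51.100.7] ModSecurity: Warning. Matched "Operator `Rx' with parameter `example' against variable `ARGS:q' (Value: `example' ) [file "/etc/openresty/modsecurity/constructed.conf"] [line "1"] [id "123456"] [rev ""] [msg "constructed example rule"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/search"] [unique_id "1617738430"] [ref ""], client: 198.51.100.7, server: , request: "GET /search?q=example HTTP/1.1", host: "www.testhost.com"''',
    "2021/04/06 15:48:00 [notice] 1#1: signal process started",
]

# Timestamp, level, client and the ModSecurity action text ("Access denied
# with code 403 (phase 1)" or "Warning") that precedes ". Matched".
MSG_RE = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] .*?"
    r"\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>.+?)\. Matched "
)
# The [key "value"] pairs: file, line, id, msg, severity, uri, unique_id, ...
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
DENY_RE = re.compile(r"Access denied with code (?P<code>\d{3}) \(phase (?P<phase>\d)\)")
REQ_RE = re.compile(r'request: "(?P<request>[^"]*)"')


def parse_modsec_error_line(line):
    """Return a dict of fields for a ModSecurity error-log line, or None if the
    line is not a ModSecurity rule-match message."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dict(KV_RE.findall(line)))
    deny = DENY_RE.search(rec["action"])
    rec["status"] = deny.group("code") if deny else None
    rec["phase"] = deny.group("phase") if deny else None
    req = REQ_RE.search(line)
    rec["request"] = req.group("request") if req else None
    return rec


def filter_noise(lines, ignored_ids=frozenset({"1000"})):
    """Drop ModSecurity messages for the given rule ids (the health check rule
    by default); keep every other line, parsed where possible. Unparsed lines
    are returned as {"raw": line} so nothing else is lost."""
    kept = []
    for line in lines:
        rec = parse_modsec_error_line(line)
        if rec is None:
            kept.append({"raw": line})
        elif rec.get("id") not in ignored_ids:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in filter_noise(SAMPLE_ERROR_LOG):
        if "raw" in rec:
            print("passthrough:", rec["raw"])
        else:
            print(f"id={rec['id']} status={rec['status']} uri={rec['uri']} "
                  f"client={rec['client']} request={rec['request']!r}")
```

With the defaults, the health check line (id 1000) is dropped and the other two lines come through, the rule hit with its id, status, uri and request fields split out. The same parser can feed a count per rule id, which makes it easy to see how much of an error log is health check noise before deciding whether to suppress it.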
From: Christian F. <chr...@ne...> - 2021-04-06 20:15:17
On Tue, Apr 06, 2021 at 07:57:20PM +0000, Bren via mod-security-users wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Tuesday, April 6th, 2021 at 2:38 PM, Christian Folini <chr...@ne...> wrote:
>
> > However, this only accounts for the audit log and you said you also got error-log messages and I could not explain those.
>
> Hmm yeah, I enabled the error log again and those 403s are still being logged there:

Having a nolog rule write to the error-log smells like a bug to me.

Ahoj,

Christian

--
I would rather have a mind opened by wonder than one closed by belief.
-- Gerry Spence