Thread: [mod-security-users] Why was this request put in the audit log?
From: O L. <ne...@pr...> - 2022-11-09 16:23:54
Hello,

I'm trying to learn to appreciate modsecurity but everything about it is frustrating and confusing to me. I thought I'd try reaching out in hopes someone could help -- this is my last hope before I give up and turn it off.

I am using DetectionOnly mode.

Why was this put in the audit log? Why are there so many rules listed? Why can't it just tell me simply what rule triggered the inclusion in the log, rather than 75 lines of gibberish? Is this a bug?

--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Expect-CT: max-age=604800, enforce, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Referrer-Policy: unsafe-url
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Location: https://othersite/
Content-Length: 428
Connection: close
Content-Type: text/html; charset=iso-8859-1

--7337282c-E--

--7337282c-H--
Stopwatch: 1668000670057655 23939 (- - -)
Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4"
SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100"
SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5"
SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4"
SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3"
SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2"
SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0"
SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300"
SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0"
SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING"
SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS"
SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD"
SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI"
SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL"
SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"
SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
--7337282c-Z--

Thanks for any help anyone can offer.

Sent with Proton Mail (https://proton.me/) secure email.
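A small triage script for an entry like the one above, added here as an example and not code from the post or from the ModSecurity project: it splits the serial audit entry on its --<id>-<letter>-- markers, groups the part-K lines into rules (a chain member that did not match is written with a leading #, as under 954130 above), and reports which listed rules actually fired and whether any of them added to a CRS anomaly score. The helper names (split_sections, parse_part_k, triage) are my own, and the embedded entry is a constructed, shortened copy of the one in the post.

```python
import re

# Constructed sample: a shortened copy of the entry in the post above, with the same
# section markers and a representative subset of its part-K lines (one rule per line).
SAMPLE_ENTRY = r"""--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/
--7337282c-H--
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Engine-Mode: "DETECTION_ONLY"
--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1"
SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',tag:attack-disclosure,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE})',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
--7337282c-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
ID_RE = re.compile(r"\bid:(\d+)")
MSG_RE = re.compile(r"msg:'([^']*)'")
# Only a rule that adds to a CRS per-paranoia-level score is a real detection.
SCORE_RE = re.compile(r"setvar:tx\.(?:outbound_)?anomaly_score_pl[1-4]=\+")


def split_sections(entry: str) -> dict:
    """Map each audit-log part letter (A, B, F, H, K, ...) to its body text."""
    parts: dict = {}
    current, buf = None, []
    for line in entry.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            if current is not None:
                parts[current] = "\n".join(buf).strip()
            current, buf = m.group(2), []
        elif current is not None:
            buf.append(line)
    if current is not None:
        parts[current] = "\n".join(buf).strip()
    return parts


def parse_part_k(body: str) -> list:
    """Group part-K lines into rules (a starter plus the chain members after it).
    A member written with a leading '#' did not match, as with the RESPONSE_BODY
    rule under 954130 in the post, so that chain as a whole did not fire."""
    rules: list = []
    expect_member = False
    for raw in body.splitlines():
        line = raw.strip()
        if not line.lstrip("#").startswith(("SecRule", "SecAction")):
            continue
        unmatched, text = line.startswith("#"), line.lstrip("#")
        if expect_member and rules:
            rule = rules[-1]
        else:
            m = ID_RE.search(text)
            rule = {"id": m.group(1) if m else "?", "msg": None,
                    "nolog": False, "fired": True, "scores": False}
            rules.append(rule)
        rule["fired"] = rule["fired"] and not unmatched
        rule["scores"] = rule["scores"] or bool(SCORE_RE.search(text))
        rule["nolog"] = rule["nolog"] or bool(re.search(r"\bnolog\b", text))
        mm = MSG_RE.search(text)
        if mm:
            rule["msg"] = mm.group(1)
        expect_member = bool(re.search(r"\bchain\b", text))  # next line continues this chain
    return rules


def triage(entry: str) -> dict:
    """Summarise the entry: request, status, engine mode, and what the listed rules did."""
    parts = split_sections(entry)
    rules = parse_part_k(parts.get("K", ""))
    fired = [r for r in rules if r["fired"]]
    status_line = parts.get("F", "").splitlines()
    mode = re.search(r'Engine-Mode: "([^"]+)"', parts.get("H", ""))
    return {
        "parts": "".join(sorted(parts)),
        "request": (parts.get("B", "").splitlines() or [None])[0],
        "status": status_line[0].split()[1] if status_line else None,
        "engine_mode": mode.group(1) if mode else None,
        "rules_listed": len(rules),
        "rules_fired": len(fired),
        # Fired and raised an anomaly score: the findings worth reading.
        "scoring_rules_fired": [r["id"] for r in fired if r["scores"]],
        # Fired but nolog setup/skip logic: CRS housekeeping, not findings.
        "housekeeping_fired": [r["id"] for r in fired if r["nolog"] and not r["scores"]],
        # Listed but a later chain member did not match: nothing was detected.
        "chains_not_completed": [(r["id"], r["msg"]) for r in rules if not r["fired"]],
    }
```

On the sample, every rule that fired is nolog CRS setup or skip logic and no scoring rule fired, which is also what the full entry above shows. Part K records rule matches; whether an entry is written at all is decided by the audit engine settings (SecAuditEngine, SecAuditLogRelevantStatus) together with the rules' auditlog/noauditlog actions, which the entry itself does not show.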
From: <az...@po...> - 2022-11-09 16:30:48
Hi,

what is logged depends on SecAuditLogParts directive in modsecurity.conf. For more info, see:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts

azurit

Quoting O Lányi via mod-security-users <mod...@li...>:

> Hello,
>
> I'm trying to learn to appreciate modsecurity but everything about
> it is frustrating and confusing to me. I thought I'd try reaching
> out in hopes someone could help -- this is my last hope before I
> give up and turn it off.
>
> I am using DetectionOnly mode
>
> Why was this put in the audit log? Why are there so many rules
> listed? Why can't it just tell me simply what rule triggered the
> inclusion in the log, rather than 75 lines of gibberish? Is this a
> bug?
From: O L. <ne...@pr...> - 2022-11-09 16:39:28
I understand the logging parts (I turned on additional parts to try to understand why harmless requests are being placed in the audit log), but why was this particular HTTP request put into the audit log at all? What was "wrong" with it?

Sent with Proton Mail secure email.

------- Original Message -------
On Wednesday, November 9th, 2022 at 10:30 AM, <az...@po...> wrote:

> Hi,
>
> what is logged depends on SecAuditLogParts directive in
> modsecurity.conf. For more info, see:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>
> azurit
>
> Quoting O Lányi via mod-security-users <mod...@li...>:
>
> > Hello,
> >
> > I'm trying to learn to appreciate modsecurity but everything about
> > it is frustrating and confusing to me. I thought I'd try reaching
> > out in hopes someone could help -- this is my last hope before I
> > give up and turn it off.
> >
> > I am using DetectionOnly mode
> >
> > Why was this put in the audit log? Why are there so many rules
> > listed? Why can't it just tell me simply what rule triggered the
> > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > bug?
"&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" > > "@eq 0" > > "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" > > > > SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" > > "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" > > > > SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq > > 0" > > "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" > > "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" > > SecRule "&TX:dos_block_timeout" "@eq 0" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > 
"phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > 
"phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" > > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" > > "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS > > Information Leakage',logdata:'Matched Data: %{TX.0} found within > > %{MATCHED_VAR_NAME}: > > %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla > > tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error > > in.{0,50}?\\bApplication\\b" > > "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" > > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" > > "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" > > "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" > > SecRule "&TX:dos_block_timeout" "@eq 0" > > > > SecAction > > 
"phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} > > ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt > > %{tx.inbound_anomaly_score_threshold}" > > "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly > > Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - > > SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score > > },RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, > > %{TX.ANO > > MALY_SCORE_PL3}, > > %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" > > > > SecAction > > "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. > > outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt > > %{tx.outbound_anomaly_score_threshold}" > > "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly > > Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): > > individual paranoia level scores: %{TX.OUTBO > > UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, > > %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, > > %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" > > > > --7337282c-Z-- > > > > Thanks for any help anyone can offer. > > > > Sent with Proton Mail secure email. 
From: <az...@po...> - 2022-11-09 16:59:11
This depends on the HTTP status code - logged are all requests with a status code that matches the regexp set in the SecAuditLogRelevantStatus directive in modsecurity.conf (i.e. also requests that were NOT blocked may be logged). For more info, see:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus

azurit

Quoting O Lányi via mod-security-users <mod...@li...>:

> I understand the logging parts (I turned on additional parts to try
> to understand why harmless requests are being placed in the audit
> log), but why was this particular HTTP request put into the audit
> log at all? What was "wrong" with it?
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Wednesday, November 9th, 2022 at 10:30 AM, <az...@po...> wrote:
>
>> Hi,
>>
>> what is logged depends on the SecAuditLogParts directive in
>> modsecurity.conf. For more info, see:
>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>>
>> azurit
>>
>> Quoting O Lányi via mod-security-users
>> mod...@li...:
>>
>> > Hello,
>> >
>> > I'm trying to learn to appreciate modsecurity but everything about
>> > it is frustrating and confusing to me. I thought I'd try reaching
>> > out in hopes someone could help -- this is my last hope before I
>> > give up and turn it off.
>> >
>> > I am using DetectionOnly mode
>> >
>> > Why was this put in the audit log? Why are there so many rules
>> > listed? Why can't it just tell me simply what rule triggered the
>> > inclusion in the log, rather than 75 lines of gibberish? Is this a
>> > bug?
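To make azurit's SecAuditLogRelevantStatus point concrete for the entry posted above, here is an added example (not code from this thread or from the ModSecurity project): it splits a serial-format audit log entry on its `--<id>-<part>--` boundaries, reads the response status from part F and the matched rule ids from part K, and tests the status against a relevant-status regex. It assumes the regex shipped in modsecurity.conf-recommended, `^(?:5|4(?!04))`; the poster's actual value is not shown in the thread, and the sample entry is a constructed, shortened copy of the posted one.

```python
"""Split a ModSecurity 2.x serial audit-log entry into its parts and
check its response status against a SecAuditLogRelevantStatus regex.
Added example for this thread; not ModSecurity code."""
import re
from typing import Dict, List, Optional

# Regex shipped in modsecurity.conf-recommended: 5xx and 4xx, but not 404.
# Assumption: the poster's modsecurity.conf uses this value; it is not shown.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"

# Constructed sample: a shortened copy of the entry posted in the thread,
# with most of the part-K rule lines left out.
SAMPLE_ENTRY = """\
--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/
Content-Length: 428

--7337282c-H--
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Engine-Mode: "DETECTION_ONLY"
--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"

--7337282c-Z--
"""

_PART_HEADER = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")


def split_parts(entry: str) -> Dict[str, str]:
    """Map each part letter (A, B, F, H, K, ...) to that part's text.

    Every part gets a key, including the empty terminating Z part, so the
    caller can see which parts SecAuditLogParts switched on."""
    parts: Dict[str, str] = {}
    current: Optional[str] = None
    lines: List[str] = []
    for line in entry.splitlines():
        m = _PART_HEADER.match(line)
        if m:
            if current is not None:
                parts[current] = "\n".join(lines).strip("\n")
            current, lines = m.group(2), []
        elif current is not None:
            lines.append(line)
    if current is not None:
        parts[current] = "\n".join(lines).strip("\n")
    return parts


def response_status(parts: Dict[str, str]) -> Optional[int]:
    """Status code from the status line at the top of part F, if present."""
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})\b", parts.get("F", ""))
    return int(m.group(1)) if m else None


def engine_mode(parts: Dict[str, str]) -> Optional[str]:
    """Engine-Mode value recorded in part H (e.g. DETECTION_ONLY)."""
    m = re.search(r'^Engine-Mode:\s*"([^"]+)"', parts.get("H", ""), re.M)
    return m.group(1) if m else None


def matched_rule_ids(parts: Dict[str, str]) -> List[str]:
    """Rule ids from part K, which lists every rule that matched, in order."""
    return re.findall(r"\bid:(\d+)", parts.get("K", ""))


def status_is_relevant(status: int, relevant_regex: str) -> bool:
    """Apply SecAuditLogRelevantStatus: the regex is matched against the
    status code rendered as text, e.g. "308"."""
    return re.search(relevant_regex, str(status)) is not None


def summarize(entry: str, relevant_regex: str = DEFAULT_RELEVANT_STATUS) -> dict:
    """One-glance view of an entry: parts present, status, engine mode,
    whether the status alone would make the transaction relevant, and
    the ids of the rules listed in part K."""
    parts = split_parts(entry)
    status = response_status(parts)
    return {
        "parts": sorted(parts),
        "status": status,
        "engine_mode": engine_mode(parts),
        "status_relevant": status is not None and status_is_relevant(status, relevant_regex),
        "rule_ids": matched_rule_ids(parts),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

With the shipped regex a 308 is not relevant, so if this installation uses that value the status check alone did not write this entry; the ids from part K are the place to start comparing against the local rule set and modsecurity.conf.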
From: O L. <ne...@pr...> - 2022-11-09 17:12:12
The response was a 308. 99.999% of 308s are not put in the audit log. Why was this specific one put in the audit log?

Sent with Proton Mail secure email.

------- Original Message -------
On Wednesday, November 9th, 2022 at 10:58 AM, <az...@po...> wrote:

> This depends on the HTTP status code - logged are all requests with
> a status code that matches the regexp set in the SecAuditLogRelevantStatus
> directive in modsecurity.conf (i.e. also requests that were NOT
> blocked may be logged). For more info, see:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
>
> azurit
>
> Quoting O Lányi via mod-security-users
> mod...@li...:
>
> > I understand the logging parts (I turned on additional parts to try
> > to understand why harmless requests are being placed in the audit
> > log), but why was this particular HTTP request put into the audit
> > log at all? What was "wrong" with it?
> >
> > Sent with Proton Mail secure email.
> >
> > ------- Original Message -------
> > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> >
> > > Hi,
> > >
> > > what is logged depends on the SecAuditLogParts directive in
> > > modsecurity.conf. For more info, see:
> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > >
> > > azurit
> > >
> > > Quoting O Lányi via mod-security-users
> > > mod...@li...:
> > >
> > > > Hello,
> > > >
> > > > I'm trying to learn to appreciate modsecurity but everything about
> > > > it is frustrating and confusing to me. I thought I'd try reaching
> > > > out in hopes someone could help -- this is my last hope before I
> > > > give up and turn it off.
> > > >
> > > > I am using DetectionOnly mode
> > > >
> > > > Why was this put in the audit log? Why are there so many rules
> > > > listed? Why can't it just tell me simply what rule triggered the
> > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > > > bug?
From: <az...@po...> - 2022-11-10 10:40:08
Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine

Citát O Lányi via mod-security-users <mod...@li...>:

> The response was a 308. 99.999% of 308's are not put in the audit
> log. Why was this specific one put in the audit log?
From: O L. <ne...@pr...> - 2022-11-10 14:45:15
It's already set like that.

------- Original Message -------
On Thursday, November 10th, 2022 at 4:39 AM, <az...@po...> wrote:

> Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
>
> Quoting O Lányi via mod-security-users <mod...@li...>:
>
> > The response was a 308. 99.999% of 308s are not put in the audit
> > log. Why was this specific one put in the audit log?
> >
> > Sent with Proton Mail secure email.
> >
> > ------- Original Message -------
> > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
> >
> > > This depends on the HTTP status code - logged are all requests with
> > > status code that matches regexp set in SecAuditLogRelevantStatus
> > > directive in modsecurity.conf (i.e. also requests that were NOT
> > > blocked may be logged). For more info, see:
> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
> > >
> > > azurit
> > >
> > > Quoting O Lányi via mod-security-users <mod...@li...>:
> > >
> > > > I understand the logging parts (I turned on additional parts to try
> > > > to understand why harmless requests are being placed in the audit
> > > > log), but why was this particular HTTP request put into the audit
> > > > log at all? What was "wrong" with it?
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > ------- Original Message -------
> > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > what is logged depends on SecAuditLogParts directive in
> > > > > modsecurity.conf.
> > > > > For more info, see:
> > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > > > >
> > > > > azurit
> > > > >
> > > > > Quoting O Lányi via mod-security-users <mod...@li...>:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I'm trying to learn to appreciate modsecurity but everything about
> > > > > > it is frustrating and confusing to me. I thought I'd try reaching
> > > > > > out in hopes someone could help -- this is my last hope before I
> > > > > > give up and turn it off.
> > > > > >
> > > > > > I am using DetectionOnly mode
> > > > > >
> > > > > > What was this put in the audit log? Why are there so many rules
> > > > > > listed? Why can't it just tell me simply what rule triggered the
> > > > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > > > > > bug?
> > > > > >
> > > > > > [...]
> > > > >
> > > > > _______________________________________________
> > > > > mod-security-users mailing list
> > > > > mod...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > http://www.modsecurity.org/projects/commercial/support/
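The two directives discussed in the exchange above (SecAuditEngine RelevantOnly and the SecAuditLogRelevantStatus regex) can be checked mechanically against an audit log entry. The following Python script is an added example, not code from this thread or from the ModSecurity or CRS projects: it splits a serial-format audit log into entries and parts, reads the response status from part F, pulls the rule ids out of part K (which, per the ModSecurity reference manual, lists every rule that matched during the transaction, not only the one responsible for the entry), reads the audit directives out of a modsecurity.conf, and reports whether the status-code filter can account for the entry. The sample entry and config fragment are constructed here (the boundary, timestamp and part layout follow the entry quoted above); the default pattern `^(?:5|4(?!04))` is the value shipped in modsecurity.conf-recommended, and RelevantOnly is assumed when SecAuditEngine is absent. All function names are this example's own.

```python
import re

# Default shipped in modsecurity.conf-recommended: audit 5xx and 4xx except 404.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"

PART_MARKER = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)   # --<id>-<part>--
STATUS_LINE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")            # first line of part F
RULE_ID = re.compile(r"\bid:(\d+)")                            # id: inside an action list

# Constructed sample entry (serial format) with the part layout of the one in
# the thread; REMOTE_IP / MY_IP placeholders are kept as they appear on the list.
SAMPLE_AUDIT_LOG = r"""--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none"
--7337282c-Z--
"""

# Constructed modsecurity.conf fragment with the RelevantOnly setting azurit suggests.
SAMPLE_CONF = """\
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABEFHKZ
"""

def parse_audit_entries(text):
    """Split a serial-format audit log into entries of the form
    {"id": boundary, "parts": {"A": body, "F": body, ...}}; Z only terminates."""
    entries, markers = [], list(PART_MARKER.finditer(text))
    for i, m in enumerate(markers):
        boundary, letter = m.groups()
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        if not entries or entries[-1]["id"] != boundary:
            entries.append({"id": boundary, "parts": {}})
        if letter != "Z":
            entries[-1]["parts"][letter] = text[m.end():end].strip("\n")
    return entries

def response_status(entry):
    """HTTP status from the status line that opens part F, or None without F."""
    m = STATUS_LINE.match(entry["parts"].get("F", ""))
    return int(m.group(1)) if m else None

def matched_rule_ids(entry):
    """Ids of the rules listed in part K (every rule that matched, one per line).
    Chained child rules are printed with a leading '#' and carry no id of their own."""
    ids = []
    for line in entry["parts"].get("K", "").splitlines():
        m = None if line.startswith("#") else RULE_ID.search(line)
        if m:
            ids.append(int(m.group(1)))
    return ids

def parse_audit_directives(conf_text):
    """Audit-related directives from a modsecurity.conf; a later occurrence wins."""
    wanted = ("SecAuditEngine", "SecAuditLogRelevantStatus", "SecAuditLogParts")
    found = {}
    for raw in conf_text.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) == 2 and fields[0] in wanted:
            found[fields[0]] = fields[1].strip().strip('"')
    return found

def is_relevant_status(status, pattern=DEFAULT_RELEVANT_STATUS):
    """SecAuditLogRelevantStatus runs its regex against the status code as text."""
    return status is not None and re.search(pattern, str(status)) is not None

def explain_entry(entry, directives):
    """Name the audit trigger that can account for this entry under the given
    directives. RelevantOnly is assumed when SecAuditEngine is not set."""
    engine = directives.get("SecAuditEngine", "RelevantOnly")
    pattern = directives.get("SecAuditLogRelevantStatus", DEFAULT_RELEVANT_STATUS)
    status = response_status(entry)
    relevant = is_relevant_status(status, pattern)
    if engine == "On":
        reason = "SecAuditEngine On: every transaction is logged"
    elif engine == "Off":
        reason = "SecAuditEngine Off: this configuration cannot have written the entry"
    elif relevant:
        reason = f"status {status} matches SecAuditLogRelevantStatus {pattern}"
    else:
        reason = (f"status {status} does not match {pattern}; under RelevantOnly "
                  "the trigger was a rule match (see part K), not the status filter")
    return {"id": entry["id"], "status": status, "status_is_relevant": relevant,
            "matched_rule_ids": matched_rule_ids(entry), "reason": reason}

if __name__ == "__main__":
    for entry in parse_audit_entries(SAMPLE_AUDIT_LOG):
        print(explain_entry(entry, parse_audit_directives(SAMPLE_CONF)))
```

Point `parse_audit_entries` at the real serial-format audit log and `parse_audit_directives` at the modsecurity.conf azurit asks for. For the 308 in the thread the status fails the default pattern, so under RelevantOnly the status filter is ruled out and the entry's part K is the place to look next; the script also makes the point that part K is a list of matched rules, so the setup rules (900990, 901100 and so on) appear there whether or not they had anything to do with the entry being written.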
From: <az...@po...> - 2022-11-11 09:51:31
Can you upload your modsecurity.conf and crs-setup.conf somewhere?

Quoting O Lányi via mod-security-users <mod...@li...>:

> It's already set like that.
>
> ------- Original Message -------
> On Thursday, November 10th, 2022 at 4:39 AM, <az...@po...> wrote:
>
> > Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
> > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
> >
> > Quoting O Lányi via mod-security-users <mod...@li...>:
> >
> > > The response was a 308. 99.999% of 308s are not put in the audit
> > > log. Why was this specific one put in the audit log?
> > >
> > > Sent with Proton Mail secure email.
> > >
> > > ------- Original Message -------
> > > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
> > >
> > > > This depends on the HTTP status code - logged are all requests with
> > > > status code that matches regexp set in SecAuditLogRelevantStatus
> > > > directive in modsecurity.conf (i.e. also requests that were NOT
> > > > blocked may be logged). For more info, see:
> > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
> > > >
> > > > azurit
> > > >
> > > > Quoting O Lányi via mod-security-users <mod...@li...>:
> > > >
> > > > > I understand the logging parts (I turned on additional parts to try
> > > > > to understand why harmless requests are being placed in the audit
> > > > > log), but why was this particular HTTP request put into the audit
> > > > > log at all? What was "wrong" with it?
> > > > >
> > > > > Sent with Proton Mail secure email.
> > > > >
> > > > > ------- Original Message -------
> > > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > what is logged depends on SecAuditLogParts directive in
> > > > > > modsecurity.conf.
> > > > > > For more info, see:
> > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > > > > >
> > > > > > azurit
> > > > > >
> > > > > > Quoting O Lányi via mod-security-users <mod...@li...>:
> > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > I'm trying to learn to appreciate modsecurity but everything about
> > > > > > > it is frustrating and confusing to me. I thought I'd try reaching
> > > > > > > out in hopes someone could help -- this is my last hope before I
> > > > > > > give up and turn it off.
> > > > > > >
> > > > > > > I am using DetectionOnly mode
> > > > > > >
> > > > > > > What was this put in the audit log? Why are there so many rules
> > > > > > > listed? Why can't it just tell me simply what rule triggered the
> > > > > > > inclusion in the log, rather than 75 lines of gibberish? Is this a
> > > > > > > bug?
> > > > > > >
> > > > > > > [...]
"phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" >> > > >> > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" >> > > >> > > >> "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >> > > >> > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >> > > > > > SecRule "&TX:dos_block_timeout" "@eq 0" >> > > > > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> 
"phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> 
"phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >> > > >> > > > > > SecRule "RESPONSE_STATUS" "!@rx ^404$" >> > > > > > "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS >> > > > > > Information Leakage',logdata:'Matched Data: %{TX.0} found within >> > > > > > %{MATCHED_VAR_NAME}: >> > > > > > %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla >> > > >> > > >> tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" >> > > >> > > > > > #SecRule "RESPONSE_BODY" "@rx \\bServer Error >> > > > > > in.{0,50}?\\bApplication\\b" >> > > >> > > >> "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >> > > >> > > > > > SecRule "TX:PARANOIA_LEVEL" "@ge 1" >> > > >> > > >> "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" >> > > >> > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >> > > >> > > >> "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >> > > >> > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" >> > > >> > > >> 
"phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >> > > >> > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >> > > > > > SecRule "&TX:dos_block_timeout" "@eq 0" >> > > > > > >> > > > > > SecAction >> > > >> > > >> "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} >> > > >> > > > > > ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" >> > > > > > >> > > > > > SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt >> > > > > > %{tx.inbound_anomaly_score_threshold}" >> > > > > > "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly >> > > > > > Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - >> > > > > > SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score >> > > >> > > >> },RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level >> scores: >> > > %{TX.ANOMALY_SCORE_PL1}, >> > > >> > > > > %{TX.ANOMALY_SCORE_PL2}, >> > > > > >> > > > > > %{TX.ANO >> > > > > > MALY_SCORE_PL3}, >> > > >> > > >> %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >> > > >> > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >> > > > > > >> > > > > > SecAction >> > > >> > > >> "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. 
>> > > >> > > >> outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" >> > > >> > > > > > SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt >> > > > > > %{tx.outbound_anomaly_score_threshold}" >> > > > > > >> "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly >> > > > > > Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): >> > > > > > individual paranoia level scores: %{TX.OUTBO >> > > > > > UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, >> > > > > > %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, >> > > >> > > >> %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >> > > >> > > > > > #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >> > > > > > >> > > > > > --7337282c-Z-- >> > > > > > >> > > > > > Thanks for any help anyone can offer. >> > > > > > >> > > > > > Sent with Proton Mail secure email. >> > > > > >> > > > > _______________________________________________ >> > > > > mod-security-users mailing list >> > > > > mod...@li... >> > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users >> > > > > Commercial ModSecurity Rules and Support from Trustwave's >> SpiderLabs: >> > > > > http://www.modsecurity.org/projects/commercial/rules/ >> > > > > http://www.modsecurity.org/projects/commercial/support/ >> > > > >> > > > _______________________________________________ >> > > > mod-security-users mailing list >> > > > mod...@li... >> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users >> > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> > > > http://www.modsecurity.org/projects/commercial/rules/ >> > > > http://www.modsecurity.org/projects/commercial/support/ >> > > >> > > _______________________________________________ >> > > mod-security-users mailing list >> > > mod...@li... 
>> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users >> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> > > http://www.modsecurity.org/projects/commercial/rules/ >> > > http://www.modsecurity.org/projects/commercial/support/ >> > >> > _______________________________________________ >> > mod-security-users mailing list >> > mod...@li... >> > https://lists.sourceforge.net/lists/listinfo/mod-security-users >> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> > http://www.modsecurity.org/projects/commercial/rules/ >> > http://www.modsecurity.org/projects/commercial/support/ >> >> >> >> >> >> >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: O L. <ne...@pr...> - 2022-11-12 00:42:12
|
modsecurity.conf: https://pastebin.com/ZggGuyKG
crs-setup.conf: https://pastebin.com/s11sF0pj

It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason. Testing with curl:

HTTP/1.0 HTTPS with no host header = LOGGED
HTTP/1.0 HTTPS with host header = not logged
HTTP/1.0 HTTP with no host header = not logged
HTTP/1.0 HTTP with host header = not logged
HTTP/1.1 HTTPS with no host header = not logged
HTTP/1.1 HTTPS with host header = not logged
HTTP/1.1 HTTP with no host header = not logged
HTTP/1.1 HTTP with host header = not logged

But why?

Sent with Proton Mail secure email.

------- Original Message -------
On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:

> Can you upload your modsecurity.conf and crs-setup.conf somewhere?
>
> Quoting O Lányi via mod-security-users mod...@li...:
>
> > It's already set like that.
> >
> > ------- Original Message -------
> > On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote:
> >
> > > Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
> > >
> > > Quoting O Lányi via mod-security-users mod...@li...:
> > >
> > > > The response was a 308. 99.999% of 308's are not put in the audit log. Why was this specific one put in the audit log?
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > ------- Original Message -------
> > > > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
> > > >
> > > > > This depends on the HTTP status code - logged are all requests with status code that matches regexp set in SecAuditLogRelevantStatus directive in modsecurity.conf (i.e. also requests that were NOT blocked may be logged). For more info, see:
> > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
> > > > >
> > > > > azurit
> > > > >
> > > > > Quoting O Lányi via mod-security-users mod...@li...:
> > > > >
> > > > > > I understand the logging parts (I turned on additional parts to try to understand why harmless requests are being placed in the audit log), but why was this particular HTTP request put into the audit log at all? What was "wrong" with it?
> > > > > >
> > > > > > Sent with Proton Mail secure email.
> > > > > >
> > > > > > ------- Original Message -------
> > > > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > what is logged depends on SecAuditLogParts directive in modsecurity.conf. For more info, see:
> > > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > > > > > >
> > > > > > > azurit
> > > > > > >
> > > > > > > Quoting O Lányi via mod-security-users mod...@li...:
> > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I'm trying to learn to appreciate modsecurity but everything about it is frustrating and confusing to me. I thought I'd try reaching out in hopes someone could help -- this is my last hope before I give up and turn it off.
> > > > > > > >
> > > > > > > > I am using DetectionOnly mode
> > > > > > > >
> > > > > > > > Why was this put in the audit log? Why are there so many rules listed? Why can't it just tell me simply what rule triggered the inclusion in the log, rather than 75 lines of gibberish? Is this a bug?
> > > > > > > > > > > > > > > > --7337282c-A-- > > > > > > > > [09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc > > > > > > > > (REMOTE_IP) 56866 (MY_IP) 443 > > > > > > > > --7337282c-B-- > > > > > > > > GET / HTTP/1.0 > > > > > > > > > > > > > > > > --7337282c-F-- > > > > > > > > HTTP/1.1 308 Permanent Redirect > > > > > > > > Expect-CT: max-age=604800, enforce, > > > > > > > > > > report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" > > > > > > > > > > > > > Referrer-Policy: unsafe-url > > > > > > > > Strict-Transport-Security: max-age=31536000; > > > > > > > > includeSubDomains; preload > > > > > > > > X-Content-Type-Options: nosniff > > > > > > > > X-Frame-Options: SAMEORIGIN > > > > > > > > X-XSS-Protection: 1; mode=block > > > > > > > > Location: https://othersite/ > > > > > > > > Content-Length: 428 > > > > > > > > Connection: close > > > > > > > > Content-Type: text/html; charset=iso-8859-1 > > > > > > > > > > > > > > > > --7337282c-E-- > > > > > > > > > > > > > > > > --7337282c-H-- > > > > > > > > Stopwatch: 1668000670057655 23939 (- - -) > > > > > > > > Stopwatch2: 1668000670057655 23939; combined=976, p1=578, p2=0, > > > > > > > > p3=48, p4=171, p5=179, sr=131, sw=0, l=0, gc=0 > > > > > > > > Response-Body-Transformed: Dechunked > > > > > > > > Producer: ModSecurity for Apache/2.9.5 > > > > > > > > (http://www.modsecurity.org/); OWASP_CRS/3.3.2. 
> > > > > > > > Server: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 > > > > > > > > Engine-Mode: "DETECTION_ONLY" > > > > > > > > > > > > > > > > --7337282c-K-- > > > > > > > > SecAction > > > > > > "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332" > > > > > > > > > > > SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" > > > > > > "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5" > > > > > > > > > > > SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" > > > > > > "phase:1,auditlog,id:901110,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.outbound_anomaly_score_threshold=4" > > > > > > > > > > > SecRule "&TX:paranoia_level" "@eq 0" > > > > > > "phase:1,auditlog,id:901120,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.paranoia_level=1" > > > > > > > > > > > SecRule "&TX:executing_paranoia_level" "@eq 0" > > > > > > "phase:1,auditlog,id:901125,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}" > > > > > > > > > > > SecRule "&TX:sampling_percentage" "@eq 0" > > > > > > "phase:1,auditlog,id:901130,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.sampling_percentage=100" > > > > > > > > > > > SecRule "&TX:critical_anomaly_score" "@eq 0" > > > > > > "phase:1,auditlog,id:901140,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.critical_anomaly_score=5" > > > > > > > > > > > SecRule "&TX:error_anomaly_score" "@eq 0" > > > > > > "phase:1,auditlog,id:901141,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.error_anomaly_score=4" > > > > > > > > > > > SecRule "&TX:warning_anomaly_score" "@eq 0" > > > > > > "phase:1,auditlog,id:901142,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.warning_anomaly_score=3" > > > > > > > > > > > SecRule "&TX:notice_anomaly_score" "@eq 0" > > > > > > "phase:1,auditlog,id:901143,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.notice_anomaly_score=2" > > > > > > > > > > > SecRule "&TX:do_reput_block" "@eq 0" > > > > > > 
"phase:1,auditlog,id:901150,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.do_reput_block=0" > > > > > > > > > > > SecRule "&TX:reput_block_duration" "@eq 0" > > > > > > "phase:1,auditlog,id:901152,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.reput_block_duration=300" > > > > > > > > > > > SecRule "&TX:allowed_methods" "@eq 0" > > > > > > "phase:1,auditlog,id:901160,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_methods=GET > > > > > > > > HEAD > > > > > > > > > > > > POST > > > > > > > > > > > > > > > OPTIONS'" > > > > > > > > > > > > > > > > SecRule "&TX:allowed_request_content_type" "@eq 0" > > > > > > "phase:1,auditlog,id:901162,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| > > > |multipart/form-data| > > > > > > > > |multipart/related| > > > > > > > > > > > > |text/xml| > > > > > > > > > > > > > > > |application/x > > > > > > > > ml| |application/soap+xml| |application/x-amf| |application/json| > > > > > > > > |application/cloudevents+json| > > > > > > > > |application/cloudevents-batch+json| > > > > > > > > |application/octet-stream| |application/csp-report| > > > > > > > > |application/xss-auditor-report| |text/plain|'" > > > > > > > > > > > > > > > > SecRule "&TX:allowed_request_content_type_charset" "@eq 0" > > > > > > "phase:1,auditlog,id:901168,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252" > > > > > > > > > > > SecRule "&TX:allowed_http_versions" "@eq 0" > > > > > > "phase:1,auditlog,id:901163,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.allowed_http_versions=HTTP/1.0 > > > > > > > > HTTP/1.1 > > > > > > > > > > > > HTTP/2 > > > > > > > > > > > > > > > HTTP/2.0'" > > > > > > > > > > > > > > > > SecRule "&TX:restricted_extensions" "@eq 0" > > > > > > "phase:1,auditlog,id:901164,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ 
> > > .cs/ > > > > > > > > .csproj/ > > > > > > > > > > > > .csr/ > > > > > > > > > > > > > > > .dat > > > > > > > > / .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ > > > > > > > > .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ > > > > > > > > .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ > > > > > > > > .vbs/ .vbproj/ > > > > > > > > .vsdisco/ .webinfo/ .xsd/ .xsx/'" > > > > > > > > > > > > > > > > SecRule "&TX:restricted_headers" "@eq 0" > > > > > > "phase:1,auditlog,id:901165,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.restricted_headers=/proxy/ > > > > > > > > /lock-token/ > > > > > > > > > > > > /content-range/ > > > > > > > > > > > > > > > /if/'" > > > > > > > > > > > > > > > > SecRule "&TX:static_extensions" "@eq 0" > > > > > > "phase:1,auditlog,id:901166,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ > > > /.css/ > > > > > > > > /.ico/ > > > > > > > > > > > > /.svg/ > > > > > > > > > > > > > > > /.webp/'" > > > > > > > > > > > > > > > > SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" > > > > > > "phase:1,auditlog,id:901167,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.enforce_bodyproc_urlencoded=0" > > > > > > > > > > > SecAction > > > > > > "phase:1,auditlog,id:901200,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0 > > > > > > ,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_sco > > > > > > re=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0" > > > > > > > > > > > 
SecAction > > > > > > "phase:1,auditlog,id:901321,pass,t:none,nolog,ver:OWASP_CRS/3.3.2,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}" > > > > > > > > > > > SecRule "REQBODY_PROCESSOR" "!@rx > > > > > > > > (?:URLENCODED|MULTIPART|XML|JSON)" > > > > > > > > "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body > > > > > > inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.3.2" > > > > > > > > > > > SecRule "TX:sampling_percentage" "@eq 100" > > > > > > "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING" > > > > > > > > > > > SecRule > > > > > > > > "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" > > > > > > "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS" > > > > > > > > > > > SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" > > > > > > > > "@eq 0" > > > > > > "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS" > > > > > > > > > > > SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" > > > > > > > > "@eq 0" > > > > > > "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD" > > > > > > > > > > > SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" > > > > > > > > "@eq 0" > > > > > > "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" > > > > > > > > > > > SecRule > > > > > > > > "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" > > > > > > "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" > > > > > > > > > > > SecRule > > > > > > > > "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq > > > > > > > > 0" > > > > > > "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > 
"phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" > > > > > > > > > > > SecRule "&TX:dos_burst_time_slice" "@eq 0" > > > > > > "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" > > > > > > > > > > > SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" > > > > > > > > SecRule "&TX:dos_block_timeout" "@eq 0" > > > > > > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" > > > > > > > > > > > SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" > > > > > > 
|
|
From: <az...@po...> - 2022-11-12 06:46:00
|
You said you are only learning ModSecurity, so you should NOT modify advanced settings like SecAuditLogRelevantStatus and SecAuditLogParts. I suggest you use the default values at least for these two, because what you are experiencing is probably some kind of misconfiguration.

SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ

Also, disable SecStatusEngine as it no longer works (the ModSecurity authors disabled the server-side part of this service).

Quoting O Lányi via mod-security-users <mod...@li...>:

> modsecurity.conf: https://pastebin.com/ZggGuyKG
> crs-setup.conf: https://pastebin.com/s11sF0pj
>
> It seems to be logging any HTTP/1.0 HTTPS request that does not have
> a Host: header, for some reason
>
> testing with curl:
>
> HTTP/1.0 HTTPS with no host header = LOGGED
> HTTP/1.0 HTTPS with host header = not logged
> HTTP/1.0 HTTP with no host header = not logged
> HTTP/1.0 HTTP with host header = not logged
> HTTP/1.1 HTTPS with no host header = not logged
> HTTP/1.1 HTTPS with host header = not logged
> HTTP/1.1 HTTP with no host header = not logged
> HTTP/1.1 HTTP with host header = not logged
>
> but why?
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:
>
>> Can you upload your modsecurity.conf and crs-setup.conf somewhere?
>>
>> Quoting O Lányi via mod-security-users <mod...@li...>:
>>
>> > It's already set like that.
>> >
>> > ------- Original Message -------
>> > On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote:
>> >
>> > > Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
>> > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
>> > >
>> > > Quoting O Lányi via mod-security-users <mod...@li...>:
>> > >
>> > > > The response was a 308. 99.999% of 308's are not put in the audit
>> > > > log. Why was this specific one put in the audit log?
>> > > >
>> > > > Sent with Proton Mail secure email.
>> > > >
>> > > > ------- Original Message -------
>> > > > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
>> > > >
>> > > > > This depends on the HTTP status code: all requests whose status
>> > > > > code matches the regexp set in the SecAuditLogRelevantStatus
>> > > > > directive in modsecurity.conf are logged (i.e. requests that were
>> > > > > NOT blocked may be logged as well). For more info, see:
>> > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
>> > > > >
>> > > > > azurit
>> > > > >
>> > > > > Quoting O Lányi via mod-security-users <mod...@li...>:
>> > > > >
>> > > > > > I understand the logging parts (I turned on additional parts to try
>> > > > > > to understand why harmless requests are being placed in the audit
>> > > > > > log), but why was this particular HTTP request put into the audit
>> > > > > > log at all? What was "wrong" with it?
>> > > > > >
>> > > > > > Sent with Proton Mail secure email.
>> > > > > >
>> > > > > > ------- Original Message -------
>> > > > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
>> > > > > >
>> > > > > > > Hi,
>> > > > > > >
>> > > > > > > what is logged depends on the SecAuditLogParts directive in
>> > > > > > > modsecurity.conf. For more info, see:
>> > > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
>> > > > > > >
>> > > > > > > azurit
>> > > > > > >
>> > > > > > > Quoting O Lányi via mod-security-users <mod...@li...>:
>> > > > > > >
>> > > > > > > > Hello,
>> > > > > > > >
>> > > > > > > > I'm trying to learn to appreciate modsecurity but everything about
>> > > > > > > > it is frustrating and confusing to me. I thought I'd try reaching
>> > > > > > > > out in hopes someone could help -- this is my last hope before I
>> > > > > > > > give up and turn it off.
|
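As an added example (not from the thread, and not ModSecurity's own code), the Python script below does the triage that azurit's advice implies for an entry like the one quoted: it splits a native-format audit log entry into its parts, checks the response status against the recommended SecAuditLogRelevantStatus value, lists the Message: alert lines from part H, and summarises part K. The entry it parses is a constructed, shortened copy of the one in the thread.

```python
import re

# Default SecAuditLogRelevantStatus, the value azurit recommends: any 5xx,
# or any 4xx except 404.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"

# Constructed sample: a shortened copy of the entry quoted in the thread.
# Boundary token, headers and rule ids are the ones shown there; part K is
# cut down to three lines, and the chain continuation rule is simplified.
SAMPLE_ENTRY = """\
--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc (REMOTE_IP) 56866 (MY_IP) 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect
Location: https://othersite/
Content-Length: 428

--7337282c-H--
Stopwatch: 1668000670057655 23939 (- - -)
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx Server Error in Application" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}"

--7337282c-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
RULE_ID = re.compile(r"\bid:(\d+)")
RULE_MSG = re.compile(r"msg:'([^']*)'")


def parse_entry(text):
    """Split one native-format audit log entry into {part letter: body}."""
    marks = list(BOUNDARY.finditer(text))
    if not marks:
        raise ValueError("no audit log part boundary found")
    token = marks[0].group(1)
    parts = {}
    for i, m in enumerate(marks):
        if m.group(1) != token:
            raise ValueError(f"mixed boundary tokens {token} and {m.group(1)}")
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        parts[m.group(2)] = text[m.end():end].strip("\n")
    return parts


def response_status(parts):
    """HTTP status code from the response status line in part F, or None."""
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", parts.get("F", ""))
    return int(m.group(1)) if m else None


def status_is_relevant(status, pattern=DEFAULT_RELEVANT_STATUS):
    """True if this status alone would make the transaction 'relevant'
    under the given SecAuditLogRelevantStatus regex."""
    return status is not None and re.search(pattern, str(status)) is not None


def alert_messages(parts):
    """'Message:' lines in part H: one per rule that raised an alert.
    An entry without any was not written because a rule alerted."""
    return [ln[len("Message:"):].strip()
            for ln in parts.get("H", "").splitlines() if ln.startswith("Message:")]


def matched_rules(parts):
    """Rules listed in part K.  K holds every rule that matched, in order,
    including CRS housekeeping rules (setup SecActions and paranoia-level
    skipAfter rules), which is why it is long even when nothing alerted.
    A chain link that did not match is written with a leading '#'."""
    rules = []
    for ln in parts.get("K", "").splitlines():
        ln = ln.strip()
        if not ln:
            continue
        if ln.startswith("#"):
            if rules:
                rules[-1]["chain_completed"] = False
            continue
        rid, msg = RULE_ID.search(ln), RULE_MSG.search(ln)
        rules.append({"id": rid.group(1) if rid else None,
                      "msg": msg.group(1) if msg else None,
                      "chain_completed": True})
    return rules


def triage(text, relevant_pattern=DEFAULT_RELEVANT_STATUS):
    """Summarise the things to check when asking why an entry was written."""
    parts = parse_entry(text)
    status = response_status(parts)
    rules = matched_rules(parts)
    return {
        "status": status,
        "status_relevant": status_is_relevant(status, relevant_pattern),
        "alerts": alert_messages(parts),
        "rules_matched": len(rules),
        "detection_rules": [r["id"] for r in rules if r["msg"] and r["chain_completed"]],
        "parts_present": "".join(sorted(parts)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

For the sample entry the status is 308, which the default regex does not match, and there is no Message: line and no completed detection rule, so the reason has to be in the configuration rather than in a rule alert. Pass your own SecAuditLogRelevantStatus value as `relevant_pattern` to test the configuration you actually run.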
|
From: Christian F. <chr...@ne...> - 2022-11-12 08:24:04
|
Hi there,

Would you mind sharing the logfile for those alerts? Ideally with the individual requests triggering them.

Best,

Christian

On Sat, Nov 12, 2022 at 12:41:45AM +0000, O Lányi via mod-security-users wrote:
> modsecurity.conf: https://pastebin.com/ZggGuyKG
> crs-setup.conf: https://pastebin.com/s11sF0pj
>
> It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason
>
> testing with curl:
>
> HTTP/1.0 HTTPS with no host header = LOGGED
> HTTP/1.0 HTTPS with host header = not logged
> HTTP/1.0 HTTP with no host header = not logged
> HTTP/1.0 HTTP with host header = not logged
> HTTP/1.1 HTTPS with no host header = not logged
> HTTP/1.1 HTTPS with host header = not logged
> HTTP/1.1 HTTP with no host header = not logged
> HTTP/1.1 HTTP with host header = not logged
>
> but why?
>
> ------- Original Message -------
> On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:
>
> > Can you upload your modsecurity.conf and crs-setup.conf somewhere?
> >
> > Citát O Lányi via mod-security-users mod...@li...:
> >
> > > It's already set like that.
> > >
> > > ------- Original Message -------
> > > On Thursday, November 10th, 2022 at 4:39 AM, az...@po... wrote:
> > >
> > > > Try setting SecAuditEngine to RelevantOnly in modsecurity.conf, see:
> > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditengine
> > > >
> > > > Citát O Lányi via mod-security-users mod...@li...:
> > > >
> > > > > The response was a 308. 99.999% of 308's are not put in the audit log. Why was this specific one put in the audit log?
> > > > >
> > > > > ------- Original Message -------
> > > > > On Wednesday, November 9th, 2022 at 10:58 AM, az...@po... wrote:
> > > > >
> > > > > > This depends on the HTTP status code - logged are all requests with status code that matches regexp set in SecAuditLogRelevantStatus directive in modsecurity.conf (i.e. also requests that were NOT blocked may be logged). For more info, see:
> > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogrelevantstatus
> > > > > >
> > > > > > azurit
> > > > > >
> > > > > > Citát O Lányi via mod-security-users mod...@li...:
> > > > > >
> > > > > > > I understand the logging parts (I turned on additional parts to try to understand why harmless requests are being placed in the audit log), but why was this particular HTTP request put into the audit log at all? What was "wrong" with it?
> > > > > > >
> > > > > > > ------- Original Message -------
> > > > > > > On Wednesday, November 9th, 2022 at 10:30 AM, az...@po... wrote:
> > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > what is logged depends on SecAuditLogParts directive in modsecurity.conf. For more info, see:
> > > > > > > > https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogparts
> > > > > > > >
> > > > > > > > azurit
> > > > > > > >
> > > > > > > > Citát O Lányi via mod-security-users mod...@li...:
> > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I'm trying to learn to appreciate modsecurity but everything about it is frustrating and confusing to me. I thought I'd try reaching out in hopes someone could help -- this is my last hope before I give up and turn it off.
> > > > > > > > >
> > > > > > > > > I am using DetectionOnly mode
> > > > > > > > >
> > > > > > > > > Why was this put in the audit log? Why are there so many rules listed?
> > > > > > > > > Why can't it just tell me simply what rule triggered the inclusion in the log, rather than 75 lines of gibberish? Is this a bug?
> > > > > > > > >
> > > > > > > > > [audit log entry 7337282c, parts A to Z, as quoted in full in the first message of this thread]
> > > > > > > > >
> > > > > > > > > Thanks for any help anyone can offer.
|
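One way to answer the question that runs through the quoted chain (which alert, or which status match, made an entry "relevant") is to parse the serial audit log by its lettered parts rather than read part K by eye. The Python below is an added example, not code from this thread or from the ModSecurity project: it lists the `Message:` lines of part H (rules that actually logged), tests the response status against a SecAuditLogRelevantStatus regex (the stock default from modsecurity.conf-recommended is assumed), and counts how many of the rules in part K carry `nolog`, since part K lists every matched rule and is not itself a logging trigger. The sample log is constructed: the first entry mirrors the thread's 308 with part K cut down, the second entry and its rule id 999999 are invented.

```python
# Added example, not code from the thread or from the ModSecurity project: split a
# ModSecurity 2.x serial audit log into its lettered parts and report what could have
# made each entry "relevant" under SecAuditEngine RelevantOnly: an alert ("Message:"
# line in part H) or a status matching SecAuditLogRelevantStatus.
import re

# Stock value from modsecurity.conf-recommended: 5xx and 4xx except 404 (assumed here).
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"

SECTION_RE = re.compile(r"^--(\w+)-([A-Z])--$", re.M)  # boundary, e.g. "--7337282c-A--"
MSG_ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_TEXT_RE = re.compile(r'\[msg "([^"]*)"\]')
NOLOG_RE = re.compile(r"\bnolog\b")

def parse_serial_audit_log(text):
    """Return [(txid, {part letter: text})] for a serial (SecAuditLogType Serial) log."""
    chunks = SECTION_RE.split(text)  # [preamble, id, letter, body, id, letter, body, ...]
    txs = {}
    for i in range(1, len(chunks) - 2, 3):
        txid, letter, body = chunks[i], chunks[i + 1], chunks[i + 2]
        txs.setdefault(txid, {})[letter] = body.strip("\n")
    return list(txs.items())

def request_line(parts):
    lines = parts.get("B", "").splitlines()
    return lines[0] if lines else ""

def status(parts):
    m = re.match(r"HTTP/\d\.\d (\d{3})", parts.get("F", ""))
    return int(m.group(1)) if m else None

def alerts(parts):
    """(rule id, msg) for each 'Message:' line of part H, i.e. each rule that logged."""
    found = []
    for line in parts.get("H", "").splitlines():
        if line.startswith("Message:"):
            rid, msg = MSG_ID_RE.search(line), MSG_TEXT_RE.search(line)
            found.append((rid.group(1) if rid else None, msg.group(1) if msg else None))
    return found

def matched_rules(parts):
    """(total, nolog) counts of the rules listed in part K; part K lists every matched rule."""
    rules = [l for l in parts.get("K", "").splitlines() if l.startswith(("SecRule", "SecAction"))]
    return len(rules), sum(1 for l in rules if NOLOG_RE.search(l))

def why_logged(parts, relevant_status=DEFAULT_RELEVANT_STATUS):
    """Reasons the entry qualifies as relevant; empty means neither an alert nor the status
    regex explains it, so look elsewhere (SecAuditEngine On, ctl:auditEngine, other regex)."""
    reasons = [f"rule {rid} alerted: {msg}" for rid, msg in alerts(parts)]
    code = status(parts)
    if code is not None and re.search(relevant_status, str(code)):
        reasons.append(f"status {code} matches SecAuditLogRelevantStatus {relevant_status}")
    return reasons

def report(text, relevant_status=DEFAULT_RELEVANT_STATUS):
    out = []
    for txid, parts in parse_serial_audit_log(text):
        total, nolog = matched_rules(parts)
        out.append(f"{txid}: {request_line(parts)!r} -> {status(parts)}; "
                   f"part K lists {total} matched rules, {nolog} of them nolog")
        out.extend("  " + r for r in (why_logged(parts, relevant_status)
                                      or ["no alert and status not relevant"]))
    return "\n".join(out)

# Constructed sample: the first entry mirrors the thread's 308 (part K cut to two of its
# nolog setup rules); the second entry, its rule id 999999 and its message are invented.
SAMPLE_LOG = """\
--7337282c-B--
GET / HTTP/1.0

--7337282c-F--
HTTP/1.1 308 Permanent Redirect

--7337282c-H--
Engine-Mode: "DETECTION_ONLY"

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,ver:OWASP_CRS/3.3.2,setvar:tx.inbound_anomaly_score_threshold=5"

--7337282c-Z--

--0badc0de-B--
GET /?q=constructed HTTP/1.1
Host: example.invalid

--0badc0de-F--
HTTP/1.1 403 Forbidden

--0badc0de-H--
Message: Warning. Pattern match "constructed" at ARGS:q. [file "/constructed/rules.conf"] [line "1"] [id "999999"] [msg "Constructed example alert"] [severity "WARNING"]
Engine-Mode: "DETECTION_ONLY"

--0badc0de-K--
SecRule "ARGS:q" "@rx constructed" "phase:2,log,auditlog,id:999999,pass,msg:'Constructed example alert'"

--0badc0de-Z--
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the real log with the regex taken from your own modsecurity.conf; an entry that reports neither an alert nor a status match points at the engine mode or a ctl action rather than at the rules in part K.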
|
From: Arlen W. <pu...@ar...> - 2022-11-13 00:49:31
|
What’s the current paranoia level set to? Some levels require a Host header to be present.

Sent from my iPad

> On Nov 11, 2022, at 6:43 PM, O Lányi via mod-security-users <mod...@li...> wrote:
>
> modsecurity.conf: https://pastebin.com/ZggGuyKG
> crs-setup.conf: https://pastebin.com/s11sF0pj
>
> It seems to be logging any HTTP/1.0 HTTPS request that does not have a Host: header, for some reason
>
> testing with curl:
>
> HTTP/1.0 HTTPS with no host header = LOGGED
> HTTP/1.0 HTTPS with host header = not logged
> HTTP/1.0 HTTP with no host header = not logged
> HTTP/1.0 HTTP with host header = not logged
> HTTP/1.1 HTTPS with no host header = not logged
> HTTP/1.1 HTTPS with host header = not logged
> HTTP/1.1 HTTP with no host header = not logged
> HTTP/1.1 HTTP with host header = not logged
>
> but why?
>
> ------- Original Message -------
>> On Friday, November 11th, 2022 at 3:51 AM, <az...@po...> wrote:
>>
>> Can you upload your modsecurity.conf and crs-setup.conf somewhere?
"@eq 100" >>>> >>>> "phase:1,auditlog,id:901400,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-SAMPLING" >>>> >>>>>>>>> SecRule >>>>>>>>> "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" >>>> >>>> "phase:1,auditlog,id:9001000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DRUPAL-RULE-EXCLUSIONS" >>>> >>>>>>>>> SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" >>>>>>>>> "@eq 0" >>>> >>>> "phase:1,auditlog,id:9002000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-WORDPRESS" >>>> >>>>>>>>> SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" >>>>>>>>> "@eq 0" >>>> >>>> "phase:1,auditlog,id:9003000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-NEXTCLOUD" >>>> >>>>>>>>> SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" >>>>>>>>> "@eq 0" >>>> >>>> "phase:1,auditlog,id:9004000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-DOKUWIKI" >>>> >>>>>>>>> SecRule >>>>>>>>> "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" >>>> >>>> "phase:1,auditlog,id:9005000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-CPANEL" >>>> >>>>>>>>> SecRule >>>>>>>>> "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq >>>>>>>>> 0" >>>> >>>> "phase:1,auditlog,id:9006000,t:none,nolog,ver:OWASP_CRS/3.3.2,skipAfter:END-XENFORO" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" >>>> >>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" >>>> >>>> "phase:1,auditlog,id:912100,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >>>> >>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0" >>>>>>>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> 
"phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" 
"@lt 2" >>>> >>>> "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" >>>> >>>>>>>>> SecRule "RESPONSE_STATUS" "!@rx ^404$" >>>>>>>>> "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS >>>>>>>>> Information Leakage',logdata:'Matched Data: %{TX.0} found within >>>>>>>>> %{MATCHED_VAR_NAME}: >>>>>>>>> %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:pla >>>> >>>> 
tform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.3.2,severity:ERROR,chain" >>>> >>>>>>>>> #SecRule "RESPONSE_BODY" "@rx \\bServer Error >>>>>>>>> in.{0,50}?\\bApplication\\b" >>>> >>>> "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" >>>> >>>>>>>>> SecRule "TX:PARANOIA_LEVEL" "@ge 1" >>>> >>>> "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}" >>>> >>>>>>>>> SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" >>>> >>>> "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" >>>> >>>>>>>>> SecRule "&TX:dos_burst_time_slice" "@eq 0" >>>> >>>> "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.3.2,chain,skipAfter:END-DOS-PROTECTION-CHECKS" >>>> >>>>>>>>> SecRule "&TX:dos_counter_threshold" "@eq 0" "chain" >>>>>>>>> SecRule "&TX:dos_block_timeout" "@eq 0" >>>>>>>>> >>>>>>>>> SecAction >>>> >>>> "phase:5,id:980115,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3} >>>> >>>>>>>>> ,setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}" >>>>>>>>> >>>>>>>>> SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt >>>>>>>>> %{tx.inbound_anomaly_score_threshold}" >>>>>>>>> "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly >>>>>>>>> Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - >>>>>>>>> SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score >>>> >>>> 
},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level >>>> scores: >>>> >>>>>> %{TX.ANOMALY_SCORE_PL1}, >>>>>> >>>>>>>> %{TX.ANOMALY_SCORE_PL2}, >>>>>>>> >>>>>>>>> %{TX.ANO >>>>>>>>> MALY_SCORE_PL3}, >>>> >>>> %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >>>> >>>>>>>>> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >>>>>>>>> >>>>>>>>> SecAction >>>> >>>> "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.2,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx. >>>> >>>> outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}" >>>> >>>>>>>>> SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt >>>>>>>>> %{tx.outbound_anomaly_score_threshold}" >>>> >>>> "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly >>>> >>>>>>>>> Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): >>>>>>>>> individual paranoia level scores: %{TX.OUTBO >>>>>>>>> UND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, >>>>>>>>> %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, >>>> >>>> %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.2,chain" >>>> >>>>>>>>> #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1" >>>>>>>>> >>>>>>>>> --7337282c-Z-- >>>>>>>>> >>>>>>>>> Thanks for any help anyone can offer. >>>>>>>>> >>>>>>>>> Sent with Proton Mail secure email. >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> mod-security-users mailing list >>>>>>>> mod...@li... 
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's >>>>>>>> SpiderLabs: >>>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>>>> >>>>>>> _______________________________________________ >>>>>>> mod-security-users mailing list >>>>>>> mod...@li... >>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>>> >>>>>> _______________________________________________ >>>>>> mod-security-users mailing list >>>>>> mod...@li... >>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>>> http://www.modsecurity.org/projects/commercial/support/ >>>>> >>>>> _______________________________________________ >>>>> mod-security-users mailing list >>>>> mod...@li... >>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>>> http://www.modsecurity.org/projects/commercial/rules/ >>>>> http://www.modsecurity.org/projects/commercial/support/ >>>> >>>> _______________________________________________ >>>> mod-security-users mailing list >>>> mod...@li... >>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>>> http://www.modsecurity.org/projects/commercial/rules/ >>>> http://www.modsecurity.org/projects/commercial/support/ >>> >>> _______________________________________________ >>> mod-security-users mailing list >>> mod...@li... 
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >>> http://www.modsecurity.org/projects/commercial/rules/ >>> http://www.modsecurity.org/projects/commercial/support/ >> >> >> >> >> >> >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Ervin H. <ai...@gm...> - 2022-11-13 08:44:47
|
hey,

On Sat, Nov 12, 2022 at 06:33:02PM -0600, Arlen Walker wrote:
> What’s the current paranoia level set to? Some levels require a Host header to be present.

just my 2 cents: rule 920280 checks whether the Host header is present or not, 920290 checks that it's not empty.

Furthermore, rule 920350 checks that the Host header can't be numeric (e.g. an IPv4 or IPv6 format address).

All of them are active at *PL1*, so we can say PL settings do not play here.

https://crsdoc.digitalwave.hu/?v=v3.3.2&f=1&_trg=107%2C106

(See the "Paranoia level" field in the tables)

a. |
|
From: <az...@po...> - 2022-11-13 08:59:25
|
Is that correct behavior, as HTTP/1.0 does not require the Host header to be present? Do we support HTTP/1.0 in CRS?

Quoting Ervin Hegedüs <ai...@gm...>:

> hey,
>
> On Sat, Nov 12, 2022 at 06:33:02PM -0600, Arlen Walker wrote:
>> What’s the current paranoia level set to? Some levels require a
>> Host header to be present.
>
> just for my 2 cents: rule 920280 checks that Host header is
> present or not, 920290 checks that it's not empty.
>
> Furthermore, rule 920350 checks that Host header can't be
> numeric (eg. an IPv4 or IPv6 format address).
>
> All of them activated on *PL1*, so we can say PL settings do not
> play here.
>
> https://crsdoc.digitalwave.hu/?v=v3.3.2&f=1&_trg=107%2C106
>
> (See the "Paranoia level" field in the tables)
>
> a. |
|
From: Ervin H. <ai...@gm...> - 2022-11-13 09:52:33
|
Hi,

On Sun, Nov 13, 2022 at 09:59:09AM +0100, az...@po... wrote:
> Is that correct behavior as HTTP/1.0 does not require Host header to be
> present?

No, I think it's not. (I just answered the PL-related part of the mail.)

> Do we support HTTP/1.0 in CRS?

well, I think it's a "hard" question, because we allow it:

https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-901-INITIALIZATION.conf#L204

but it looks like we do not care about the special cases, e.g. HTTP/1.0 does not need the Host header. Look at the RFC:

https://www.rfc-editor.org/rfc/rfc2616.html#page-128
https://www.rfc-editor.org/rfc/rfc2616.html#section-19.6.1

The RFC says:

"The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL."

It does not say that "Host" is NOT mandatory in case of HTTP/1.0, it just says "Host" is mandatory in case of HTTP/1.1.

The quoted part above from the RFC means that if you use a hosted server, clients need to send "Host" to identify the resource - so, is it mandatory? :)

Furthermore: I don't remember when SNI came (for HTTPS - I mean, was HTTP/1.0 still used then?), but I think in case of using SNI the "Host" header is needed, no matter what HTTP version you use (correct me if I'm wrong).

Furthermore+: I found one more reference about HTTP/2. Looks like the "Host" header isn't mandatory there either, because the ":authority" header can replace it:

https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.3

Maybe we can fix this. A bit similar problem is the checking of the CL header in case of HTTP/2 (where CL isn't mandatory either):

https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L223-L245

First of all, it would be fine to open an issue on GH, and add it to the list of monthly chat topics.

a. |
|
From: Christian F. <chr...@ne...> - 2022-11-13 10:10:20
|
Yes, we do (-> tx.allowed_http_versions in crs-setup.conf), but 920280 triggers regardless of the HTTP version used. This is apparently not overly exact, but HTTP/1.0 is relatively rare and it's easy to do a rule exclusion.

We could extend 920280 with a chained check for the version without too much cost, I guess.

Best,

Christian

On Sun, Nov 13, 2022 at 09:59:09AM +0100, az...@po... wrote:
> Is that correct behavior as HTTP/1.0 does not require Host header to be
> present? Do we support HTTP/1.0 in CRS?
>
> Quoting Ervin Hegedüs <ai...@gm...>:
>
> > On Sat, Nov 12, 2022 at 06:33:02PM -0600, Arlen Walker wrote:
> > > What’s the current paranoia level set to? Some levels require a Host
> > > header to be present.
> >
> > just for my 2 cents: rule 920280 checks that Host header is
> > present or not, 920290 checks that it's not empty.
> >
> > Furthermore, rule 920350 checks that Host header can't be
> > numeric (eg. an IPv4 or IPv6 format address).
> >
> > All of them activated on *PL1*, so we can say PL settings do not
> > play here.
> >
> > a. |
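Added example for this thread (not code from the posts, from ModSecurity or from the CRS project): a Python triage script for the serial audit-log format quoted at the top of the thread. It splits the log into transactions on the `--boundary-X--` part markers, reads the request line and headers from part B, and reduces part K to the rules that actually alerted, dropping the `nolog` setup rules and any chain whose later member is listed with a leading `#` (the original audit log shows both patterns: the 901xxx initialization rules, and the 954130 and 980120 chains whose second rule appears as `#SecRule`). It then re-runs the three Host checks Ervin named (920280 missing, 920290 empty, 920350 numeric) on the parsed request, with an optional HTTP/1.0 exemption that models the chained version check Christian proposed and which CRS 3.3.2 does not ship. Everything in the sample log is constructed for the example: the addresses and transaction ids are made up, the CRS rules in its K parts are abbreviated to id, msg and severity, and the numeric-Host regex is an assumption about the shape 920350 rejects.

```python
"""Triage a ModSecurity 2.x serial audit log and re-check the CRS Host rules.
Added example for this thread, not ModSecurity or CRS code. SAMPLE_LOG is constructed in
the serial format the thread shows; addresses and ids are made up, CRS rules abbreviated."""
import re
from typing import Dict, List, Optional, Tuple
SAMPLE_LOG = r"""--7337282c-A--
[09/Nov/2022:07:31:10.081483 --0600] Y2urnn_-qYUkdqabPHje9QAAAFc 192.0.2.10 56866 198.51.100.5 443
--7337282c-B--
GET / HTTP/1.0

--7337282c-K--
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=332"
SecRule "&REQUEST_HEADERS:Host" "@eq 0" "phase:1,auditlog,id:920280,block,t:none,msg:'Request Missing a Host Header',severity:WARNING"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,nolog,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',chain"
#SecRule "RESPONSE_BODY" "@rx Server Error in.{0,50}?Application" "capture,t:none"
--7337282c-Z--
--7337282c-A--
[09/Nov/2022:07:32:00.000000 --0600] Y2urnn_-qYUkdqabPHje9QAAAFd 192.0.2.11 56870 198.51.100.5 443
--7337282c-B--
GET /index.html HTTP/1.1
Host: 198.51.100.5

--7337282c-K--
SecRule "REQUEST_HEADERS:Host" "@rx ^[\d.:]+$" "phase:1,auditlog,id:920350,block,t:none,msg:'Host header is a numeric IP address',severity:WARNING"
--7337282c-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--[ \t]*$", re.M)
ACT_ID = re.compile(r"(?:^|,)id:(\d+)(?:,|$)")
ACT_MSG = re.compile(r"msg:'([^']*)'")
ACT_NOLOG = re.compile(r"(?:^|,)nolog(?:,|$)")
ACT_CHAIN = re.compile(r"(?:^|,)chain(?:,|$)")
NUMERIC_HOST = re.compile(r"^[\d.:]+$")  # assumed shape of what 920350 rejects; bracketed IPv6 not covered

def split_transactions(text: str) -> List[Dict[str, str]]:
    """One {part letter: body} dict per transaction; every part A opens a new transaction."""
    txs: List[Dict[str, str]] = []
    marks = list(BOUNDARY.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        if m.group(2) == "A":
            txs.append({})
        if txs:
            txs[-1][m.group(2)] = text[m.end():end].strip("\r\n")
    return txs

def parse_request(part_b: str) -> Tuple[str, str, Dict[str, str]]:
    """Part B is the request line plus headers; return (request line, HTTP version, headers)."""
    lines = part_b.splitlines()
    request_line = lines[0].strip() if lines else ""
    version = request_line.split()[2] if request_line.count(" ") == 2 else ""  # HTTP/0.9 has no version token
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, version, headers

def fired_rules(part_k: str) -> List[Tuple[str, str]]:
    """Reduce part K to the (id, msg) pairs that alerted. K lists every matched rule fully qualified, so
    most lines are nolog setup rules; a '#' line is a chain member that did not match, so its starter never alerted."""
    fired: List[Tuple[str, str]] = []
    starter: Optional[Tuple[str, str]] = None  # alerting chain starter whose chain is still open
    for line in (raw.strip() for raw in part_k.splitlines() if raw.strip()):
        if line.startswith("#"):  # unmatched chain member: drop the pending starter
            starter = None
            continue
        actions = line.rsplit('"', 2)[-2] if line.endswith('"') else ""  # last quoted argument
        id_m, msg_m = ACT_ID.search(actions), ACT_MSG.search(actions)
        entry = (id_m.group(1), msg_m.group(1)) if id_m and msg_m and not ACT_NOLOG.search(actions) else None
        if id_m:  # a standalone rule or a chain starter
            if ACT_CHAIN.search(actions):
                starter = entry
            elif entry:
                fired.append(entry)
        elif not ACT_CHAIN.search(actions):  # final chain member matched: the chain completed
            if starter:
                fired.append(starter)
            starter = None
    return fired

def host_checks(version: str, headers: Dict[str, str], exempt_http10: bool = False) -> List[str]:
    """The three PL1 Host checks named in the thread: 920280 missing, 920290 empty, 920350 numeric.
    exempt_http10=True models the proposed chained version test: HTTP/1.0 need not carry Host."""
    host = headers.get("host")
    if host is None:
        return [] if exempt_http10 and version == "HTTP/1.0" else ["920280"]
    if not host.strip():
        return ["920290"]
    return ["920350"] if NUMERIC_HOST.match(host) else []

def triage(log_text: str, exempt_http10: bool = False) -> List[Dict[str, object]]:
    """One summary per transaction: request line, Host, rules that alerted, predicted Host rules."""
    summary: List[Dict[str, object]] = []
    for tx in split_transactions(log_text):
        request_line, version, headers = parse_request(tx.get("B", ""))
        summary.append({"id": tx["A"].split()[2] if tx.get("A") else "",  # unique id: third token of part A
                        "request": request_line, "version": version, "host": headers.get("host"),
                        "alerts": fired_rules(tx.get("K", "")),
                        "host_rules": host_checks(version, headers, exempt_http10)})
    return summary

if __name__ == "__main__":  # stand-alone run over the constructed log, with the HTTP/1.0 exemption on
    for tx in triage(SAMPLE_LOG, exempt_http10=True): print(tx["id"], tx["request"], tx["alerts"], tx["host_rules"])
```

To use it on a real deployment, replace SAMPLE_LOG with the contents of the serial audit log (the concurrent format stores the same parts, one transaction per file) and run `triage` twice, once strict and once with `exempt_http10=True`: a transaction whose `host_rules` is non-empty in strict mode but empty with the exemption is an HTTP/1.0 client that a version-aware 920280 would leave alone, and the `alerts` list is the short answer to "which rule actually fired" that the raw K part buries under the setup rules.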