SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

v3.0-rc1 just gives warnings where it should block the request #374

Closed quenenni closed 8 years ago

quenenni commented 8 years ago

Server: Debian Wheezy
PHP Version 5.4.45-0+deb7u3
Apache-mpm-itk v2.2.22
libapache2-mod-security2: v2.8.0-2~bpo70+1
Modsec CRS: v3.0.0-rc1

It's very strange. Modsec seems to work fine. I have plenty of Warnings on attacks in my logs, but even if the rule triggered has 'block' as param, the request isn't blocked. Only warnings. The custom rules I created block the requests when asked.

I.E.: +- 25 requests like this one [data "Matched Data: /etc/passwd found within ARGS:id: cat /etc/passwd"] triggered the rule id:930120, a rule that should block the request, but no, just a warning.

My paranoia level is at 4 (setvar:tx.paranoia_level=4).

What did I miss? Is there another option to set? How can I have modsec block the requests it should block?

I attached the log of a request to the ticket: event_29140.txt

csanders-git commented 8 years ago

Have you made sure your SecRuleEngine is 'on' and that your default action is disruptive to block? Additionally, if you're using anomaly mode, did you enable that explicitly in the setup.conf?

lifeforms commented 8 years ago

@csanders-git I think this might be just the same problem as in #373 and #364. It definitely looks like the setup variables are not set in time.

@quenenni As in your other report, please replace all phase:request with phase:1 in your setup.conf and let us know if this helps!

quenenni commented 8 years ago

@lifeforms: I'll do that asap and report back here (tomorrow hopefully).

@csanders-git: My modsecurity.conf:

SecRuleEngine On
SecRequestBodyAccess On

SecRule REQUEST_HEADERS:Content-Type "(?:text|application)/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

SecRule REQUEST_HEADERS:Content-Type "application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 1124288
SecRequestBodyLimitAction Reject

SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:412,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:412, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,status:412,msg:'Multipart parser detected a possible unmatched boundary.'"

SecPcreMatchLimit 2000
SecPcreMatchLimitRecursion 2000

SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200005',phase:2,t:none,deny,status:412,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 2248288
SecResponseBodyLimitAction ProcessPartial

SecTmpDir /tmp/
SecDataDir /tmp/

SecUploadDir /var/lib/mod_security/

SecUploadKeepFiles RelevantOnly
SecUploadFileLimit 10
SecUploadFileMode 0644

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogDirMode 0777
SecAuditLogFileMode 0666
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsec/data
SecAuditLog /var/log/modsec/modsec-index

SecArgumentSeparator &
SecCookieFormat 0

SecUnicodeMapFile unicode.mapping 20127

SecStatusEngine On

SecDefaultAction "phase:2,deny,status:412,log,auditlog"

SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat

My modsecurity_crs_10_setup.conf

SecComponentSignature "OWASP_CRS/3.0.0"

SecDefaultAction "phase:1,status:412,deny,log"
SecDefaultAction "phase:2,status:412,deny,log"

SecAction \
 "id:'900001',\
  phase:request,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.error_anomaly_score=4,\
  setvar:tx.warning_anomaly_score=3,\
  setvar:tx.notice_anomaly_score=2,\
  setvar:tx.block_duration=300"

SecAction \
 "id:'900002',\
  phase:request,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.anomaly_score=0,\
  setvar:tx.sql_injection_score=0,\
  setvar:tx.xss_score=0,\
  setvar:tx.rfi_score=0,\
  setvar:tx.lfi_score=0,\
  setvar:tx.rce_score=0,\
  setvar:tx.php_injection_score=0,\
  setvar:tx.http_violation_score=0,\
  setvar:tx.session_fixation_score=0,\
  setvar:tx.inbound_anomaly_score=0,\
  setvar:tx.outbound_anomaly_score=0"

SecAction \
 "id:'900003',\
  phase:request,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.sql_injection_score_threshold=15,\
  setvar:tx.xss_score_threshold=15,\
  setvar:tx.rfi_score_threshold=5,\
  setvar:tx.lfi_score_threshold=5,\
  setvar:tx.rce_score_threshold=5,\
  setvar:tx.command_injection_score_threshold=5,\
  setvar:tx.php_injection_score_threshold=5,\
  setvar:tx.http_violation_score_threshold=5,\
  setvar:tx.trojan_score_threshold=5,\
  setvar:tx.session_fixation_score_threshold=5,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

SecAction \
 "id:'900023',\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=4"

SecAction \
  "id:'900024', \
  phase:1, \
  t:none, \
  setvar:tx.sql_error_match=0, \
  setvar:tx.msaccess=1, \
  setvar:tx.db2=1, \
  setvar:tx.emc=1, \
  setvar:tx.firebird=1, \
  setvar:tx.frontbase=1, \
  setvar:tx.hsqldb=1, \
  setvar:tx.informix=1, \
  setvar:tx.ingres=1, \
  setvar:tx.interbase=1, \
  setvar:tx.maxdb=1, \
  setvar:tx.mssql=1, \
  setvar:tx.mysql=1, \
  setvar:tx.oracle=1, \
  setvar:tx.pgsql=1, \
  setvar:tx.sqlite=1, \
  setvar:tx.sybase=1, \
  nolog, \
  pass"

SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat

SecAction \
 "id:'900022',\
  phase:request,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.high_risk_country_codes=UA RU CN MD BY KZ KR TR ID YU LT EG RO BG PK MY'"

SecHttpBlKey xxxxxxxxxx
SecAction "id:'900025', \
  phase:1, \
  nolog,\
  pass,\
  t:none,\
  setvar:tx.block_search_ip=1, \
  setvar:tx.block_suspicious_ip=1, \
  setvar:tx.block_harvester_ip=1, \
  setvar:tx.block_spammer_ip=1"

SecAction \
 "id:'900006',\
  phase:request,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.max_num_args=255"

SecAction \
 "id:'900012',\
  phase:request,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
  setvar:'tx.static_resources=jpg|jpeg|png|gif|js|css|ico|tiff|ods|fods|odt|fodt|odp|fodp|odg|docx|xlsx|rtf|csv|ppt|pptx|pps|ppsx|ogg|ogm|mp4|flac|ape|wav|mkv|mpg|mpeg|avi|flv|swf|wma', \
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain', \
  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"

SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
  "id:'900018', \
  phase:1, \
  t:none,t:sha1,t:hexEncode, \
  setvar:tx.ua_hash=%{matched_var}, \
  nolog, \
  pass"

SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
  "id:'900019', \
  phase:1, \
  t:none, \
  capture, \
  setvar:tx.real_ip=%{tx.1}, \
  nolog, \
  pass"

SecRule &TX:REAL_IP "!@eq 0" \
  "id:'900020', \
  phase:1, \
  t:none, \
  initcol:global=global, \
  initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
  nolog, \
  pass"

SecRule &TX:REAL_IP "@eq 0" \
  "id:'900021', \
  phase:1, \
  t:none, \
  initcol:global=global, \
  initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
  setvar:tx.real_ip=%{remote_addr}, \
  nolog, \
  pass"

SecCollectionTimeout 600
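The check lifeforms recommends above (setup SecActions must run in phase:1, not phase:request, so that tx.* thresholds exist before the rules that read them) can be automated against a setup.conf. The following is an added example, not code from the CRS project or from anyone in this thread. It joins ModSecurity's backslash-continued lines into logical directives, parses each SecAction's id, phase and setvar list, flags any rule that sets tx.* variables outside phase:1, and rewrites phase:request to phase:1. The embedded configuration excerpt is constructed, modelled on the setup.conf posted in this issue.

```python
import re

# Constructed excerpt modelled on the modsecurity_crs_10_setup.conf posted above:
# rule 900001 uses phase:request (the problem), rule 900023 already uses phase:1.
SETUP_CONF = r'''
SecAction \
 "id:'900001',\
  phase:request,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.inbound_anomaly_score_threshold=5"

SecAction \
 "id:'900023',\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=4"
'''


def join_continuations(text):
    """Join backslash-continued lines into one logical directive per entry."""
    logical, buf = [], ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1].strip() + " "
            continue
        buf += stripped.strip()
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    if buf.strip():
        logical.append(buf.strip())
    return logical


def split_actions(action_str):
    """Split a ModSecurity action list on commas, ignoring commas inside single quotes."""
    parts, buf, in_quote = [], "", False
    for ch in action_str:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        parts.append(buf.strip())
    return parts


def parse_setup_rules(text):
    """Return one dict per SecAction: its id, phase and the setvar assignments it makes."""
    rules = []
    for directive in join_continuations(text):
        m = re.match(r'^SecAction\s+"(.*)"$', directive)
        if not m:
            continue
        rule = {"id": None, "phase": None, "setvars": []}
        for act in split_actions(m.group(1)):
            if act.startswith("id:"):
                rule["id"] = act[3:].strip("'")
            elif act.startswith("phase:"):
                rule["phase"] = act[6:].strip()
            elif act.startswith("setvar:"):
                rule["setvars"].append(act[7:].strip("'"))
        rules.append(rule)
    return rules


def find_late_setup_rules(text):
    """Ids of setup SecActions that set variables but do not run in phase:1."""
    return [r["id"] for r in parse_setup_rules(text)
            if r["setvars"] and r["phase"] != "1"]


def fix_phases(text):
    """Rewrite phase:request to phase:1, the change recommended in this thread."""
    return re.sub(r"phase:request\b", "phase:1", text)


if __name__ == "__main__":
    print("setup rules not in phase:1:", find_late_setup_rules(SETUP_CONF))
    print("after fix:", find_late_setup_rules(fix_phases(SETUP_CONF)))
```

Run it against the real setup.conf by reading the file into `SETUP_CONF`; every id it reports is a rule whose tx.* variables may not be populated when the phase:1 and phase:2 rules that consume them are evaluated.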

quenenni commented 8 years ago

The changes I've made for #373 seem to have been the solution for the problem reported here as well. I can see blocked requests from modsec rules and not only my custom rules.

Thanks to both of you for having taken the time to help me.

csanders-git commented 8 years ago

@quenenni I'm glad we got it in the end :)