bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

[enhancement] Modsecurity logs are not easy to read #65

Closed thelittlefireman closed 3 years ago

thelittlefireman commented 3 years ago

Hi, I'm wondering why the bunkerized-nginx ModSecurity log is not as verbose as usual ModSecurity?

(---H--- section is never redacted)

It only appears when SecRuleEngine DetectionOnly is placed in the modsec-confs of a site.

Bunkerized ModSecurity audit log; most of the time I don't know why the request has been blocked by ModSecurity:

---tlWGFxtQ---A--
[29/Dec/2020:00:00:14 +0100] 160919641435.018878 82.64.132.39 0 192.168.0.150 10443
---tlWGFxtQ---B--
POST /api/v4/jobs/request HTTP/1.1
User-Agent: gitlab-runner 13.7.0 (13-7-stable; go1.13.8; linux/amd64)
X-Forwarded-Proto: https
CF-Visitor: {"scheme":"https"}
Content-Length: 592
X-Forwarded-For: 82.64.132.39
Accept: application/json
CF-RAY: 608ee5758e1eee0b-CDG
CF-IPCountry: FR
Host: gitlab.mydomain
Accept-Encoding: gzip
Connection: Keep-Alive
CDN-Loop: cloudflare
Content-Type: application/json
CF-Request-ID: 074d2dbd790000ee0bfc29b000000001
CF-Connecting-IP: 82.64.132.39

---tlWGFxtQ---C--
{"info":{"name":"gitlab-runner","version":"13.7.0","revision":"943fc252","platform":"linux","architecture":"amd64","executor":"docker","shell":"bash","features":{"variables":true,"image":true,"services":true,"artifacts":true,"cache":true,"shared":false,"upload_multiple_artifacts":true,"upload_raw_artifacts":true,"session":true,"terminal":true,"refspecs":true,"masking":true,"proxy":false,"raw_variables":true,"artifacts_exclude":true,"multi_build_steps":true,"trace_reset":true,"trace_checksum":true,"trace_size":true,"vault_secrets":true,"cancelable":true}},"token":"XXXXXXXX"}

---tlWGFxtQ---F--
HTTP/1.1 502
X-Frame-Options: DENY
X-Powered-By: 
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
Content-Length: 150
X-AspNet-Version: 
Date: Mon, 28 Dec 2020 23:00:14 GMT
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
X-AspNetMvc-Version: 
Server: 
Server: 
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';
Referrer-Policy: no-referrer
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()

---tlWGFxtQ---H--

---tlWGFxtQ---Z--

---Mn93sDoA---A--
[29/Dec/2020:00:00:36 +0100] 160919643652.345588 82.64.132.39 0 192.168.0.150 10443
---Mn93sDoA---B--
POST /api/v4/jobs/request HTTP/1.1
User-Agent: gitlab-runner 13.7.0 (13-7-stable; go1.13.8; linux/amd64)
X-Forwarded-Proto: https
CF-Visitor: {"scheme":"https"}
Content-Length: 592
X-Forwarded-For: 82.64.132.39
Accept: application/json
CF-RAY: 608ee5ffc884ee0b-CDG
CF-IPCountry: FR
Host: gitlab.mydomain
Accept-Encoding: gzip
Connection: Keep-Alive
CDN-Loop: cloudflare
Content-Type: application/json
CF-Request-ID: 074d2e13dc0000ee0b199ef000000001
CF-Connecting-IP: 82.64.132.39

---Mn93sDoA---C--
{"info":{"name":"gitlab-runner","version":"13.7.0","revision":"943fc252","platform":"linux","architecture":"amd64","executor":"docker","shell":"bash","features":{"variables":true,"image":true,"services":true,"artifacts":true,"cache":true,"shared":false,"upload_multiple_artifacts":true,"upload_raw_artifacts":true,"session":true,"terminal":true,"refspecs":true,"masking":true,"proxy":false,"raw_variables":true,"artifacts_exclude":true,"multi_build_steps":true,"trace_reset":true,"trace_checksum":true,"trace_size":true,"vault_secrets":true,"cancelable":true}},"token":"XXXXXXX"}

---Mn93sDoA---F--
HTTP/1.1 502
X-Frame-Options: DENY
X-Powered-By: 
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
Content-Length: 150
X-AspNet-Version: 
Date: Mon, 28 Dec 2020 23:00:36 GMT
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
X-AspNetMvc-Version: 
Server: 
Server: 
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';
Referrer-Policy: no-referrer
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()

---Mn93sDoA---H--

---Mn93sDoA---Z--

---q7WspInc---A--
[29/Dec/2020:00:00:22 +0100] 160919642218.006842 2a01:e0a:169:7f90::d73a:9b9d 0 192.168.0.150 10443
---q7WspInc---B--
PROPFIND /remote.php/dav/files/thelittlefireman/ HTTP/1.1
CF-Visitor: {"scheme":"https"}
Content-Length: 105
X-Forwarded-For: 2a01:e0a:169:7f90::d73a:9b9d
CF-IPCountry: FR
Host: nextcloud.mydomain
Accept-Encoding: gzip
Cookie: __cfduid=XXXXXXXXX; oc_sessionPassphrase=XXXXXX; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocyau81zl2y2=XXXX
Depth: 0
X-Forwarded-Proto: https
User-Agent: Mozilla/5.0 (Linux) mirall/3.1.1-20201225.075704.75c329f4f-1.0~groovy1 (Nextcloud)
Connection: Keep-Alive
CDN-Loop: cloudflare
Authorization: Basic XXXXXXXXXXXXXX=
CF-RAY: 608ee5a9ec1c2c92-LHR
Accept: */*
Content-Type: text/xml; charset=utf-8
X-Request-ID: 3f165a19-81e1-4e3c-b14d-2a4a6ea00737
Accept-Language: fr-FR,en,*
CF-Request-ID: 074d2dde3100002c92d1186000000001
CF-Connecting-IP: 2a01:e0a:169:7f90::d73a:9b9d

---q7WspInc---C--
<?xml version="1.0" ?>
<d:propfind xmlns:d="DAV:">
  <d:prop>
    <d:getetag/>
  </d:prop>
</d:propfind>

---q7WspInc---F--
HTTP/1.1 502
X-Frame-Options: DENY
X-Powered-By: 
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
Content-Length: 150
X-AspNet-Version: 
Date: Mon, 28 Dec 2020 23:00:39 GMT
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
X-AspNetMvc-Version: 
Server: 
Server: 
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';
Referrer-Policy: no-referrer
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()

---q7WspInc---H--

---q7WspInc---Z--

---tlWGFxtQ---A--
[29/Dec/2020:00:00:22 +0100] 160919642257.459901 2a01:e0a:169:7f90::d73a:9b9d 0 192.168.0.150 10443
---tlWGFxtQ---B--
GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1
If-None-Match: d751713988987e9331980363e24189ce
OCS-APIREQUEST: true
CF-Visitor: {"scheme":"https"}
X-Forwarded-For: 2a01:e0a:169:7f90::d73a:9b9d
CF-IPCountry: FR
Host: nextcloud.mydomain
Accept-Encoding: gzip
Cookie: __cfduid=xxxxxxx; oc_sessionPassphrase=xxxxxxx; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocyau81zl2y2=xxxxxxx
X-Forwarded-Proto: https
User-Agent: Mozilla/5.0 (Linux) mirall/3.1.1-20201225.075704.75c329f4f-1.0~groovy1 (Nextcloud)
Connection: Keep-Alive
CDN-Loop: cloudflare
Authorization: Basic xxxxxxxx=
CF-RAY: 608ee5a9ed01ce27-LHR
Accept: */*
X-Request-ID: d8076c19-5ae1-4bf4-afcb-18c1740f9b13
Accept-Language: fr-FR,en,*
CF-Request-ID: 074d2dde300000ce2739b81000000001
CF-Connecting-IP: 2a01:e0a:169:7f90::d73a:9b9d

---tlWGFxtQ---F--
HTTP/1.1 502
X-Frame-Options: DENY
X-Powered-By: 
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
Content-Length: 150
X-AspNet-Version: 
Date: Mon, 28 Dec 2020 23:00:39 GMT
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
X-AspNetMvc-Version: 
Server: 
Server: 
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';
Referrer-Policy: no-referrer
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()

---tlWGFxtQ---H--

---tlWGFxtQ---Z--

---lTYy9qaE---A--
[29/Dec/2020:00:00:52 +0100] 160919645279.473571 2a01:e0a:169:7f90::d73a:9b9d 0 192.168.0.150 10443
---lTYy9qaE---B--
PROPFIND /remote.php/dav/files/thelittlefireman/ HTTP/1.1
CF-Visitor: {"scheme":"https"}
Content-Length: 105
X-Forwarded-For: 2a01:e0a:169:7f90::d73a:9b9d
CF-IPCountry: FR
Host: nextcloud.mydomain
Accept-Encoding: gzip
Cookie: __cfduid=xxxxxxx; oc_sessionPassphrase=xxxxxx; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocyau81zl2y2=xxxxxxx; cf_ob_info=502:xxxx:LHR; cf_use_ob=443
Depth: 0
X-Forwarded-Proto: https
User-Agent: Mozilla/5.0 (Linux) mirall/3.1.1-20201225.075704.75c329f4f-1.0~groovy1 (Nextcloud)
Connection: Keep-Alive
CDN-Loop: cloudflare
Authorization: Basic xxxxxxxx=
CF-RAY: 608ee6657dfdce27-LHR
Accept: */*
Content-Type: text/xml; charset=utf-8
X-Request-ID: b7fdc335-f1f0-4ec2-aabf-1c37f4acfd91
Accept-Language: fr-FR,en,*
CF-Request-ID: 074d2e53670000ce27659a8000000001
CF-Connecting-IP: 2a01:e0a:169:7f90::d73a:9b9d

---lTYy9qaE---C--
<?xml version="1.0" ?>
<d:propfind xmlns:d="DAV:">
  <d:prop>
    <d:getetag/>
  </d:prop>
</d:propfind>

---lTYy9qaE---F--
HTTP/1.1 502
X-Frame-Options: DENY
X-Powered-By: 
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
Content-Length: 150
X-AspNet-Version: 
Date: Mon, 28 Dec 2020 23:00:52 GMT
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
X-AspNetMvc-Version: 
Server: 
Server: 
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';
Referrer-Policy: no-referrer
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()

---lTYy9qaE---H--

---lTYy9qaE---Z--

---7gPFqyx8---A--
[29/Dec/2020:00:01:36 +0100] 160919649645.400873 82.64.132.39 0 192.168.0.150 10443
---7gPFqyx8---B--
POST /api/v4/jobs/request HTTP/1.1
User-Agent: gitlab-runner 13.7.0 (13-7-stable; go1.13.8; linux/amd64)
X-Forwarded-Proto: https
CF-Visitor: {"scheme":"https"}
Content-Length: 592
X-Forwarded-For: 82.64.132.39
Accept: application/json
CF-RAY: 608ee7773df8ee0b-CDG
CF-IPCountry: FR
Host: gitlab.mydomain
Accept-Encoding: gzip
Connection: Keep-Alive
CDN-Loop: cloudflare
Content-Type: application/json
CF-Request-ID: 074d2efe7f0000ee0be72d9000000001
CF-Connecting-IP: 82.64.132.39

---7gPFqyx8---C--
{"info":{"name":"gitlab-runner","version":"13.7.0","revision":"943fc252","platform":"linux","architecture":"amd64","executor":"docker","shell":"bash","features":{"variables":true,"image":true,"services":true,"artifacts":true,"cache":true,"shared":false,"upload_multiple_artifacts":true,"upload_raw_artifacts":true,"session":true,"terminal":true,"refspecs":true,"masking":true,"proxy":false,"raw_variables":true,"artifacts_exclude":true,"multi_build_steps":true,"trace_reset":true,"trace_checksum":true,"trace_size":true,"vault_secrets":true,"cancelable":true}},"token":"XXXXXX"}

---7gPFqyx8---F--
HTTP/1.1 502
X-Frame-Options: DENY
X-Powered-By: 
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
Content-Length: 150
X-AspNet-Version: 
Date: Mon, 28 Dec 2020 23:01:36 GMT
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
X-AspNetMvc-Version: 
Server: 
Server: 
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';
Referrer-Policy: no-referrer
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()

---7gPFqyx8---H--

---7gPFqyx8---Z--

---BPhGQAsZ---A--
[29/Dec/2020:00:01:59 +0100] 160919651932.190637 192.168.0.254 37662 192.168.0.150 10443
---BPhGQAsZ---B--
GET /notifications/hub?access_token=XXXXXXXXX HTTP/1.1
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: experimentation_subject_id=XXXXXXXX
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Origin: chrome-extension://nngceckbapebfimnlniiiahkandclblb
Upgrade: websocket
Cache-Control: no-cache
Pragma: no-cache
Connection: Upgrade
Host: bitwarden.mydomain
Sec-WebSocket-Key: /varXXXXXXXXX
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits

---BPhGQAsZ---F--
HTTP/1.1 400
Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';
X-Frame-Options: DENY
Referrer-Policy: no-referrer
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
Date: Mon, 28 Dec 2020 23:01:59 GMT
X-XSS-Protection: 1; mode=block
Connection: keep-alive
X-Powered-By: 
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 2
Server: 
Server: 
Cache-Control: no-cache, no-store, max-age=0
Strict-Transport-Security: max-age=31536000
Access-Control-Allow-Origin: chrome-extension://nngceckbapebfimnlniiiahkandclblb
X-AspNet-Version: 
X-AspNetMvc-Version: 
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vibrate=(), vr=()

---BPhGQAsZ---H--

To compare, a ModSecurity instance that I plan to replace with bunkerized:

---oKQGPk1S---A--
[01/Dec/2020:23:09:25 +0100] 160686056552.374133 82.65.170.30 0 192.168.0.150 8443
---oKQGPk1S---B--
POST /webapi/entry.cgi HTTP/1.1
CF-Connecting-IP: 82.65.170.30
CF-Request-ID: 06c1f38491000068cafe14d000000001
Accept-Encoding: gzip
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
sec-fetch-site: same-origin
referer: https://syno.mydomain/
sec-fetch-dest: empty
CF-Visitor: {"scheme":"https"}
origin: https://syno.mydomain
x-syno-token: xxxx
accept: */*
CF-RAY: 5fb021e749bb68ca-CDG
sec-fetch-mode: cors
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Connection: Keep-Alive
X-Forwarded-For: 82.65.170.30
X-Forwarded-Proto: https
Content-Length: 89
cookie: XXXXXXXXX
Host: syno.mydomain
CF-IPCountry: FR
x-requested-with: XMLHttpRequest
content-type: application/x-www-form-urlencoded; charset=UTF-8
CDN-Loop: cloudflare

---oKQGPk1S---D--

---oKQGPk1S---F--
HTTP/1.1 200
Expires: 0
Vary: Accept-Encoding
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Strict-Transport-Security: max-age=15768000
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
Connection: keep-alive
Content-Encoding: gzip
Keep-Alive: timeout=60
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Content-Type: application/json; charset="UTF-8"
Date: Tue, 01 Dec 2020 22:09:25 GMT
Server: nginx
Referrer-Policy: same-origin

---oKQGPk1S---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:^[\W\d]+\s*?(?:(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nve (1040 characters omitted)' against variable `ARGS:action' (Value: `"load"' ) [file "/usr/local/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "425"] [id "942360"] [rev ""] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: "load found within ARGS:action: "load""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.0.150"] [uri "/webapi/entry.cgi"] [unique_id "160686056552.374133"] [ref "o0,5v1434,6t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.0.150"] [uri "/webapi/entry.cgi"] [unique_id "160686056552.374133"] [ref ""]

---oKQGPk1S---I--

---oKQGPk1S---J--

---oKQGPk1S---Z--

---VkGO3oYF---A--
[01/Dec/2020:23:09:30 +0100] 160686057044.553456 82.65.170.30 0 192.168.0.150 8443
---VkGO3oYF---B--
POST /webapi/entry.cgi HTTP/1.1
CF-Connecting-IP: 82.65.170.30
CF-Request-ID: 06c1f3989d000068cae039f000000001
Accept-Encoding: gzip
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
sec-fetch-site: same-origin
referer: https://syno.mydomain/
sec-fetch-dest: empty
CF-Visitor: {"scheme":"https"}
origin: https://syno.mydomain
x-syno-token: xxxxxxx
accept: */*
CF-RAY: 5fb022076e1f68ca-CDG
sec-fetch-mode: cors
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Connection: Keep-Alive
X-Forwarded-For: 82.65.170.30
X-Forwarded-Proto: https
Content-Length: 89
cookie: xxxxxxxxx
Host: syno.mydomain
CF-IPCountry: FR
x-requested-with: XMLHttpRequest
content-type: application/x-www-form-urlencoded; charset=UTF-8
CDN-Loop: cloudflare

---VkGO3oYF---D--

---VkGO3oYF---F--
HTTP/1.1 200
Expires: 0
Vary: Accept-Encoding
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Strict-Transport-Security: max-age=15768000
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
Connection: keep-alive
Content-Encoding: gzip
Keep-Alive: timeout=60
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Content-Type: application/json; charset="UTF-8"
Date: Tue, 01 Dec 2020 22:09:30 GMT
Server: nginx
Referrer-Policy: same-origin

---VkGO3oYF---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:^[\W\d]+\s*?(?:(?:alter\s*(?:a(?:(?:pplication\s*rol|ggregat)e|s(?:ymmetric\s*ke|sembl)y|u(?:thorization|dit)|vailability\s*group)|c(?:r(?:yptographic\s*provider|edential)|o(?:l(?:latio|um)|nve (1040 characters omitted)' against variable `ARGS:action' (Value: `"load"' ) [file "/usr/local/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "425"] [id "942360"] [rev ""] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: "load found within ARGS:action: "load""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.0.150"] [uri "/webapi/entry.cgi"] [unique_id "160686057044.553456"] [ref "o0,5v1434,6t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.0.150"] [uri "/webapi/entry.cgi"] [unique_id "160686057044.553456"] [ref ""]

Seculin commented 3 years ago

We can add this kind of project to parse them: https://github.com/molu8bits/modsecurity-parser
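As an added example (not code from this issue, from modsecurity-parser, or from the bunkerweb project), the parser below reads the native serial audit-log format pasted above, keeps each transaction's unique_id, request line, response status and part H rule messages, and reports why the entry exists: when part H carries "ModSecurity: Warning" lines it names the CRS rule ids and anomaly score, and an entry with an empty part H and a 4xx/5xx status was written only because the status matched SecAuditLogRelevantStatus, the directive the maintainer's reply mentions removing. The sample log is constructed and abbreviated from the two kinds of entries in the issue.

```python
import re
from dataclasses import dataclass, field

# Part boundary, e.g. "---tlWGFxtQ---H--": random boundary token, then the part letter.
PART_RE = re.compile(r"^---\w+---([A-Z])--$")
# [key "value"] fields of a "ModSecurity: Warning. ..." line in part H. Values may contain
# bare quotes (see the [data "..."] field), so a value ends at the first quote before "]".
KV_RE = re.compile(r'\[(\w+) "(.*?)"\]')

@dataclass
class Transaction:
    unique_id: str = ""
    request_line: str = ""
    status: int = 0
    rule_hits: list = field(default_factory=list)  # (rule id, msg) pairs from part H
    anomaly_score: int = 0

def parse_audit_log(text):
    """Parse native (serial) ModSecurity audit-log text into Transaction objects."""
    txs, tx, part = [], None, None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            part = m.group(1)
            if part == "A":          # every part A opens a new transaction, even when the
                tx = Transaction()   # boundary token repeats (as it does in the pasted log)
                txs.append(tx)
            continue
        if tx is None or not line.strip():
            continue
        if part == "A":
            tx.unique_id = line.split()[2]           # "[date tz] unique_id client ..."
        elif part == "B" and not tx.request_line:
            tx.request_line = line                   # first line of part B is the request line
        elif part == "F" and not tx.status:
            tx.status = int(line.split()[1])         # "HTTP/1.1 502" -> 502
        elif part == "H" and line.startswith("ModSecurity:"):
            f = dict(KV_RE.findall(line))
            tx.rule_hits.append((f.get("id", ""), f.get("msg", "")))
            tx.anomaly_score = max((int(s) for s in re.findall(r"Total Score: (\d+)", line)), default=tx.anomaly_score)
    return txs

def classify(tx):
    if tx.rule_hits:                   # part H names the rules: this entry can be debugged
        return "rule-match"
    if tx.status >= 400:               # no rule fired: the entry was written only because the
        return "relevant-status-only"  # response status matched SecAuditLogRelevantStatus
    return "no-reason"

def summarize(tx):
    ids = ",".join(i for i, _ in tx.rule_hits) or "-"
    return f"{tx.unique_id} {tx.request_line} -> {tx.status} {classify(tx)} rules={ids} score={tx.anomaly_score}"

# Constructed sample, abbreviated from the two kinds of entries pasted in the issue.
SAMPLE = """\
---tlWGFxtQ---A--
[29/Dec/2020:00:00:14 +0100] 160919641435.018878 82.64.132.39 0 192.168.0.150 10443
---tlWGFxtQ---B--
POST /api/v4/jobs/request HTTP/1.1
---tlWGFxtQ---F--
HTTP/1.1 502
---tlWGFxtQ---H--

---tlWGFxtQ---Z--
---oKQGPk1S---A--
[01/Dec/2020:23:09:25 +0100] 160686056552.374133 82.65.170.30 0 192.168.0.150 8443
---oKQGPk1S---B--
POST /webapi/entry.cgi HTTP/1.1
---oKQGPk1S---F--
HTTP/1.1 200
---oKQGPk1S---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:...)' against variable `ARGS:action' (Value: `"load"' ) [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "425"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: "load found within ARGS:action: "load""] [severity "2"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"]
---oKQGPk1S---Z--
"""
```

Running `for t in parse_audit_log(SAMPLE): print(summarize(t))` flags the 502 entry as relevant-status-only and the 200 entry as a rule match on 942360 and 949110 with anomaly score 5.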

fl0ppy-d1sk commented 3 years ago

Hello @thelittlefireman,

I think it should be better with the last version. I've removed the SecAuditLogRelevantStatus directive to avoid logging when ModSecurity is not blocking the request. Also, the modsec_audit.log is now directly displayed. Feel free to open a new issue if needed.