Closed: muradmomani closed this issue 4 years ago
Hi @muradmomani ,
I tried very long content for modsecurity_rules in a basic nginx deployment. I was able to precipitate an obvious length-related failure. In my case a message appeared in nginx's error.log at startup: '[emerg] ... : too long parameter, ...'
This error, at least, seems to be related to a limit within nginx code itself rather than ModSecurity or ModSecurity-nginx. See https://github.com/nginx/nginx/blob/master/src/core/ngx_conf_file.c
The length limit here is bytes rather than lines -- specifically, 4096 bytes. Which is approximately the length of the single-quoted parameter that you have pasted above, if you remove a couple lines.
I think that nginx limit is very likely the limit that you have encountered.
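A pre-deployment check for the limit described in the reply above, as an added example that is not part of the original thread or of the nginx or ModSecurity code: it measures each quoted `modsecurity_rules` parameter in a rendered nginx configuration and reports those that reach 4096 bytes. The function names, the constructed sample configuration and the choice to flag at exactly 4096 bytes are assumptions.

```python
import re

NGX_PARAM_LIMIT = 4096  # bytes; the figure quoted in the reply above (assumed threshold)

# modsecurity_rules followed by one single- or double-quoted parameter and ';'.
DIRECTIVE = re.compile(
    r"""modsecurity_rules\s+(?P<q>['"])"""
    r"""(?P<body>(?:\\.|(?!(?P=q))[^\\])*)(?P=q)\s*;""",
    re.DOTALL,
)

def oversized_rule_params(conf_text, limit=NGX_PARAM_LIMIT):
    """Return (line_number, byte_length) for every modsecurity_rules
    parameter whose UTF-8 length reaches the limit."""
    findings = []
    for m in DIRECTIVE.finditer(conf_text):
        line_start = conf_text.rfind("\n", 0, m.start()) + 1
        if "#" in conf_text[line_start:m.start()]:
            continue  # directive sits behind a comment marker
        size = len(m.group("body").encode("utf-8"))  # nginx counts bytes, not lines
        if size >= limit:
            line_no = conf_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, size))
    return findings

def sample_conf():
    """Constructed sample: one short rules block and one padded past the
    limit with rules shaped like those pasted in the issue."""
    rule = ('SecRule REQUEST_URI "@beginswith /uri" '
            '"phase:2,nolog,pass,id:%d,ctl:ruleRemoveTargetById=942430;ARGS:name"\n')
    short = "SecRuleEngine On\n" + rule % 10022
    long_ = "SecRuleEngine On\n" + "".join(rule % i for i in range(10022, 10122, 2))
    return (
        "location /a {\n  modsecurity on;\n  modsecurity_rules '\n" + short + "';\n}\n"
        "location /b {\n  modsecurity on;\n  modsecurity_rules '\n" + long_ + "';\n}\n"
    )

if __name__ == "__main__":
    for line_no, size in oversized_rule_params(sample_conf()):
        print(f"line {line_no}: modsecurity_rules parameter is {size} bytes "
              f"(limit {NGX_PARAM_LIMIT})")
```

A flagged parameter can be shortened by moving rules into a file that the parameter pulls in with `Include`, as the last line of the rules pasted in the issue already does for the CRS.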
Hi,
I'm trying to add the following rules in the modsecurity_rules directive, but they are getting truncated; if I remove the last four rules, then they are all applied. It seems to be a limitation issue in the modsecurity_rules directive.
This follows this issue: https://github.com/kubernetes/ingress-nginx/issues/5673
```
SecRuleEngine On
SecRequestBodyLimit 13107200
SecRequestBodyLimitAction ProcessPartial
SecAction "id:900000, phase:1, nolog, pass, t:none, setvar:tx.paranoia_level=4"
SecAction "id:900110,phase:3,pass,nolog, setvar:tx.inbound_anomaly_score_threshold=5, setvar:tx.outbound_anomaly_score_threshold=4"
SecAction "id:980145,phase:5,pass,t:none,log,noauditlog,msg:'Incoming and Outgoing Score: %{TX.ANOMALY_SCORE} %{TX.OUTBOUND_ANOMALY_SCORE}'"
SecRuleRemoveById 980130
SecRuleRemoveById 942432
SecRuleRemoveById 920273
SecRuleUpdateTargetById 942440 "!ARGS:name"
SecRuleUpdateTargetById 942421 "!ARGS:name"
SecAction "phase:2,nolog,pass,id:10026,ctl:ruleRemoveTargetById=942421;!ARGS:name"
SecAction "phase:2,nolog,pass,id:10028,ctl:ruleRemoveTargetById=942440;!ARGS:name"
SecAction "phase:2,nolog,pass,id:10026,ctl:ruleRemoveTargetById=942421;!ARGS:name"
SecAction "phase:2,nolog,pass,id:10028,ctl:ruleRemoveTargetById=942440;!ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:1,chain,id:10000,log,msg:'to handle the multipart/form-data at url : /uri',ctl:requestBodyAccess=On"
    SecRule REQUEST_HEADERS:Content-Type "@contains multipart/form-data" "t:none"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10004,ctl:ruleRemoveTargetById=920273;ARGS"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10014,ctl:ruleRemoveById=920300;"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10022,ctl:ruleRemoveTargetById=942431;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10024,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10026,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10028,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10030,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10032,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10034,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10036,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10038,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10040,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10042,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10044,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10046,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10048,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10050,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10052,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10054,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10056,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10058,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10060,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10062,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10064,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10066,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10068,ctl:ruleRemoveTargetById=942430;ARGS:name"
SecRule REQUEST_URI "@beginswith /uri" "phase:2,nolog,pass,id:10070,ctl:ruleRemoveTargetById=942430;ARGS:name"
Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
```