owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

Has anyone met this problem where modsec_audit.log does not show anything when a 403 Forbidden is detected? #220

Closed xx-zhang closed 4 years ago

xx-zhang commented 4 years ago

Have you seen modsec_audit.log not showing anything? For example:

```shell
docker run -it --rm --name=ngx  -p 8000:80  owasp/modsecurity-crs:3.3-nginx

docker exec -it  ngx  tail -f /var/log/modsec_audit.log
```

Then, if we curl http://192.168.33.118:8080/?page=../../test_rfi, we get 403 Forbidden, but modsec_audit.log shows nothing... What's the matter?

Best wishes to you.

xx-zhang commented 4 years ago

I have changed modsecurity-nginx v1.0.1 -> 1.0.0 and that solved the problem. But setting DetectionOnly has no effect:

```json
{"transaction":{"client_ip":"192.168.33.1","time_stamp":"Thu Sep 17 14:58:45 2020","server_id":"729f37d2889d305a54228dc5b632fcc73da051b3","client_port":27298,"host_ip":"192.168.33.1","host_port":8080,"unique_id":"160032592533.438534","request":{"method":"GET","http_version":1.1,"uri":"/?page=../../k111","body":"","headers":{"Host":"192.168.33.13:8080","Connection":"keep-alive","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Accept-Encoding":"gzip, deflate","Accept-Language":"zh-CN,zh;q=0.9"}},"response":{"http_code":403,"headers":{"Server":"nginx","Date":"Thu, 17 Sep 2020 06:58:45 GMT","Content-Length":"548","Content-Type":"text/html","Connection":"keep-alive"}},"producer":{"modsecurity":"ModSecurity v3.0.3 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"DetectionOnly","components":["OWASP_CRS/3.3.0\""]},"messages":[{"message":"Path Traversal Attack (/../)","details":{"match":"Matched \"Operator `Rx' with parameter `(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5 (400 characters omitted)' against variable `ARGS:page' (Value: `../../k111' )","reference":"o9,4v4,17o2,4v11,10","ruleId":"930100","file":"/apps/nginx/conf/modsec/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf","lineNumber":"29","data":"Matched Data: /../ found within ARGS:page: ../../k111","severity":"2","ver":"OWASP_CRS/3.3.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-lfi","paranoia-level/1","OWASP_CRS","capec/1000/255/153/126"],"maturity":"0","accuracy":"0"}}]}}
```

xx-zhang commented 4 years ago

[screenshot attachment]

zimmerle commented 4 years ago

Hi @xx-zhang,

What is the version of your libModSecurity? Have you enabled the AuditLog?
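
The question above is the first thing to check whenever modsec_audit.log stays empty. The following is an added example, not part of this thread and not the configuration shipped in the owasp/modsecurity-crs image: a minimal ModSecurity v3 audit-log configuration for the nginx connector. The file paths (/etc/nginx/modsec/modsecurity.conf, /etc/nginx/modsec/main.conf, /etc/nginx/conf.d/default.conf) are assumptions; the directive names and values are standard libmodsecurity / ModSecurity-nginx directives.

```apacheconf
# /etc/nginx/modsec/modsecurity.conf (path assumed)
# Added example: a minimal audit-log setup for libmodsecurity under nginx.

# DetectionOnly logs rule matches but never blocks. A 403 that still
# appears with this setting is therefore produced by something other
# than ModSecurity (e.g. an nginx "deny" or an upstream response).
SecRuleEngine On

# With SecAuditEngine Off nothing is ever written to the audit log.
# RelevantOnly writes a record only for transactions whose response
# status matches SecAuditLogRelevantStatus; On records every transaction.
# For troubleshooting, temporarily use On so a match under DetectionOnly
# (which returns 200, not 403) is still written.
SecAuditEngine RelevantOnly

# Record 4xx/5xx responses except 404; a CRS block answered with 403 matches.
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Serial: all records go to one file, the file tail -f'd in the report.
# The nginx worker user must be able to write to this path, otherwise
# records are silently lost.
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# JSON yields the single-line structure quoted above; Native yields the
# classic multi-part text format.
SecAuditLogFormat JSON

# A header, B request headers, I request body (without file contents),
# J uploaded-file information, D reserved, E intermediary response body,
# F response headers, H audit trailer (matched rules), Z end marker.
SecAuditLogParts ABIJDEFHZ

# /etc/nginx/modsec/main.conf (path assumed) includes the file above and
# the CRS rule set:
#   Include /etc/nginx/modsec/modsecurity.conf
#   Include /etc/nginx/modsec/crs-setup.conf
#   Include /etc/nginx/modsec/rules/*.conf

# /etc/nginx/conf.d/default.conf (path assumed), inside the server block,
# using the connector's two directives:
#   modsecurity on;
#   modsecurity_rules_file /etc/nginx/modsec/main.conf;
```

After reloading nginx, a request such as the `?page=../../test_rfi` one from the report should produce both a 403 and a JSON record in /var/log/modsec_audit.log whose `producer.secrules_engine` field reads `Enabled`; if the field reads `DetectionOnly`, the loaded configuration is not the one being edited, which is worth checking before comparing connector versions.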

xx-zhang commented 4 years ago

@zimmerle Using your OWASP Docker image, owasp/modsecurity-crs:3.3-nginx;

all the latest: modsecurity 304, modsecurity-nginx 1.0.1, nginx 1.17.9, crs330.

xx-zhang commented 4 years ago

Sorry @zimmerle, the second problem I met was with modsecurity304, nginx1.18, modsecurity-nginx1.0.0. Thank you.

xx-zhang commented 4 years ago

Redirected to https://github.com/SpiderLabs/ModSecurity/issues/2237