owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

Wrong? file values in Nginx error log #233

Closed Ricardolaponder closed 3 years ago

Ricardolaponder commented 3 years ago

Hi,

I am setting up ModSecurity with the nginx ingress controller on Kubernetes to send events to our SIEM. Whenever ModSecurity intervenes in a request, nginx throws the following error:

2020/12/17 15:40:24 [error] 191#191: *650 [client 10.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.10.10.10"] [uri "/"] [unique_id "d2d014613a174e35e48789650559ea84"] [ref ""], client: 10.10.10.20, server: test.test.local, request: "GET /?q="><script>alert(1)</script> HTTP/2.0", host: "test.test.local"

In the error message the value of file is always /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf. The corresponding event in the audit log from ModSecurity has 4 messages and looks like this:

ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: "><script>alert(1)</script>"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.10.10.10"] [uri "/"] [unique_id "8ef393b56194a7c174eb2087fdff06c2"] [ref "v8,27t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `ARGS:q' (Value: `"><script>alert(1)</script>' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "63"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:q: "><script>alert(1)</script>"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.10.10.10"] [uri "/"] [unique_id "8ef393b56194a7c174eb2087fdff06c2"] [ref "o2,8v8,27t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3146 characters omitted)' against variable `ARGS:q' (Value: `"><script>alert(1)</script>' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "180"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:q: "><script>alert(1)</script>"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.10.10.10"] [uri "/"] [unique_id "8ef393b56194a7c174eb2087fdff06c2"] [ref "o2,7o18,8v8,27t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.10.10.10"] [uri "/"] [unique_id "8ef393b56194a7c174eb2087fdff06c2"] [ref ""]

I am not only interested in [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] as a value but also [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]. I've looked in the config/documentation but haven't found a way to output all the messages in the error logging, or just to show me a different value than REQUEST-949-BLOCKING-EVALUATION. I've seen various blogs where they do see the values I want, for example: https://notsosecure.com/continuous-security-monitoring/

Am I missing something like a config setting, or should I log things differently?

zimmerle commented 3 years ago

Hi @Ricardolaponder

What is logged in the Nginx error log is why a disruptive action was taken -- the reason the request was blocked. In your case, the scoring was above a certain threshold, categorizing the request as malicious and therefore blocking it. The other messages are the chain of information on why the score was so high. The former is likely to be obtained from the audit logs.
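Added example (not code from this issue or from the ModSecurity-nginx project): a small Python parser for the `[key "value"]` message format shown in the posts above. It reads both audit-log messages and nginx error-log lines, groups them by `unique_id`, and reports every rule that contributed to a request's score alongside the 949 rule that finally blocked it, which is the view the SIEM dashboard described here needs. The sample lines are constructed from the messages quoted in the issue (trimmed tag lists, and the anomaly score reduced to 10 because only two 941 rules are included); the function and variable names are this example's own.

```python
import re
from collections import defaultdict
from typing import Any, Dict, List

# One '[key "value"]' field. The CRS "data" field contains unescaped quotes
# (e.g. `"><script>`), so the value is matched lazily up to a '"]' that is
# followed by the next field, a comma (nginx error-log suffix) or end of line.
FIELD_RE = re.compile(r'\[(\w+) "(.*?)"\](?=\s*(?:\[|,|$))')
# Outcome prefix: a scoring warning, or the disruptive action with its status.
OUTCOME_RE = re.compile(r"ModSecurity: (?:(Warning)|Access denied with code (\d+))")

# Constructed sample: three audit-log messages for one request (two CRS 941
# XSS rules raising the anomaly score, then the 949 blocking evaluation) and
# one nginx error-log line for a second request. Field layout as in the issue.
SAMPLE_LOG = r"""
ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: "><script>alert(1)</script>"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [tag "attack-xss"] [tag "paranoia-level/1"] [hostname "10.10.10.10"] [uri "/"] [unique_id "8ef393b56194a7c174eb2087fdff06c2"] [ref "v8,27t:utf8toUnicode"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `ARGS:q' (Value: `"><script>alert(1)</script>' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "63"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:q: "><script>alert(1)</script>"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [tag "attack-xss"] [tag "paranoia-level/1"] [hostname "10.10.10.10"] [uri "/"] [unique_id "8ef393b56194a7c174eb2087fdff06c2"] [ref "o2,8v8,27t:utf8toUnicode"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [tag "attack-generic"] [hostname "10.10.10.10"] [uri "/"] [unique_id "8ef393b56194a7c174eb2087fdff06c2"] [ref ""]
2020/12/17 15:40:24 [error] 191#191: *650 [client 10.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [tag "attack-generic"] [hostname "10.10.10.10"] [uri "/"] [unique_id "d2d014613a174e35e48789650559ea84"] [ref ""], client: 10.10.10.20, server: test.test.local, request: "GET /?q="><script>alert(1)</script> HTTP/2.0", host: "test.test.local"
"""
SAMPLE_LINES: List[str] = [ln.strip() for ln in SAMPLE_LOG.strip().splitlines()]


def parse_message(line: str) -> Dict[str, Any]:
    """Parse one ModSecurity message into a dict of its bracketed fields.

    Repeated keys (only "tag" in practice) become a list; every other key
    keeps its single value. "blocked" and "status" come from the prefix.
    """
    match = OUTCOME_RE.search(line)
    if match is None:
        raise ValueError("not a ModSecurity message: %r" % line[:60])
    fields: Dict[str, List[str]] = defaultdict(list)
    for key, value in FIELD_RE.findall(line):
        fields[key].append(value)
    rec: Dict[str, Any] = {k: (v if k == "tag" else v[0]) for k, v in fields.items()}
    rec["blocked"] = match.group(1) is None          # not a Warning -> disruptive
    rec["status"] = int(match.group(2)) if match.group(2) else None
    return rec


def summarize_requests(lines: List[str]) -> Dict[str, Dict[str, Any]]:
    """Group messages by unique_id: which rules fired, and whether/why blocked."""
    by_request: Dict[str, Dict[str, Any]] = {}
    for line in lines:
        rec = parse_message(line)
        uid = rec.get("unique_id", "<no unique_id>")
        entry = by_request.setdefault(uid, {
            "blocked": False, "status": None,
            "hostname": rec.get("hostname"), "uri": rec.get("uri"), "rules": [],
        })
        # Keep every contributing rule, not just the 949 evaluation rule that
        # the nginx error log reports.
        entry["rules"].append({
            "id": rec.get("id"), "file": rec.get("file"),
            "msg": rec.get("msg"), "severity": rec.get("severity"),
        })
        if rec["blocked"]:
            entry["blocked"] = True
            entry["status"] = rec["status"]
    return by_request


if __name__ == "__main__":
    for uid, info in summarize_requests(SAMPLE_LINES).items():
        state = "blocked %s" % info["status"] if info["blocked"] else "passed"
        print("%s %s %s" % (uid, info["uri"], state))
        for rule in info["rules"]:
            print("   %s %s (%s)" % (rule["id"], rule["file"].rsplit("/", 1)[-1], rule["msg"]))
```

Feeding the audit log (rather than the error log) through `summarize_requests` gives one record per request with all four rule hits, so the dashboard can show the 941 file and rule ids that actually raised the score; the error-log line alone only ever yields the 949 entry, as zimmerle explains.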

Ricardolaponder commented 3 years ago

Hi @zimmerle,

Thanks, that makes sense. I had hoped there was a way to change the logging to the format in the example above. For now I will build our dashboarding from the audit logs only.

zimmerle commented 3 years ago

A rule can set variables for further usage. A rule match can set a variable that is later used to compose a rule message that can somewhat state why a score is bigger than a particular threshold. Within ModSecurity it is possible to do so. Maybe you want to open an issue on the ruleset, so they can have it working accordingly.