owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

New option that can disable modsecurity logging into nginx error log #327

Open JakubOnderka opened 3 months ago

JakubOnderka commented 3 months ago

The ModSecurity module for nginx by default logs the whole message into the nginx error log in case a request is blocked. But the same information is also logged into the ModSecurity audit logs, so logs can grow pretty fast in case of DDoS or scanning attacks.

This patch adds a new option, modsecurity_error_log, that accepts on or off. on is the default, which logs the whole message to the error log, but it can be turned off.

It also adds a new variable, $modsecurity_status, that contains the status code from ModSecurity.

airween commented 3 months ago

Hi @JakubOnderka,

thanks for this PR!

I'm sure this patch can be useful for many users, but please consider the following:

> logs the whole message into the nginx error log in case a request is blocked. But the same information is also logged into the ModSecurity audit logs

This depends on some circumstances. E.g. by default the audit log contains the transaction-related information only if the status code is 4XX or 5XX, except 404 (see SecAuditLogRelevantStatus).

If someone uses the Core Rule Set in anomaly scoring mode, and the transaction's score does not reach the threshold, then that information will be lost (I mean the triggered rules).

Moreover, consider if someone uses some IPS/IDS (e.g. fail2ban) which uses only the error.log (as far as I know there is no plugin for fail2ban which can use audit.log) - then this configuration could be unusable.

I support any new feature, but we must make users aware of what they are doing.

> so logs can grow pretty fast in case of DDoS or scanning attacks.

If the log level is lower than info in nginx's configuration (e.g. no level), then the result is almost the same (like this PR's result).

> This patch adds a new option, modsecurity_error_log, that accepts on or off. on is the default, which logs the whole message to the error log, but it can be turned off.

A side note, but I hope others will check this PR too and write their opinions: modsecurity_error_log suggests to me where the log is, I mean the path. Maybe some more informative name would be better - e.g. modsecurity_use_error_log, or similar.

> It also adds a new variable, $modsecurity_status, that contains the status code from ModSecurity.

It would be nice to see a real example of its use. As you want to add a new configuration keyword and a new variable, please add their documentation to README.md, below the Usage section (you can do that within this PR - not a separate one). If you write the documentation for modsecurity_error_log (or the other name - we will see), then please also add the side effects I explained above.

And thanks again!
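A sketch of how the proposed directive and variable could be used together, as an added illustration that is not part of the PR or the project's documentation; it assumes the names modsecurity_error_log and $modsecurity_status exactly as described in the PR (the PR is open, so the final syntax may differ) and that the audit log is configured in the referenced rules file:

```nginx
# Added illustration (not from the PR): keep the nginx error log quiet
# while still recording one line per blocked request elsewhere.
http {
    # Assumption: $modsecurity_status is the status code ModSecurity
    # assigned, as described in the PR. Writing it into a dedicated
    # access log keeps a per-request record that log-reading tools
    # (e.g. fail2ban, which only reads error.log today) could be pointed at.
    log_format modsec '$remote_addr [$time_local] "$request" '
                      'status=$status modsec_status=$modsecurity_status';

    server {
        listen 80;

        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        # Proposed option: stop copying the full rule message into error.log.
        # Side effects raised in the review above: tools that only read
        # error.log no longer see the block, and CRS anomaly-scoring hits
        # below the threshold are not kept by the audit log either.
        modsecurity_error_log off;

        access_log /var/log/nginx/modsec_access.log modsec;

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

With the error-log output off, SecAuditLogRelevantStatus in the rules file decides which blocked transactions the audit log retains, so check that setting before relying on the audit log alone.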