Closed (lifeforms closed this issue 8 years ago)
I think this has been around before. Here is a dump of my audit log for ModSec 2.7.5 on Apache 2.4.18:
--30a40174-H--
Message: Warning. Pattern match "(?:(?<!\\w)(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:a. [file "/core-rules/modsecurity_crs_40_generic_attacks.conf"] [line "205"] [id "950005"] [rev "3"] [msg "Remote File Access Attempt"] [data "Matched Data: /etc/ found within ARGS:a: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]
Message: Warning. Operator LT matched 500 at TX:inbound_anomaly_score. [file "/core-rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): Remote File Access Attempt"]
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
Apache-Error: [file "core.c"] [line 4433] [level 6] AH00128: File does not exist: %s
Stopwatch: 1457442539179655 5578 (- - -)
Stopwatch2: 1457442539179655 5578; combined=3790, p1=645, p2=1952, p3=82, p4=303, p5=807, sr=147, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
So if this is a bug, then it is an old one. Or one introduced by a fairly recent apache version.
I'm seeing lots of these:
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
In addition to this, I see many "Message: Cannot add scalar value without an associated key" lines prior to the Apache-Error above. There seems to be a 1:1 mapping, and they have started since running 2.9.1 (unfortunately I was running 2.7.3 prior to that, so I can't comment on exactly which build introduced this behavior).
@Bridavis, I think the messages populated with %s etc. date back at least to 2.7.5, but nobody noticed. It may also depend on the apache version.
We see that scalar value message for the first time. Could you elaborate a bit? Ideally a minimal config and request to provoke the message. That would help to reproduce and isolate it.
@dune73 : Server version: Apache/2.4.6 (CentOS)
I will send you a copy of the log offline.
Attaching log here in case anyone has seen this before. This doesn't seem to be an impacting issue, other than filling up the logs, but I'd like to confirm. modsec_audit_scaler.txt
seeing the same here: FreeBSD 9.3-RELEASE-p39 / Apache24 / modsec 2.9.1
the reason is that the error log format is used instead of the formatted error log message
I have created a pull request for this problem: https://github.com/SpiderLabs/ModSecurity/pull/1216
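To make the root cause stated in the previous comment concrete, here is an added Python example; it is not ModSecurity's or Apache's code. Python's `logging` stands in for Apache's error-log hook: each record carries both a printf-style template (`record.msg`) and the arguments, and a hook that copies the template instead of rendering it produces exactly the `%s` residue seen in the `Apache-Error:` lines above. The `unrendered_lines` check can be run over a real audit log `-H-` section to find such lines; the two sample lines are copied from the audit log excerpt earlier in this thread.

```python
import io
import logging
import re

# Two Apache-Error lines copied from the audit log excerpt earlier in this thread.
AUDIT_H_SECTION = """\
Apache-Error: [file "core.c"] [line 4433] [level 6] AH00128: File does not exist: %s
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
"""

# printf conversion specs that must never survive into a rendered message.
UNRENDERED = re.compile(r"%[sdc]")


def unrendered_lines(audit_text):
    """Apache-Error lines that still carry conversion specs: the template was logged, not the message."""
    return [
        line for line in audit_text.splitlines()
        if line.startswith("Apache-Error:") and UNRENDERED.search(line)
    ]


class TemplateHandler(logging.Handler):
    """Buggy hook: writes the record's format template to the audit buffer."""

    def __init__(self, buf):
        super().__init__()
        self.buf = buf

    def emit(self, record):
        # record.msg is the unrendered template; the arguments are never applied.
        self.buf.write(
            f'Apache-Error: [file "{record.filename}"] [line {record.lineno}] {record.msg}\n'
        )


class RenderedHandler(TemplateHandler):
    """Fixed hook: renders the template with its arguments before writing it."""

    def emit(self, record):
        self.buf.write(
            f'Apache-Error: [file "{record.filename}"] [line {record.lineno}] '
            f"{record.getMessage()}\n"
        )


def capture(handler_cls):
    """Emit two Apache-style messages through the given hook and return the audit text."""
    buf = io.StringIO()
    logger = logging.getLogger(f"apache-error-demo.{handler_cls.__name__}")
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.addHandler(handler_cls(buf))
    # Constructed messages shaped like the AH00128 / AH01626 lines in the thread.
    logger.error("AH00128: File does not exist: %s", "/var/www/htdocs/missing.php")
    logger.debug("AH01626: authorization result of %s: %s", "Require all granted", "granted")
    return buf.getvalue()


if __name__ == "__main__":
    print("lines with leaked templates in the page's excerpt:", unrendered_lines(AUDIT_H_SECTION))
    print("buggy hook:\n" + capture(TemplateHandler))
    print("fixed hook:\n" + capture(RenderedHandler))
```

The practical check is the first function: if any `Apache-Error:` line in an audit log still contains `%s`, the emitter wrote the template rather than the rendered message, which is the condition the patch addresses.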
Hi @arminabf, Thank you for the patch.
@dune73: Any input on the patch ?
-> comments with the PR.
@zimmerle as #1216 is closed, should this issue be closed as well?
Hi @arminabf, that is correct! Thanks for reminding me.
Hello everyone,
I have deployed a WAF on cloud (Azure) App Gateway WAF.
I have a false positive (CANNOT ADD SCALAR VALUE WITHOUT AN ASSOCIATED KEY).
I don't know why the WAF detects a request as bad traffic.
This is the complete request:

```
POST https://edu-pp.tactileo.fr/profile/internal/permissions HTTP/1.1
cache-control: no-cache
Accept: application/json
Content-Type: application/json
Authorization: Bearer

[ "teacher" ]
```
Hello @mrahmatellah, is your FP related to this issue in any way?
Hi @mrahmatellah,
The error message you mentioned "Cannot add scalar value without an associated key" usually happens when the JSON parser can't associate a key to a given JSON value as the code normally expects a key/value format (e.g. [profession: "teacher"]) data for JSON and your request only contains the value ([ "teacher" ]).
Still, as far as I can remember this error message shouldn't be causing a false positive... Unless maybe if this issue is causing the request body parser to fail and triggering rule 200002...
If the problem persists, please open a new issue for proper tracking and provide ModSecurity logs, because as @dune73 has mentioned we can't see an explicit link between your problem and this issue.
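The explanation above (a JSON body is flattened into named ARGS, so a bare top-level array like `[ "teacher" ]` has no key to attach its scalar to) and the speculation that a parser failure could trip rule 200002 can be shown with an added Python example. This is not ModSecurity's JSON body processor; it is a stand-alone re-implementation of the behaviour the comment describes. The strict mode raises on a keyless scalar, and a body-processor failure is what the `REQBODY_ERROR` variable reports, which is the condition the "Failed to parse request body" rule 200002 in `modsecurity.conf-recommended` checks. The lenient mode with synthetic `json.0`-style names is an assumed scheme for illustration, not ModSecurity's own naming. The regex is rule 950005's pattern, copied from the audit log excerpt at the top of this thread, so the flattened ARGS can also be run through it.

```python
import json
import re

# Rule 950005's pattern, copied from the audit log excerpt at the top of this thread.
RFI_PATTERN = re.compile(
    r"(?:(?<!\w)(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)"
)


class BodyParseError(ValueError):
    """Raised when a scalar has no key, mirroring the log message discussed in this thread."""


def flatten_json(body, prefix="json", index_arrays=False):
    """Turn a JSON document into a list of (name, value) ARGS pairs.

    index_arrays=False reproduces the strict behaviour described above: a scalar
    with no enclosing object key cannot be named, so the body is rejected.
    index_arrays=True is an assumed lenient scheme (not ModSecurity's naming) that
    gives array members synthetic names such as json.0, json.1 or roles.0.
    """
    args = []

    def walk(node, key):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, k if key is None else f"{key}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                if index_arrays:
                    walk(v, f"{prefix if key is None else key}.{i}")
                else:
                    walk(v, key)  # arrays carry no key of their own
        else:
            if key is None:
                raise BodyParseError("Cannot add scalar value without an associated key")
            args.append((key, "" if node is None else str(node)))

    walk(json.loads(body), None)
    return args


def inspect_body(body, index_arrays=False):
    """Return what a rule set would see for this body: REQBODY_ERROR plus 950005 hits."""
    try:
        args = flatten_json(body, index_arrays=index_arrays)
    except BodyParseError as exc:
        # A body-processor failure is surfaced as REQBODY_ERROR (with the message in
        # REQBODY_ERROR_MSG); rule 200002 denies on REQBODY_ERROR != 0.
        return {"reqbody_error": 1, "reqbody_error_msg": str(exc), "args": [], "rfi_hits": []}
    hits = [f"ARGS:{name}" for name, value in args if RFI_PATTERN.search(value)]
    return {"reqbody_error": 0, "reqbody_error_msg": "", "args": args, "rfi_hits": hits}


if __name__ == "__main__":
    # Constructed sample bodies: the one from the comment above, a keyed variant,
    # and one that would match rule 950005 once flattened into ARGS.
    for body in ('[ "teacher" ]', '{"roles": ["teacher"]}', '{"a": "/etc/passwd"}'):
        print(body, "->", inspect_body(body))
        print(body, "(lenient) ->", inspect_body(body, index_arrays=True))
```

Wrapping the value in an object (`{"roles": ["teacher"]}`) gives every scalar a key and parses in strict mode, which is the kind of change a development team could make on the client side; the lenient mode shows what a parser that names array members itself would produce instead of an error.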
thank you very much for this answer,
I will open a new issue (tomorrow I shall see that with our developers team; if they can't resolve it, I shall open a new issue).
Thank you for your answer again !!
With ModSecurity 2.9.1RC1 on FreeBSD, for every ModSecurity log line in the audit log, another line
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
is logged. (So if there are three ModSecurity events, there are three Apache-Error lines.) This looks weird and increases the size of the audit logs.
Reproduce:
An Apache-Error line for every ModSecurity log entry in the H section.
Example: