owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

How to send an email when an attack is detected by ModSec. #2165

Closed MyAlien closed 4 years ago

MyAlien commented 4 years ago

Hello, I am a beginner on ModSec. How do I send an email as soon as an attack is detected by ModSec?

For all ModSec rules.

I tried to add exec: /local/script.sh, then restarted Nginx, but I get an error every time.

Thank you .

zimmerle commented 4 years ago

Hi @MyAlien,

I would suggest you create a separate script to go over the logs and alert you whenever convenient.

Putting the exec inside ModSecurity to send an email could lead to a performance issue.

Apart from that, what is the error message that you are getting? What is your ModSecurity version?

MyAlien commented 4 years ago

ModSecurity version v3.

Do you have a solution to be notified by email with the details of the attack?

Thank you .

MyAlien commented 4 years ago

OWASP ModSecurity CRS v3.2.0

zimmerle commented 4 years ago

Right, that is not your ModSecurity version, but the ruleset that you have loaded.

What is your webserver?

MyAlien commented 4 years ago

Web server: NGINX v1.15.8

MyAlien commented 4 years ago

The server hosts websites and also databases.

zimmerle commented 4 years ago

Can you send me the error message that you are facing?

MyAlien commented 4 years ago

When I add exec:/loc/script-email.sh at the end of a rule and restart nginx, it causes an error.

zimmerle commented 4 years ago

Right, but can you send me this error message?

MyAlien commented 4 years ago

-- L'unité (unit) nginx.service a commencé à démarrer.
sept. 18 14:02:41 www nginx[16067]: nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf. Line: 35. Column: 85. Expecting an action, got: \
sept. 18 14:02:41 www nginx[16067]: nginx: configuration file /etc/nginx/nginx.conf test failed
sept. 18 14:02:41 www systemd[1]: nginx.service: Control process exited, code=exited status=1
sept. 18 14:02:41 www systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: L'unité (unit) nginx.service a échoué
-- Defined-By: systemd

MyAlien commented 4 years ago

Is it correct?

SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,\exec:/opt/send-email-modsecurity.sh"

zimmerle commented 4 years ago

You may want to remove the escape character in front of the exec action. It will be:

SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,exec:/opt/send-email-modsecurity.sh"

You may want to double-check if in the context of the rules it is really doing what you meant it to do.

MyAlien commented 4 years ago

In ModSecurity, is there no possibility to alert by email of an attack?

Without using exec?

MyAlien commented 4 years ago

Removed /, and I still have an error. SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,exec:/opt/send-email-modsecurity.sh"

MyAlien commented 4 years ago

-- L'unité (unit) nginx.service a commencé à démarrer.
sept. 18 14:11:21 www nginx[19407]: nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf. Line: 35. Column: 37. exec: Lua support was not en
sept. 18 14:11:21 www nginx[19407]: nginx: configuration file /etc/nginx/nginx.conf test failed
sept. 18 14:11:21 www systemd[1]: nginx.service: Control process exited, code=exited status=1
sept. 18 14:11:21 www systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: L'unité (unit) nginx.service a échoué

zimmerle commented 4 years ago

Hi @MyAlien,

I've just identified that version 3 only supports the execution of Lua scripts on the exec action. I have created issue #2167 to track the progress of the implementation of that missing feature.

In the meantime, I suggest you look into the possibility of inspecting the log files.
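The log-inspection approach suggested in this thread (a separate script that reads the logs and alerts, instead of an exec action inside the rule), as an added example that is not part of the original issue or the ModSecurity project: it parses the `[key "value"]` fields of ModSecurity v3 alert lines from the nginx error log, groups hits per transaction via `unique_id`, and builds one email per transaction. The log lines are constructed samples, the SMTP relay and addresses are assumptions, and nothing is sent unless `smtp_host` is given.

```python
import re
import smtplib
from email.message import EmailMessage

# Constructed sample lines in the shape ModSecurity v3 (nginx connector) writes to the
# nginx error log; rule ids, client address and values are illustrative, not from a host.
SAMPLE_LOG = """\
2019/09/18 14:02:41 [error] 16067#16067: *3 [client 203.0.113.7] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/search"] [unique_id "1568808161"], client: 203.0.113.7, server: www
2019/09/18 14:02:41 [error] 16067#16067: *3 [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/search"] [unique_id "1568808161"], client: 203.0.113.7, server: www
2019/09/18 14:03:05 [notice] 16067#16067: signal process started
"""
KV_RE = re.compile(r'\[(\w+) "?([^"\]]*)"?\]')  # [key "value"] pairs and the [client x] tag

def parse_modsec_line(line):
    """Return the bracketed fields of a ModSecurity alert line as a dict, else None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["blocked"] = "Access denied" in line
    return fields

def collect_alerts(text):
    # Group alert lines per (client, unique_id): one transaction, one notification.
    events = {}
    for line in text.splitlines():
        f = parse_modsec_line(line)
        if f:
            events.setdefault((f.get("client", "?"), f.get("unique_id", "")), []).append(f)
    return events

def build_report(key, fields):
    """Plain-text body for one transaction: rule id, severity, URI and message per hit."""
    client, uid = key
    verb = "blocked" if any(f["blocked"] for f in fields) else "flagged"
    out = [f"ModSecurity {verb} transaction {uid} from {client}"]
    for f in fields:
        out.append(f"  rule {f.get('id', '?')} sev {f.get('severity', '?')} uri {f.get('uri', '?')}: {f.get('msg', '')}")
    return "\n".join(out)

def notify(text, sender, rcpt, smtp_host=None):
    """One report per transaction; delivered via SMTP only when smtp_host is given."""
    reports = [build_report(k, v) for k, v in collect_alerts(text).items()]
    if smtp_host:  # assumption: a local relay that accepts unauthenticated mail
        with smtplib.SMTP(smtp_host) as s:
            for body in reports:
                msg = EmailMessage()
                msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "ModSecurity alert"
                msg.set_content(body)
                s.send_message(msg)
    return reports
```

Feeding it the tail of the live error log (for example from a cron job or a `tail -F` pipe) keeps the mail sending out of the request path, which is the performance concern raised above.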

MyAlien commented 4 years ago

OK thanks .

If I understand correctly: it is impossible to send a mail when an attack is detected? Even in Lua it is not possible?

zimmerle commented 4 years ago

The exec action should support the execution of Lua scripts without further problem.

MyAlien commented 4 years ago

OK. Using a Lua script and restarting nginx gives the error: Lua support was not enabled.

Is there anything installed?

zimmerle commented 4 years ago

Lua is an optional dependency for ModSecurity. It is enabled/disabled at compile time. You need to re-compile your ModSecurity, making sure that you have the Lua devel package installed. By the end of ./configure you should see something like:

ModSecurity - v3.0.3-153-gae67c896 for Linux

 Mandatory dependencies
   + libInjection                                  ....v3.9.2-30-gbf234eb
   + SecLang tests                                 ....5d85f36

 Optional dependencies
   + GeoIP/MaxMind                                 ....found 
      * (MaxMind) v1.3.2
         -lmaxminddb , -DWITH_MAXMIND 
      * (GeoIP) v1.6.12
         -lGeoIP , -I/usr/include/ 
   + LibCURL                                       ....found v7.65.3 
      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.1.0
      -lyajl , -DWITH_YAJL -I/usr/include/yajl 
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.9
      -lxml2 -lz -llzma -licui18n -licuuc -licudata -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found 
      -lfuzzy -L/usr/lib/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v503
      -llua5.3 -L/usr/lib/, -DWITH_LUA -I/usr/include

 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled

Notice the Lua entry.

MyAlien commented 4 years ago

How do I install the Lua module?

MyAlien commented 4 years ago

adding module in /opt/lua-nginx-module
checking for LuaJIT library in /opt/luajit/lib and /opt/luajit/include/luajit-2.1 (specified by the LUAJIT_LIB and LUAJIT_INC env, with -ldl) ... not found
checking for LuaJIT library in /opt/luajit/lib and /opt/luajit/include/luajit-2.1 (specified by the LUAJIT_LIB and LUAJIT_INC env) ... not found
./configure: error: ngx_http_lua_module requires the Lua or LuaJIT library and LUAJIT_LIB is defined as /opt/luajit/lib and LUAJIT_INC (path for lua.h) /opt/luajit/include/luajit-2.1, but we cannot find LuaJIT there.
root@www:/opt/nginx-1.15.8#

All logs of the Lua module build:

root@www:/opt# cd nginx-1.15.8/
root@www:/opt/nginx-1.15.8# ./configure --prefix=/opt/nginx --with-ld-opt="-Wl,-rpath,/opt/luajit/lib" --add-module=/opt/ngx_devel_kit --add-module=/opt/lua-nginx-module
checking for OS

airween commented 4 years ago

You have to install the Lua development files (or package), e.g.:

apt install liblua5.3-dev

MyAlien commented 4 years ago

Ok thx

I cannot find the module?

-- L'unité (unit) nginx.service a commencé à démarrer.
sept. 18 16:28:24 www nginx[8287]: nginx: [emerg] dlopen() "/usr/share/nginx/modules/ngx_http_lua_module.so" failed (/usr/share/nginx/modules/ngx_http_lua_module
sept. 18 16:28:24 www nginx[8287]: nginx: configuration file /etc/nginx/nginx.conf test failed
sept. 18 16:28:24 www systemd[1]: nginx.service: Control process exited, code=exited status=1
sept. 18 16:28:24 www systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: L'unité (unit) nginx.service a échoué
-- Defined-By: systemd

MyAlien commented 4 years ago

root@www:/opt/nginx-1.15.8# ./configure --add-module=/usr/share/nginx/modules

Not completed.

zimmerle commented 4 years ago

Does /usr/share/nginx/modules/ngx_http_lua_module.so exist?

MyAlien commented 4 years ago

No

root@www:~# ls /usr/share/nginx/modules/
ngx_http_auth_pam_module.so ngx_http_geoip_module.so ngx_http_subs_filter_module.so ngx_mail_module.so
ngx_http_dav_ext_module.so ngx_http_image_filter_module.so ngx_http_upstream_fair_module.so ngx_stream_module.so
ngx_http_echo_module.so ngx_http_modsecurity_module.so ngx_http_xslt_filter_module.so
root@www:~#

airween commented 4 years ago

Then you have to install it:

sudo apt install libnginx-mod-http-lua

(on Debian/Ubuntu systems)

MyAlien commented 4 years ago

Thx

root@www:~# ls /usr/share/nginx/modules/
ndk_http_module.so ngx_http_echo_module.so ngx_http_lua_module.so ngx_http_upstream_fair_module.so ngx_stream_module.so
ngx_http_auth_pam_module.so ngx_http_geoip_module.so ngx_http_modsecurity_module.so ngx_http_xslt_filter_module.so
ngx_http_dav_ext_module.so ngx_http_image_filter_module.so ngx_http_subs_filter_module.so ngx_mail_module.so
root@www:~#

sept. 20 19:00:17 www nginx[7150]: nginx: [emerg] dlopen() "/usr/share/nginx/modules/ngx_http_lua_module.so" failed (/usr/share/nginx/modules/ngx_http_lua_module.so: undefined symbol: ndk_set_var_value) in /etc/nginx/nginx.conf:5

airween commented 4 years ago

Do you have a Debian system?

Please share with us this output:

ls -la /etc/nginx/modules-enabled/*.conf

You should see something like this:

lrwxrwxrwx 1 root root 52 Jan 28  2019 /etc/nginx/modules-enabled/10-mod-http-ndk.conf -> /usr/share/nginx/modules-available/mod-http-ndk.conf
lrwxrwxrwx 1 root root 57 Jan 28  2019 /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf -> /usr/share/nginx/modules-available/mod-http-auth-pam.conf
lrwxrwxrwx 1 root root 60 Jan 28  2019 /etc/nginx/modules-enabled/50-mod-http-cache-purge.conf -> /usr/share/nginx/modules-available/mod-http-cache-purge.conf
...

Also copy here this output:

nginx -V

Please put the outputs between 3 ` characters, like this: ```, to format the output.

Edit: note that here is a similar problem, and I think the solution was the order of the modules; that's why I asked for the outputs above.

Archerkong commented 4 years ago

I think you can detect log changes and send email; I just got the idea but I haven't tried it. Or try log analysis tools.