martinhsv
commented
3 years ago Hi @amorozkin ,
I'll first confirm your observation: in ModSecurity v3, part E logging can indeed occur even when SecResponseBodyAccess is Off.
The message that you are seeing ('Response body is disabled, returning...') indicates that any rules inspecting the response body will be skipped. The message does not mean that part E logging will be omitted (if E is one of the parts that has been requested).
I agree also that this is a departure from what the v2.x Reference Manual states. Whether this change in behaviour is an intentional one from v2.9 or a bug may be ambiguous.
In the immediate period, if you find the part E output bothersome, I would suggest simply removing part E from SecAuditLogParts whenever you set SecResponseBodyAccess to Off.
amorozkin
Hi! Setting SecResponseBodyAccess to Off does not prevent response body from being logged ( SecAuditLogParts ABIJDEFHZ)
Does it mean that with SecResponseBodyAccess Off ResponseBody is still being intercepted?
Expected behaviour - according to https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecAuditLogParts "E: Intermediary response body (present only if ModSecurity is configured to intercept response bodies... Intercepting response bodies requires SecResponseBodyAccess to be enabled"
Server:
Rule Set : https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
Additional context SecRuleEngine == DetectionOnly and SecAuditLogType == Concurrent Removing E from SecAuditLogParts do prevent ResponseBody from being logged. If I set SecRuleEngine to On and turn on DEBUG logging - logs do confirm that SecResponseBodyAccess is not ignored (https://github.com/SpiderLabs/ModSecurity/commit/42a472adbda21e6ecc4711fd37d704cdb3d98fbb):
Response body is disabled, returning... 1