SecAuditLogFormat set to JSON prints logs in native format aswell

Shivam0609 commented 2 months ago

Describe the bug

Unable to get json logs for Modsecurity in K8s ingress-nginx even after setting SecAuditLogFormat: JSON.

I am setting SecAuditLogFormat: JSON and I want that the logs should be printed in json format only in ingress controller pod. Is it possible to remove/disable the logs in non json format from modsecurity if SecAuditLogFormat: JSON.

Logs and dumps

Current behaviour - If you see in below logs, line number 1 & 2 are not in json format and we do not need these type of logs if SecAuditLogFormat: JSON .

(1) 2024/03/01 20:24:46 [error] 159#159: *2640 [client 111.111.11.11] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `.*[Cc]lass\..*' against variable `FULL_REQUEST' (Value: `host: example.com\x0auser-agent: curl/7.81.0\x0aaccept: */*\x0ax-test: Class.devi (22 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf"] [line "1"] [id "1"] [rev ""] [msg "spring4shell Class detected"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "11.1.1.111"] [uri "/"] [unique_id "170932468636.278391"] [ref "o0,104v118,104"], client: 111.111.11.11, server: example.com, request: "HEAD / HTTP/2.0", host: "example.com"

(2) 2024/03/01 20:24:46 [error] 159#159: *2640 [client 111.111.11.11] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `.*[Cc]lass\..*' against variable `FULL_REQUEST' (Value: `host: example.com\x0auser-agent: curl/7.81.0\x0aaccept: */*\x0ax-test: Class.devi (22 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf"] [line "1"] [id "1"] [rev ""] [msg "spring4shell Class detected"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "11.1.1.111"] [uri "/"] [unique_id "170932468683.123247"] [ref "o0,104v118,104"], client: 111.111.11.11, server: example.com, request: "HEAD / HTTP/2.0", host: "example.com"

(3) { "time_local": "01/Mar/2024:20:24:46 +0000", "remote_addr": "111.111.11.11", "remote_user": "","request": "HEAD / HTTP/2.0", "status": "403", "body_bytes_sent": "0", "request_time": "0.003", "http_referrer": "", "http_user_agent": "curl/7.81.0", "http_x_forwarded_for": "111.111.11.11", "http_session": "", "upstream_response_time": "0.003", "method": "HEAD", "request_uri": "/", "host": "example.com", "x-b3-traceid": "01aekjkjh122118f60" }

(4) {"transaction":{"client_ip":"111.111.11.11","time_stamp":"Fri Mar  1 20:24:46 2024","server_id":"a0490583sasasa879asas98asee8c49fe184b3","client_port":15943,"host_ip":"11.1.1.111","host_port":443,"unique_id":"170932468683.123247","request":{"method":"HEAD","http_version":2.0,"uri":"/","body":"","headers":{"host":"example.com","user-agent":"curl/7.81.0","accept":"*/*","x-test":"Class.devil.java.com"}},"response":{"http_code":403,"headers":{"Server":"","Server":"","Date":"Fri, 01 Mar 2024 20:24:46 GMT","Content-Type":"text/html","X-Request-Id":"","Connection":"close","X-XSS-Protection":"0","Vary":"Accept-Encoding","Content-Security-Policy":"frame-src 'self'; frame-ancestors 'self'; object-src 'self';","Referrer-Policy":"strict-origin-when-cross-origin"}},"producer":{"modsecurity":"ModSecurity v3.0.8 (Linux)","connector":"ModSecurity-nginx v1.0.3","secrules_engine":"Enabled","components":["OWASP_CRS/3.3.5\""]},"messages":[{"message":"spring4shell Class detected","details":{"match":"Matched \"Operator `Rx' with parameter `.*[Cc]lass\\..*' against variable `FULL_REQUEST' (Value: `host: example.com\\x0auser-agent: curl/7.81.0\\x0aaccept: */*\\x0ax-test: Class.devi (22 characters omitted)' )","reference":"o0,104v118,104","ruleId":"1","file":"/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf","lineNumber":"1","data":"","severity":"0","ver":"","rev":"","tags":[],"maturity":"0","accuracy":"0"}}]}}

To Reproduce

Enable modsecurity with ingress-nginx in k8s cluster . Use below configmap and the server configuration as defined in below server section

Modsecurity ConfigMap:

apiVersion: v1
data:
  custom-rules.conf: |-
    SecRule FULL_REQUEST "@rx .*[Cc]lass\..*" "id:1,phase:2,deny,status:403,msg:spring4shell Class detected,ctl:ruleEngine=On
    SecRule FULL_REQUEST "@rx .*tomcatwar\.jsp.*" "id:2,phase:2,deny,status:403,msg:spring4shell tomcatwar detected,ctl:ruleEngine=On
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "id:3,phase:1,pass,nolog,ctl:ruleEngine=Off
    SecRule FULL_REQUEST "@rx .*java\.io\.InputStream.*" "id:4,phase:2,deny,status:403,msg:spring4shell InputStream detected,ctl:ruleEngine=On
  nginx-modsecurity.conf: |-
    SecRuleEngine DetectionOnly
    SecAuditLog /dev/stdout
    SecAuditEngine RelevantOnly
    SecAuditLogFormat JSON
    SecAuditLogRelevantStatus "^(?:4(?!04))
    SecAction "id:900260,phase:1,nolog,pass,t:none,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'
    SecAction "id:900700,phase:1,nolog,pass,t:none,setvar:'tx.dos_burst_time_slice=60',setvar:'tx.dos_counter_threshold=10000',setvar:'tx.dos_block_timeout=600'
    Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
    Include /etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
kind: ConfigMap
metadata:
  name: modsecurity-config
  namespace: demo

A curl command line that mimics the original request and reproduces the problem. Or a ModSecurity v3 test case.

curl -I -H "X-test: Class.devil.java.com" "https://example.com"

Expected behavior

Want only json logs to be printed as line number 2 in below logs and should not print line number 1 & 2 as in above logs, when SecAuditLogFormat: JSON.

(1) { "time_local": "01/Mar/2024:20:24:46 +0000", "remote_addr": "111.111.11.11", "remote_user": "","request": "HEAD / HTTP/2.0", "status": "403", "body_bytes_sent": "0", "request_time": "0.003", "http_referrer": "", "http_user_agent": "curl/7.81.0", "http_x_forwarded_for": "111.111.11.11", "http_session": "", "upstream_response_time": "0.003", "method": "HEAD", "request_uri": "/", "host": "example.com", "x-b3-traceid": "01aekjkjh122118f60" }

(2) {"transaction":{"client_ip":"111.111.11.11","time_stamp":"Fri Mar  1 20:24:46 2024","server_id":"a0490583sasasa879asas98asee8c49fe184b3","client_port":15943,"host_ip":"11.1.1.111","host_port":443,"unique_id":"170932468683.123247","request":{"method":"HEAD","http_version":2.0,"uri":"/","body":"","headers":{"host":"example.com","user-agent":"curl/7.81.0","accept":"*/*","x-test":"Class.devil.java.com"}},"response":{"http_code":403,"headers":{"Server":"","Server":"","Date":"Fri, 01 Mar 2024 20:24:46 GMT","Content-Type":"text/html","X-Request-Id":"","Connection":"close","X-XSS-Protection":"0","Vary":"Accept-Encoding","Content-Security-Policy":"frame-src 'self'; frame-ancestors 'self'; object-src 'self';","Referrer-Policy":"strict-origin-when-cross-origin"}},"producer":{"modsecurity":"ModSecurity v3.0.8 (Linux)","connector":"ModSecurity-nginx v1.0.3","secrules_engine":"Enabled","components":["OWASP_CRS/3.3.5\""]},"messages":[{"message":"spring4shell Class detected","details":{"match":"Matched \"Operator `Rx' with parameter `.*[Cc]lass\\..*' against variable `FULL_REQUEST' (Value: `host: example.com\\x0auser-agent: curl/7.81.0\\x0aaccept: */*\\x0ax-test: Class.devi (22 characters omitted)' )","reference":"o0,104v118,104","ruleId":"1","file":"/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf","lineNumber":"1","data":"","severity":"0","ver":"","rev":"","tags":[],"maturity":"0","accuracy":"0"}}]}}

Server (please complete the following information):

ModSecurity version (and connector): ModSecurity v3.0.8 with nginx-connector v1.0.3
WebServer: ingress-nginx-v1.9.5
OS (and distro): Linux

Rule Set (please complete the following information):

Running any public or commercial rule set? SpiderLabs commercial rules
What is the version number? OWASP_CRS/3.3.5

Additional context

Add any other context about the problem here.

Shivam0609 commented 2 months ago

Hi,

Did anyone face similar issue or I'm missing out something in the config.

dune73 commented 2 months ago

This is really quite odd.

Can you pull out the ModSecurity configuration out of the container to share? This might help with reproducing.

Shivam0609 commented 2 months ago

This is really quite odd.

Can you pull out the ModSecurity configuration out of the container to share? This might help with reproducing.

@dune73 ,

Thanks for the response, Sure will provide you required information today.

Shivam0609 commented 2 months ago

@dune73 ,

Below is the modsecurity configuration from the container.

/etc/nginx/modsecurity/modsecurity.conf

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly

# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On

# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if your application does not use 'application/json'
#
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Sample rule to enable JSON request body parser for more subtypes.
# Uncomment or adapt this rule if you want to engage the JSON
# Processor for "+json" subtypes
#
#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# What to do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject

# Maximum parsing depth allowed for JSON objects. You want to keep this
# value as low as practical.
#
SecRequestBodyJsonDepthLimit 512

# Maximum number of args allowed per request. You want to keep this
# value as low as practical. The value should match that in rule 200007.
SecArgumentsLimit 1000

# If SecArgumentsLimit has been set, you probably want to reject any
# request body that has only been partly parsed. The value used in this
# rule should match what was used with SecArgumentsLimit
SecRule &ARGS "@ge 1000" \
"id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count',severity:2"

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?
#
# Here is a short description about the ModSecurity Multipart parser: the
# parser returns with value 0, if all "boundary-like" line matches with
# the boundary string which given in MIME header. In any other cases it returns
# with different value, eg. 1 or 2.
#
# The RFC 1341 descript the multipart content-type and its syntax must contains
# only three mandatory lines (above the content):
# * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
# * --BOUNDARY_STRING
# * --BOUNDARY_STRING--
#
# First line indicates, that this is a multipart content, second shows that
# here starts a part of the multipart content, third shows the end of content.
#
# If there are any other lines, which starts with "--", then it should be
# another boundary id - or not.
#
# After 3.0.3, there are two kinds of types of boundary errors: strict and permissive.
#
# If multipart content contains the three necessary lines with correct order, but
# there are one or more lines with "--", then parser returns with value 2 (non-zero).
#
# If some of the necessary lines (usually the start or end) misses, or the order
# is wrong, then parser returns with value 1 (also a non-zero).
#
# You can choose, which one is what you need. The example below contains the
# 'strict' mode, which means if there are any lines with start of "--", then
# ModSecurity blocked the content. But the next, commented example contains
# the 'permissive' mode, then you check only if the necessary lines exists in
# correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
# or other text files, which contains eg. HTTP headers.
#
# The difference is only the operator - in strict mode (first) the content blocked
# in case of any non-zero value. In permissive mode (second, commented) the
# content blocked only if the value is explicit 1. If it 0 or 2, the content will
# allowed.
#

#
# See #1747 and #1924 for further information on the possible values for
# MULTIPART_UNMATCHED_BOUNDARY.
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_".  The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

# -- Response body handling --------------------------------------------------

# Allow ModSecurity to access response bodies. 
# You should have this directive enabled in order to identify errors
# and data leakage issues.
# 
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
SecResponseBodyAccess On

# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml

# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288

# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial

# -- Filesystem configuration ------------------------------------------------

# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
# 
# This default setting is chosen due to all systems have /tmp available however, 
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir /tmp/

# The location where ModSecurity will keep its persistent data.  This default setting 
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir /tmp/

# -- File uploads handling configuration -------------------------------------

# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/

# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly

# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600

# -- Debug log configuration -------------------------------------------------

# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3

# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Concurrent
SecAuditLog /var/log/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/

# -- Miscellaneous -----------------------------------------------------------

# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &

# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0

# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
SecUnicodeMapFile unicode.mapping 20127

# Improve the quality of ModSecurity by sharing information about your
# current ModSecurity version and dependencies versions.
# The following information will be shared: ModSecurity version,
# Web Server version, APR version, PCRE version, Lua version, Libxml2
# version, Anonymous unique id for host.
SecStatusEngine On

SecAuditLogStorageDir /var/log/audit/

/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf

SecRule FULL_REQUEST "@rx .*[Cc]lass\..*" "id:1,phase:2,deny,status:403,msg:spring4shell Class detected,ctl:ruleEngine=On"
SecRule FULL_REQUEST "@rx .*tomcatwar\.jsp.*" "id:2,phase:2,deny,status:403,msg:spring4shell tomcatwar detected,ctl:ruleEngine=On"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "id:3,phase:1,pass,nolog,ctl:ruleEngine=Off"
SecRule FULL_REQUEST "@rx .*java\.io\.InputStream.*" "id:4,phase:2,deny,status:403,msg:spring4shell InputStream detected,ctl:ruleEngine=On"sbcp-ingress-obaas-1-controller-6946f8df5b-8ddjm:/etc/nginx$

/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/nginx-modsecurity.conf

SecRuleEngine DetectionOnly
SecAuditLog /dev/stdout
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:4(?!04))"
SecAuditLogParts AHZ
SecAction "id:900260,phase:1,nolog,pass,t:none,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
SecAction "id:900700,phase:1,nolog,pass,t:none,setvar:'tx.dos_burst_time_slice=60',setvar:'tx.dos_counter_threshold=10000',setvar:'tx.dos_block_timeout=600'"
Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf

/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf

Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

dune73 commented 2 months ago

Still think this is very odd. But the config files you are sharing do shed some light.

I have zero experience with the nginx docker container. Above I see a certain duplication of the ModSecurity setup. If I extrapolate, this might result in double engine configuration, thus 2 ModSecs running on a request somehow. One with JSON logging, one with non-JSON logging. This is a shot in the dark, but my best guess as of this writing.

I do not have the time to recreate your setup. But here is my proposal for remediation:

Start over from scratch with a fresh container (in a lab setup maybe)
Make sure the logging is correct
Then add features step by step. Also the custom rules you did. That enabling of the SecRule engine in a ModSec rule is strange. If there was no engine, the rule would not run, so no need to enable the engine.
If the problem pops up with the vanilla container, then please open an issue against the container.

Shivam0609 commented 2 months ago

Still think this is very odd. But the config files you are sharing do shed some light.

I have zero experience with the nginx docker container. Above I see a certain duplication of the ModSecurity setup. If I extrapolate, this might result in double engine configuration, thus 2 ModSecs running on a request somehow. One with JSON logging, one with non-JSON logging. This is a shot in the dark, but my best guess as of this writing.

I do not have the time to recreate your setup. But here is my proposal for remediation:

Start over from scratch with a fresh container (in a lab setup maybe)

Make sure the logging is correct

Then add features step by step. Also the custom rules you did. That enabling of the SecRule engine in a ModSec rule is strange. If there was no engine, the rule would not run, so no need to enable the engine.

If the problem pops up with the vanilla container, then please open an issue against the container.

Sure thanks @dune73 , for having a look at it.

Just to confirm when you say enabling of the SecRule engine in a ModSec rule is strange. If there was no engine, the rule would not run, so no need to enable the engine.

Do you mean ctl:ruleEngine=On in Secrule ? like below.

SecRule FULL_REQUEST "@rx .*[Cc]lass\..*" "id:1,phase:2,deny,status:403,msg:spring4shell Class detected,ctl:ruleEngine=On"

dune73 commented 2 months ago

Yes, exactly.

owasp-modsecurity / ModSecurity

SecAuditLogFormat set to JSON prints logs in native format aswell #3100