owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0
8.31k stars 1.61k forks source link

SecAuditLogFormat set to JSON prints logs in native format aswell #3100

Open Shivam0609 opened 9 months ago

Shivam0609 commented 9 months ago

Describe the bug

Unable to get json logs for Modsecurity in K8s ingress-nginx even after setting SecAuditLogFormat: JSON.

I am setting SecAuditLogFormat: JSON and I want that the logs should be printed in json format only in ingress controller pod. Is it possible to remove/disable the logs in non json format from modsecurity if SecAuditLogFormat: JSON.

Logs and dumps

Current behaviour - If you see in below logs, line number 1 & 2 are not in json format and we do not need these type of logs if SecAuditLogFormat: JSON .

(1) 2024/03/01 20:24:46 [error] 159#159: *2640 [client 111.111.11.11] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `.*[Cc]lass\..*' against variable `FULL_REQUEST' (Value: `host: example.com\x0auser-agent: curl/7.81.0\x0aaccept: */*\x0ax-test: Class.devi (22 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf"] [line "1"] [id "1"] [rev ""] [msg "spring4shell Class detected"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "11.1.1.111"] [uri "/"] [unique_id "170932468636.278391"] [ref "o0,104v118,104"], client: 111.111.11.11, server: example.com, request: "HEAD / HTTP/2.0", host: "example.com"

(2) 2024/03/01 20:24:46 [error] 159#159: *2640 [client 111.111.11.11] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `.*[Cc]lass\..*' against variable `FULL_REQUEST' (Value: `host: example.com\x0auser-agent: curl/7.81.0\x0aaccept: */*\x0ax-test: Class.devi (22 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf"] [line "1"] [id "1"] [rev ""] [msg "spring4shell Class detected"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "11.1.1.111"] [uri "/"] [unique_id "170932468683.123247"] [ref "o0,104v118,104"], client: 111.111.11.11, server: example.com, request: "HEAD / HTTP/2.0", host: "example.com"

(3) { "time_local": "01/Mar/2024:20:24:46 +0000", "remote_addr": "111.111.11.11", "remote_user": "","request": "HEAD / HTTP/2.0", "status": "403", "body_bytes_sent": "0", "request_time": "0.003", "http_referrer": "", "http_user_agent": "curl/7.81.0", "http_x_forwarded_for": "111.111.11.11", "http_session": "", "upstream_response_time": "0.003", "method": "HEAD", "request_uri": "/", "host": "example.com", "x-b3-traceid": "01aekjkjh122118f60" }

(4) {"transaction":{"client_ip":"111.111.11.11","time_stamp":"Fri Mar  1 20:24:46 2024","server_id":"a0490583sasasa879asas98asee8c49fe184b3","client_port":15943,"host_ip":"11.1.1.111","host_port":443,"unique_id":"170932468683.123247","request":{"method":"HEAD","http_version":2.0,"uri":"/","body":"","headers":{"host":"example.com","user-agent":"curl/7.81.0","accept":"*/*","x-test":"Class.devil.java.com"}},"response":{"http_code":403,"headers":{"Server":"","Server":"","Date":"Fri, 01 Mar 2024 20:24:46 GMT","Content-Type":"text/html","X-Request-Id":"","Connection":"close","X-XSS-Protection":"0","Vary":"Accept-Encoding","Content-Security-Policy":"frame-src 'self'; frame-ancestors 'self'; object-src 'self';","Referrer-Policy":"strict-origin-when-cross-origin"}},"producer":{"modsecurity":"ModSecurity v3.0.8 (Linux)","connector":"ModSecurity-nginx v1.0.3","secrules_engine":"Enabled","components":["OWASP_CRS/3.3.5\""]},"messages":[{"message":"spring4shell Class detected","details":{"match":"Matched \"Operator `Rx' with parameter `.*[Cc]lass\\..*' against variable `FULL_REQUEST' (Value: `host: example.com\\x0auser-agent: curl/7.81.0\\x0aaccept: */*\\x0ax-test: Class.devi (22 characters omitted)' )","reference":"o0,104v118,104","ruleId":"1","file":"/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf","lineNumber":"1","data":"","severity":"0","ver":"","rev":"","tags":[],"maturity":"0","accuracy":"0"}}]}}

To Reproduce

Enable modsecurity with ingress-nginx in k8s cluster . Use below configmap and the server configuration as defined in below server section

Modsecurity ConfigMap:

apiVersion: v1
data:
  custom-rules.conf: |-
    SecRule FULL_REQUEST "@rx .*[Cc]lass\..*" "id:1,phase:2,deny,status:403,msg:spring4shell Class detected,ctl:ruleEngine=On
    SecRule FULL_REQUEST "@rx .*tomcatwar\.jsp.*" "id:2,phase:2,deny,status:403,msg:spring4shell tomcatwar detected,ctl:ruleEngine=On
    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "id:3,phase:1,pass,nolog,ctl:ruleEngine=Off
    SecRule FULL_REQUEST "@rx .*java\.io\.InputStream.*" "id:4,phase:2,deny,status:403,msg:spring4shell InputStream detected,ctl:ruleEngine=On
  nginx-modsecurity.conf: |-
    SecRuleEngine DetectionOnly
    SecAuditLog /dev/stdout
    SecAuditEngine RelevantOnly
    SecAuditLogFormat JSON
    SecAuditLogRelevantStatus "^(?:4(?!04))
    SecAction "id:900260,phase:1,nolog,pass,t:none,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'
    SecAction "id:900700,phase:1,nolog,pass,t:none,setvar:'tx.dos_burst_time_slice=60',setvar:'tx.dos_counter_threshold=10000',setvar:'tx.dos_block_timeout=600'
    Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
    Include /etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
    Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
kind: ConfigMap
metadata:
  name: modsecurity-config
  namespace: demo

A curl command line that mimics the original request and reproduces the problem. Or a ModSecurity v3 test case.

curl -I -H "X-test: Class.devil.java.com" "https://example.com"

Expected behavior

Want only json logs to be printed as line number 2 in below logs and should not print line number 1 & 2 as in above logs, when SecAuditLogFormat: JSON.

(1) { "time_local": "01/Mar/2024:20:24:46 +0000", "remote_addr": "111.111.11.11", "remote_user": "","request": "HEAD / HTTP/2.0", "status": "403", "body_bytes_sent": "0", "request_time": "0.003", "http_referrer": "", "http_user_agent": "curl/7.81.0", "http_x_forwarded_for": "111.111.11.11", "http_session": "", "upstream_response_time": "0.003", "method": "HEAD", "request_uri": "/", "host": "example.com", "x-b3-traceid": "01aekjkjh122118f60" }

(2) {"transaction":{"client_ip":"111.111.11.11","time_stamp":"Fri Mar  1 20:24:46 2024","server_id":"a0490583sasasa879asas98asee8c49fe184b3","client_port":15943,"host_ip":"11.1.1.111","host_port":443,"unique_id":"170932468683.123247","request":{"method":"HEAD","http_version":2.0,"uri":"/","body":"","headers":{"host":"example.com","user-agent":"curl/7.81.0","accept":"*/*","x-test":"Class.devil.java.com"}},"response":{"http_code":403,"headers":{"Server":"","Server":"","Date":"Fri, 01 Mar 2024 20:24:46 GMT","Content-Type":"text/html","X-Request-Id":"","Connection":"close","X-XSS-Protection":"0","Vary":"Accept-Encoding","Content-Security-Policy":"frame-src 'self'; frame-ancestors 'self'; object-src 'self';","Referrer-Policy":"strict-origin-when-cross-origin"}},"producer":{"modsecurity":"ModSecurity v3.0.8 (Linux)","connector":"ModSecurity-nginx v1.0.3","secrules_engine":"Enabled","components":["OWASP_CRS/3.3.5\""]},"messages":[{"message":"spring4shell Class detected","details":{"match":"Matched \"Operator `Rx' with parameter `.*[Cc]lass\\..*' against variable `FULL_REQUEST' (Value: `host: example.com\\x0auser-agent: curl/7.81.0\\x0aaccept: */*\\x0ax-test: Class.devi (22 characters omitted)' )","reference":"o0,104v118,104","ruleId":"1","file":"/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf","lineNumber":"1","data":"","severity":"0","ver":"","rev":"","tags":[],"maturity":"0","accuracy":"0"}}]}}

Server (please complete the following information):

Rule Set (please complete the following information):

Additional context

Add any other context about the problem here.

Shivam0609 commented 8 months ago

Hi,

Did anyone face similar issue or I'm missing out something in the config.

dune73 commented 8 months ago

This is really quite odd.

Can you pull out the ModSecurity configuration out of the container to share? This might help with reproducing.

Shivam0609 commented 8 months ago

This is really quite odd.

Can you pull out the ModSecurity configuration out of the container to share? This might help with reproducing.

@dune73 ,

Thanks for the response, Sure will provide you required information today.

Shivam0609 commented 8 months ago

@dune73 ,

Below is the modsecurity configuration from the container.

/etc/nginx/modsecurity/modsecurity.conf

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly

# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On

# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if your application does not use 'application/json'
#
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Sample rule to enable JSON request body parser for more subtypes.
# Uncomment or adapt this rule if you want to engage the JSON
# Processor for "+json" subtypes
#
#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# What to do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject

# Maximum parsing depth allowed for JSON objects. You want to keep this
# value as low as practical.
#
SecRequestBodyJsonDepthLimit 512

# Maximum number of args allowed per request. You want to keep this
# value as low as practical. The value should match that in rule 200007.
SecArgumentsLimit 1000

# If SecArgumentsLimit has been set, you probably want to reject any
# request body that has only been partly parsed. The value used in this
# rule should match what was used with SecArgumentsLimit
SecRule &ARGS "@ge 1000" \
"id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count',severity:2"

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?
#
# Here is a short description about the ModSecurity Multipart parser: the
# parser returns with value 0, if all "boundary-like" line matches with
# the boundary string which given in MIME header. In any other cases it returns
# with different value, eg. 1 or 2.
#
# The RFC 1341 descript the multipart content-type and its syntax must contains
# only three mandatory lines (above the content):
# * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
# * --BOUNDARY_STRING
# * --BOUNDARY_STRING--
#
# First line indicates, that this is a multipart content, second shows that
# here starts a part of the multipart content, third shows the end of content.
#
# If there are any other lines, which starts with "--", then it should be
# another boundary id - or not.
#
# After 3.0.3, there are two kinds of types of boundary errors: strict and permissive.
#
# If multipart content contains the three necessary lines with correct order, but
# there are one or more lines with "--", then parser returns with value 2 (non-zero).
#
# If some of the necessary lines (usually the start or end) misses, or the order
# is wrong, then parser returns with value 1 (also a non-zero).
#
# You can choose, which one is what you need. The example below contains the
# 'strict' mode, which means if there are any lines with start of "--", then
# ModSecurity blocked the content. But the next, commented example contains
# the 'permissive' mode, then you check only if the necessary lines exists in
# correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
# or other text files, which contains eg. HTTP headers.
#
# The difference is only the operator - in strict mode (first) the content blocked
# in case of any non-zero value. In permissive mode (second, commented) the
# content blocked only if the value is explicit 1. If it 0 or 2, the content will
# allowed.
#

#
# See #1747 and #1924 for further information on the possible values for
# MULTIPART_UNMATCHED_BOUNDARY.
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_".  The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

# -- Response body handling --------------------------------------------------

# Allow ModSecurity to access response bodies. 
# You should have this directive enabled in order to identify errors
# and data leakage issues.
# 
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
SecResponseBodyAccess On

# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml

# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288

# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial

# -- Filesystem configuration ------------------------------------------------

# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
# 
# This default setting is chosen due to all systems have /tmp available however, 
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir /tmp/

# The location where ModSecurity will keep its persistent data.  This default setting 
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir /tmp/

# -- File uploads handling configuration -------------------------------------

# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/

# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly

# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600

# -- Debug log configuration -------------------------------------------------

# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3

# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Concurrent
SecAuditLog /var/log/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/

# -- Miscellaneous -----------------------------------------------------------

# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &

# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0

# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
SecUnicodeMapFile unicode.mapping 20127

# Improve the quality of ModSecurity by sharing information about your
# current ModSecurity version and dependencies versions.
# The following information will be shared: ModSecurity version,
# Web Server version, APR version, PCRE version, Lua version, Libxml2
# version, Anonymous unique id for host.
SecStatusEngine On

SecAuditLogStorageDir /var/log/audit/

/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf

SecRule FULL_REQUEST "@rx .*[Cc]lass\..*" "id:1,phase:2,deny,status:403,msg:spring4shell Class detected,ctl:ruleEngine=On"
SecRule FULL_REQUEST "@rx .*tomcatwar\.jsp.*" "id:2,phase:2,deny,status:403,msg:spring4shell tomcatwar detected,ctl:ruleEngine=On"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "id:3,phase:1,pass,nolog,ctl:ruleEngine=Off"
SecRule FULL_REQUEST "@rx .*java\.io\.InputStream.*" "id:4,phase:2,deny,status:403,msg:spring4shell InputStream detected,ctl:ruleEngine=On"sbcp-ingress-obaas-1-controller-6946f8df5b-8ddjm:/etc/nginx$ 

/etc/nginx/owasp-modsecurity-crs/custom-modsec-config/nginx-modsecurity.conf

SecRuleEngine DetectionOnly
SecAuditLog /dev/stdout
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:4(?!04))"
SecAuditLogParts AHZ
SecAction "id:900260,phase:1,nolog,pass,t:none,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
SecAction "id:900700,phase:1,nolog,pass,t:none,setvar:'tx.dos_burst_time_slice=60',setvar:'tx.dos_counter_threshold=10000',setvar:'tx.dos_block_timeout=600'"
Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /etc/nginx/owasp-modsecurity-crs/custom-modsec-config/custom-rules.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf

/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf

Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
dune73 commented 8 months ago

Still think this is very odd. But the config files you are sharing do shed some light.

I have zero experience with the nginx docker container. Above I see a certain duplication of the ModSecurity setup. If I extrapolate, this might result in double engine configuration, thus 2 ModSecs running on a request somehow. One with JSON logging, one with non-JSON logging. This is a shot in the dark, but my best guess as of this writing.

I do not have the time to recreate your setup. But here is my proposal for remediation:

Shivam0609 commented 8 months ago

Still think this is very odd. But the config files you are sharing do shed some light.

I have zero experience with the nginx docker container. Above I see a certain duplication of the ModSecurity setup. If I extrapolate, this might result in double engine configuration, thus 2 ModSecs running on a request somehow. One with JSON logging, one with non-JSON logging. This is a shot in the dark, but my best guess as of this writing.

I do not have the time to recreate your setup. But here is my proposal for remediation:

  • Start over from scratch with a fresh container (in a lab setup maybe)
  • Make sure the logging is correct
  • Then add features step by step. Also the custom rules you did. That enabling of the SecRule engine in a ModSec rule is strange. If there was no engine, the rule would not run, so no need to enable the engine.
  • If the problem pops up with the vanilla container, then please open an issue against the container.

Sure thanks @dune73 , for having a look at it.

Just to confirm when you say enabling of the SecRule engine in a ModSec rule is strange. If there was no engine, the rule would not run, so no need to enable the engine.

Do you mean ctl:ruleEngine=On in Secrule ? like below.

SecRule FULL_REQUEST "@rx .*[Cc]lass\..*" "id:1,phase:2,deny,status:403,msg:spring4shell Class detected,ctl:ruleEngine=On"
dune73 commented 8 months ago

Yes, exactly.

airween commented 1 month ago

@Shivam0609, @dune73 - is there anything here that we can do?