owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Feature request: Limit the number of rules processed per request #3112

Open no-sec-marko opened 1 month ago

no-sec-marko commented 1 month ago

Description

A request will trigger many rules if it contains many special keywords. Each rule triggered per request is logged in MODSEC_AUDIT_LOG and ERRORLOG. As described in the "to reproduce" section, a single short request can trigger 125 rules: (SQLI=30, XSS=25, RFI=0, LFI=15, RCE=45, PHPI=10, HTTP=0, SESS=0, COMBINED_SCORE=141). The "attack string" can be improved and shortened and is only an example.

This behavior could lead to a DoS attack depending on the post-processing (e.g. SIEM or monitoring). Therefore, it would be great if it was possible to limit the number of rules processed per request to reduce the possibility of a successful DoS attack.

To Reproduce

Steps to reproduce the behavior:

Use the Docker compose script from OWASP CRS: docker-compose.yml

docker compose -f ./tests/docker-compose.yml up -d modsec2-apache

Run the following curl command to generate the output shown under "Logs and dumps":

curl -X POST --cookie "If=while(Process.spawn(1337)" --form 'a=1&authDomain=%27%60%22><%2fscript></title></style></textarea></noscript></template><script%2fsrc=https%3a%2f%2fsecurity-smarttecs.com%2fdata.js>%2f%2f&delete=%27%60%22><%2fscript></title></style></textarea></noscript></template>%3Cphp%3Ephpinfo%28%29%3B%3C%2Fphp%3E%5Cr%5Cn%5Ccrlf%5C%2522OR%25201%3D1%3B..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%26dos%3Dcom.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)' http://MODSEC-IP

Logs and dumps

Output of:

  1. Audit log
sudo grep ZgF9vvENo2IGM29MSPNYswAAAJc tests/logs/modsec2-apache/modsec_audit.log

modsec_audit.log

  2. Error log
grep ZgF9vvENo2IGM29MSPNYswAAAJc tests/logs/modsec2-apache/error.log

[Mon Mar 25 13:35:58.775771 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?:^([\\\\d.]+|\\\\[[\\\\da-f:]+\\\\]|[\\\\da-f:]+)(:[\\\\d]+)?$)" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "789"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.122.158"] [severity "WARNING"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.776667 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "((?:[~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>]*?){3})" at REQUEST_COOKIES:If. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1946"] [id "942421"] [msg "Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)"] [data "Matched Data: (Process.spawn(1337) found within REQUEST_COOKIES:If: while(Process.spawn(1337)"] [severity "WARNING"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.777457 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "%[0-9a-fA-F]{2}" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1425"] [id "920230"] [msg "Multiple URL Encoding Detected"] [data "1&authDomain=%27%60%22><%2fscript></title></style></textarea></noscript></template><script%2fsrc=https%3a%2f%2fsecurity-smarttecs.com%2fdata.js>%2f%2f&delete=%27%60%22><%2fscript></title></style></textarea></noscript></template>%3Cphp%3Ephpinfo%28%29%3B%3C%2Fphp%3E%5Cr%5Cn%5Ccrlf%5C%2522OR%25201%3D1%3B..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%26dos%3Dcom.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "WARNING"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/267/120"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.777631 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Found 2 byte(s) in ARGS:a outside range: 32-36,38-126. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1609"] [id "920272"] [msg "Invalid character in request (outside of printable chars below ascii 127)"] [data "ARGS:a=1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x5cr\\x5cn\\x5ccrlf\\x5c%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/3"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.777743 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Found 78 byte(s) in ARGS:a outside range: 38,44-46,48-58,61,65-90,95,97-122. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1815"] [id "920273"] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS:a=1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x5cr\\x5cn\\x5ccrlf\\x5c%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.778148 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?i)(?:[/\\\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\\\\.(?:%0[01]|\\\\?)?|\\\\?\\\\.?|%(?:2( ..." at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "53"] [id "930100"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: %2F..%2F found within ARGS:a: 1&authDomain=%27%60%22><%2fscript></title></style></textarea></noscript></template><script%2fsrc=https%3a%2f%2fsecurity-smarttecs.com%2fdata.js>%2f%2f&delete=%27%60%22><%2fscript></title></style></textarea></noscript></template>%3Cphp%3Ephpinfo%28%29%3B%3C%2Fphp%3E%5Cr%5Cn%5Ccrlf%5C%2522OR%25201%3D1%3B..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%26dos%3Dcom.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [t [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.778339 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: ;../ found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x5cr\\x5cn\\x5ccrlf\\x5c%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.778435 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within ARGS:a: 1&authdomain=`></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete=`></script></title></style></textarea></noscript></template><php>phpinfo() </php>rncrlf%22or%201=1 ../../../../../../etc/passwd&dos=com.java.bean.templateinjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.779233 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?i)(?:b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\ ..." at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "200"] [id "932235"] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: =open(../etc/passwd found within ARGS:a: 1&authDomain=%27%60%22><%2fscript></title></style></textarea></noscript></template><script%2fsrc=https%3a%2f%2fsecurity-smarttecs.com%2fdata.js>%2f%2f&delete=%27%60%22><%2fscript></title></style></textarea></noscript></template>%3Cphp%3Ephpinfo%28%29%3B%3C%2Fphp%3E%5Cr%5Cn%5Ccrlf%5C%2522OR%25201%3D1%3B..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%26dos%3Dcom.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [ [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.779926 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Matched phrase "etc/passwd" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "575"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: etc/passwd found within ARGS:a: 1&authdomain=%27%60%22><%2fscript></title></style></textarea></noscript></template><script%2fsrc=https%3a%2f%2fsecurity-smarttecs.com%2fdata.js>%2f%2f&delete=%27%60%22><%2fscript></title></style></textarea></noscript></etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.780272 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "\\\\s" at MATCHED_VAR. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "983"] [id "932200"] [msg "RCE Bypass Technique"] [data "Matched Data: '`\\x22></ found within ARGS:a: 1&authdomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x5cr\\x5cn\\x5ccrlf\\x5c\\x22or 1=1;../../../../../../etc/passwd&dos=com.java.bean.templateinjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-rce"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.780762 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?i)(?:^|b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0- ..." at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1375"] [id "932236"] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: =open(../etc/passwd found within ARGS:a: 1&authDomain=%27%60%22><%2fscript></title></style></textarea></noscript></template><script%2fsrc=https%3a%2f%2fsecurity-smarttecs.com%2fdata.js>%2f%2f&delete=%27%60%22><%2fscript></title></style></textarea></noscript></template>%3Cphp%3Ephpinfo%28%29%3B%3C%2Fphp%3E%5Cr%5Cn%5Ccrlf%5C%2522OR%25201%3D1%3B..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%26dos%3Dcom.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"]  [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.781483 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Matched phrase "phpinfo" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "297"] [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: phpinfo found within ARGS:a: 1&authDomain=%27%60%22><%2fscript></title></style></textarea></noscript></template><script%2fsrc=https%3a%2f%2fsecurity-smarttecs.com%2fdata.js>%2f%2f&delete=%27%60%22><%2fscript></title></style></textarea></noscript></template>%3Cphp%3Ephpinfo%28%29%3B%3C%2Fphp%3E%5Cr%5Cn%5Ccrlf%5C%2522OR%25201%3D1%3B..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%26dos%3Dcom.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.781718 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Matched phrase "(" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "549"] [id "933151"] [msg "PHP Injection Attack: Medium-Risk PHP Function Name Found"] [data "Matched Data: phpinfo found within ARGS:a: 1&authDomain=%27%60%22><%2fscript></title></style></textarea></noscript></template><script%2fsrc=https%3a%2f%2fsecurity-smarttecs.com%2fdata.js>%2f%2f&delete=%27%60%22><%2fscript></title></style></textarea></noscript></template>%3Cphp%3Ephpinfo%28%29%3B%3C%2Fphp%3E%5Cr%5Cn%5Ccrlf%5C%2522OR%25201%3D1%3B..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%26dos%3Dcom.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.781943 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "Process[\\\\s\\\\x0b]*\\\\.[\\\\s\\\\x0b]*spawn[\\\\s\\\\x0b]*\\\\(" at REQUEST_COOKIES:If. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf"] [line "173"] [id "934150"] [msg "Ruby Injection Attack"] [data "Matched Data: Process.spawn( found within REQUEST_COOKIES:If: while(Process.spawn(1337)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-ruby"] [tag "platform-multi"] [tag "attack-rce"] [tag "attack-injection-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.782000 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\\\\s\\\\x0b]*\\\\(" at REQUEST_COOKIES:If. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf"] [line "263"] [id "934101"] [msg "Node.js Injection Attack 2/2"] [data "Matched Data: spawn( found within REQUEST_COOKIES:If: while(Process.spawn(1337)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-javascript"] [tag "platform-multi"] [tag "attack-rce"] [tag "attack-injection-generic"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.782052 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\\\\s\\\\x0b]*\\\\(" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf"] [line "263"] [id "934101"] [msg "Node.js Injection Attack 2/2"] [data "Matched Data: open( found within ARGS:a: 1&authDomain=%27%60%22><%2fscript></title></style></textarea></noscript></template><script%2fsrc=https%3a%2f%2fsecurity-smarttecs.com%2fdata.js>%2f%2f&delete=%27%60%22><%2fscript></title></style></textarea></noscript></template>%3Cphp%3Ephpinfo%28%29%3B%3C%2Fphp%3E%5Cr%5Cn%5Ccrlf%5C%2522OR%25201%3D1%3B..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%26dos%3Dcom.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-javascript"] [tag "platform-multi"] [tag "attack-rce"] [tag "attack-injection-generic"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.782104 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\\\\s\\\\x0b]*\\\\(" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf"] [line "263"] [id "934101"] [msg "Node.js Injection Attack 2/2"] [data "Matched Data: open( found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x5cr\\x5cn\\x5ccrlf\\x5c%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-javascript"] [tag "platform-multi"] [tag "attack-rce"] [tag "attack-injection-generic"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.782151 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\\\\s\\\\x0b]*\\\\(" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf"] [line "263"] [id "934101"] [msg "Node.js Injection Attack 2/2"] [data "Matched Data: open( found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x0d\\x0acrlf%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-javascript"] [tag "platform-multi"] [tag "attack-rce"] [tag "attack-injection-generic"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.782284 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "100"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x0d\\x0acrlf%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.782339 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>[\\\\s\\\\S]*?" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "127"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script/src=https://security-smarttecs.com/data.js> found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x0d\\x0acrlf%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.782481 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?i)<[^0-9<>A-Z_a-z]*(?:[^\\\\s\\\\x0b\\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0- ..." at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "219"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: '`\\x22></script></title></style></textarea></noscript></template><script/src= found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x0d\\x0acrlf%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi" [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.782859 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?i)\\\\b(?:s(?:tyle|rc)|href)\\\\b[\\\\s\\\\S]*?=" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "853"] [id "941150"] [msg "XSS Filter - Category 5: Disallowed HTML Attributes"] [data "Matched Data: style></textarea></noscript></template><script/src= found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x0d\\x0acrlf%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.782937 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head ..." at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "969"] [id "941320"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <script% found within ARGS:a: 1&authdomain=%27%60%22><%2fscript></title></style></textarea></noscript></template><script%2fsrc=https%3a%2f%2fsecurity-smarttecs.com%2fdata.js>%2f%2f&delete=%27%60%22><%2fscript></title></style></textarea></noscript></template>%3cphp%3ephpinfo%28%29%3b%3c%2fphp%3e%5cr%5cn%5ccrlf%5c%2522or%25201%3d1%3b..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%26dos%3dcom.java.bean.templateinjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-m [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.783020 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'T(n(1' [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: T(n(1 found within REQUEST_COOKIES:If: while(Process.spawn(1337)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.783467 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Match of "streq %{TX.2}" against "TX:1" required. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "742"] [id "942131"] [msg "SQL Injection Attack: SQL Boolean-based attack detected"] [data "Matched Data: php>phpinfo found within ARGS:a: php"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.784084 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "((?:[~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>]*?){12})" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1315"] [id "942430"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)"] [data "Matched Data: &authDomain='`\\x22></script></title></style> found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x5cr\\x5cn\\x5ccrlf\\x5c%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "WARNING"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.784185 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "(?i)[\\"'`][\\\\s\\\\x0b]*?(?:(?:is[\\\\s\\\\x0b]+not|not[\\\\s\\\\x0b]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\\\\s\\\\x0b]+like)\\\\b|[%&\\\\*\\\\+\\\\-/<->\\\\^\\\\|])" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1509"] [id "942520"] [msg "Detects basic SQL authentication bypass attempts 4.0/4"] [data "Matched Data: \\x22> found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x5cr\\x5cn\\x5ccrlf\\x5c%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [ta [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.784279 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "((?:[~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>]*?){6})" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1803"] [id "942431"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)"] [data "Matched Data: &authDomain='`\\x22> found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x5cr\\x5cn\\x5ccrlf\\x5c%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "WARNING"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paran [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.784330 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "\\\\W{4}" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1833"] [id "942460"] [msg "Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters"] [data "Matched Data: ='`\\x22 found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x5cr\\x5cn\\x5ccrlf\\x5c%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "WARNING"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/3"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.784394 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Pattern match "((?:[~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>][^~!@#\\\\$%\\\\^&\\\\*\\\\(\\\\)\\\\-\\\\+=\\\\{\\\\}\\\\[\\\\]\\\\|:;\\"'\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98`<>]*?){2})" at ARGS:a. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1975"] [id "942432"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: &authDomain= found within ARGS:a: 1&authDomain='`\\x22></script></title></style></textarea></noscript></template><script/src=https://security-smarttecs.com/data.js>//&delete='`\\x22></script></title></style></textarea></noscript></template><php>phpinfo();</php>\\x5cr\\x5cn\\x5ccrlf\\x5c%22OR%201=1;../../../../../../etc/passwd&dos=com.java.bean.TemplateInjection&process.appendfile=open(../etc/passwd)"] [severity "WARNING"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-lev [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.784783 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "233"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 141)"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]
[Mon Mar 25 13:35:58.784997 2024] [security2:error] [pid 60:tid 140003602568896] [client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "98"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=141, detection=141, per_pl=58-61-11-11, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=30, XSS=25, RFI=0, LFI=15, RCE=45, PHPI=10, HTTP=0, SESS=0, COMBINED_SCORE=141)"] [ver "OWASP_CRS/4.1.0"] [tag "modsecurity"] [tag "reporting"] [tag "OWASP_CRS"] [hostname "192.168.122.158"] [uri "/"] [unique_id "ZgF9vvENo2IGM29MSPNYswAAAJc"]

Expected behavior

ModSecurity has the ability to limit the rules by using a parameter.

Server (please complete the following information):

Rule Set (please complete the following information): The following rule set was used (commit f2ab9c3063fece423e6a4156aad145f7f7e6ef96): CRS Rules

airween commented 1 month ago

Hi @no-sec-marko,

thanks for sharing your idea.

I have had a very similar idea: monitoring a preset TX (or any custom) variable, and if it reaches the threshold, then terminate the transaction.

If you want to look up the number of triggered rules, then it's a bit problematic this way, because you must provide a method for counting the triggered rules (e.g. I assume that if you use CRS, you don't want to count the rules from crs-setup.conf, REQUEST-901-INITIALIZATION.conf, nor from any exclusions config).

But maybe this idea can help you reduce the amount of unwanted triggering.

Please let me figure out how we can implement this, especially what would be the best way to configure these limits.

If anyone has an idea related to this feature, please share that here.

theseion commented 1 month ago

I'm not sure that the engine should stop processing rules. In CRS, the rule for blocking based on score is one of the last rules, so stopping processing would essentially skip blocking.

However, if post-processing is the issue, then it would suffice to limit the output to audit / error logs.

dune73 commented 1 month ago

I do not really like the monitoring of a preset variable from a conceptual viewpoint.

If you want to block when a certain rule is triggered, then issue a deny with the rule.

If you want to group rules together and block afterwards, then add a rule after the group and issue a deny in this group.

I also second what @theseion stated: With a scoring rule set you cannot simply stop processing, and if you use ModSec to display additional information about a request in the logs in phase 5, then stopping processing of a request effectively means you lack that information in the logs when you most need it.

I think this is a rules problem and it should be dealt with in the rules.

Circling back to the original reporter @no-sec-marko. Yes, this is a conceptual problem of every WAF. Given that the WAF logs a ton of information, it's like filling the access log of a webserver, but on steroids. You need to anticipate this when building your platform. The rule set could try to protect you, but the rule set is in a bad position to monitor its own execution and any monitoring would slow things down for the very rare case somebody tried to pull this off in the wild (I have never seen this obvious weakness being exploited).
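Three points in this thread fit one worked example on the post-processing side: airween's remark that counting triggered rules needs a rule for which hits count (setup, initialisation and exclusion rules should not), theseion's suggestion to tame the output rather than the engine, and dune73's point that the platform consuming the logs has to anticipate a request that trips 100+ rules. The script below is an added illustration, not ModSecurity or CRS code: it parses error-log lines in the format quoted above, groups them by `unique_id`, counts only detection-rule hits, and emits one summary event per transaction so a rule flood becomes one downstream record instead of one per rule. The set of files treated as bookkeeping rather than detection is a hypothetical policy choice, the `rule_limit` threshold is arbitrary, and the sample log lines are constructed (shortened tag lists, rule ids 901001/942100 chosen for realism only).

```python
import re

# Hypothetical policy: hits from these CRS files are bookkeeping, not detections,
# so they are not counted (setup/init per airween; blocking/correlation added here).
NON_DETECTION_FILES = {
    "crs-setup.conf",
    "REQUEST-901-INITIALIZATION.conf",
    "REQUEST-949-BLOCKING-EVALUATION.conf",
    "RESPONSE-980-CORRELATION.conf",
}

# `[key "value"]` fields as in the error log; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[([a-z_]+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')  # first form carries the port


def parse_alert(line):
    """Fields of one ModSecurity alert line, or None for any other log line.
    Repeated `[tag "..."]` fields become a list; `denied` marks the blocking decision."""
    if "ModSecurity:" not in line:
        return None
    fields = {"tag": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tag"].append(value)
        else:
            fields[key] = value
    if "unique_id" not in fields or "id" not in fields:
        return None
    client = CLIENT_RE.search(line)
    fields["client"] = client.group(1) if client else "-"
    fields["denied"] = "Access denied" in line
    return fields


def is_detection(alert):
    """True if the hit came from a detection rule file under the policy above."""
    fname = alert.get("file", "").rsplit("/", 1)[-1]
    return fname not in NON_DETECTION_FILES and "EXCLUSION" not in fname.upper()


def summarize(lines, rule_limit=20):
    """Group alerts by unique_id; flag transactions tripping more than rule_limit detection rules."""
    txns = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        txn = txns.setdefault(alert["unique_id"], {
            "client": alert["client"], "uri": alert.get("uri", "-"),
            "rules": [], "denied": False, "scores": None})
        if alert["denied"]:
            txn["denied"] = True
        if alert["id"] == "980170":  # CRS correlation rule: per-category scores (see log above)
            txn["scores"] = alert.get("msg")
        if is_detection(alert):
            txn["rules"].append(alert["id"])
    for txn in txns.values():
        txn["count"] = len(txn["rules"])
        txn["over_limit"] = txn["count"] > rule_limit
    return txns


def format_event(uid, txn):
    """One line per transaction for downstream tooling; rule ids joined, not one line each."""
    return ("modsec_txn uid={uid} client={client} uri={uri} rules={count} "
            "denied={denied:d} flood={flood:d} ids={ids}").format(
        uid=uid, client=txn["client"], uri=txn["uri"], count=txn["count"],
        denied=txn["denied"], flood=txn["over_limit"], ids=",".join(txn["rules"]) or "-")


# Constructed sample lines in the format quoted in the issue (tag list shortened).
_TEMPLATE = ('[Mon Mar 25 13:35:58.{us:06d} 2024] [security2:error] [pid 60:tid 1] '
             '[client 192.168.122.158:59728] [client 192.168.122.158] ModSecurity: {verdict}. '
             '{reason} [file "/etc/modsecurity.d/owasp-crs/rules/{file}"] [line "1"] '
             '[id "{rid}"] [msg "{msg}"] [severity "{sev}"] [ver "OWASP_CRS/4.1.0"] '
             '[tag "OWASP_CRS"] [hostname "192.168.122.158"] [uri "/"] [unique_id "{uid}"]')


def _line(us, file, rid, msg, uid, sev="WARNING", verdict="Warning",
          reason='Pattern match "((?:[~!@#]){12})" at ARGS:a.'):
    return _TEMPLATE.format(us=us, file=file, rid=rid, msg=msg, uid=uid,
                            sev=sev, verdict=verdict, reason=reason)


SAMPLE_LOG = [
    _line(1, "REQUEST-901-INITIALIZATION.conf", "901001", "init", "TXN-A",
          sev="NOTICE", reason="Unconditional match in SecAction."),
    _line(2, "REQUEST-942-APPLICATION-ATTACK-SQLI.conf", "942131",
          "SQL Injection Attack: SQL Boolean-based attack detected", "TXN-A", sev="CRITICAL"),
    _line(3, "REQUEST-942-APPLICATION-ATTACK-SQLI.conf", "942430",
          "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)", "TXN-A"),
    _line(4, "REQUEST-949-BLOCKING-EVALUATION.conf", "949110",
          "Inbound Anomaly Score Exceeded (Total Score: 8)", "TXN-A",
          verdict="Access denied with code 403 (phase 2)",
          reason="Operator GE matched 5 at TX:blocking_inbound_anomaly_score."),
    _line(5, "RESPONSE-980-CORRELATION.conf", "980170",
          "Anomaly Scores: (Inbound Scores: blocking=8, detection=8, per_pl=5-3-0-0, threshold=5)",
          "TXN-A", reason="Unconditional match in SecAction."),
    _line(6, "REQUEST-942-APPLICATION-ATTACK-SQLI.conf", "942100",
          "SQL Injection Attack Detected via libinjection", "TXN-B", sev="CRITICAL"),
    "[Mon Mar 25 13:36:00.000000 2024] [core:notice] [pid 1] AH00094: Command line: 'httpd'",
]

if __name__ == "__main__":
    for uid, txn in summarize(SAMPLE_LOG, rule_limit=1).items():
        print(format_event(uid, txn))
```

Note that the 980170 correlation line already carries the per-category scores for the whole transaction in a single message, so a consumer that keys on it (plus the 949110 blocking decision) and treats the individual rule warnings as detail to be counted rather than forwarded gets the bounded event volume this thread is asking for without the engine skipping any rule.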