
I have an issue with mod_security3 (ModSecurity v3) where the Apache error_log does not contain the `ModSecurity: Access denied` record that appears in modsec_audit.log. The request itself is still blocked (rule 949110 denies with a 403 in phase 2, as the audit log below shows); only the corresponding error_log line is missing. If I keep the configuration unchanged and simply switch back to mod_security2, it works fine and the error_log does contain the Access denied record.

Any ideas why it is missing?

modsec_audit.log (same request, unique_id 174277361972.139763):

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `1.2.3.4' ) [file "/etc/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "694"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "1.2.3.4"] [severity "4"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o0,12o0,12v49,12"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "97"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:foo: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "596"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:cmdLine,t:normalizePatho1,6v26,7t:cmdLine,t:normalizePath"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `18' ) [file "/etc/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 18)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref ""]

Apache error_log (same request; the three Warning entries are present but the Access denied entry is not):

[Mon Mar 24 10:46:59.523585 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\\d.]+|\\[[\\da-f:]+\\]|[\\da-f:]+)(:[\\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `1.2.3.4' ) [file "/etc/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "694"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "1.2.3.4"] [severity "4"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o0,12o0,12v49,12"]
[Mon Mar 24 10:46:59.524888 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "97"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:foo: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin"]
[Mon Mar 24 10:46:59.525165 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "596"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:cmdLine,t:normalizePatho1,6v26,7t:cmdLine,t:normalizePath"]

Ruleset: OWASP coreruleset-4.11.0-minimal

crs-setup.conf (relevant excerpt; the rest is the stock file):

# Default non-disruptive actions for request phases 1 and 2: write a message
# to the web server error log ("log"), record the transaction in the audit
# log ("auditlog") and continue processing ("pass"). Rules that do not set a
# disruptive action of their own therefore only log and score; the 403 seen
# in the audit log above is produced by rule 949110 in
# REQUEST-949-BLOCKING-EVALUATION.conf, not by these defaults.
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# -- [[ Paranoia Level Initialization ]] ---------------------------------------
# Unconditional rule (SecAction always matches) that sets the blocking
# paranoia level to 1. Every rule that fired in the logs above carries the
# paranoia-level/1 tag, consistent with this setting. "nolog" keeps this
# housekeeping rule out of both the error log and the audit log.
SecAction \
    "id:900000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.11.0',\
    setvar:tx.blocking_paranoia_level=1"

# -- [[ End of setup ]] --------------------------------------------------------
# Records the setup-file version (4.11.0 encoded as 4110) in
# tx.crs_setup_version; presumably consumed by the rule files to verify that
# a matching crs-setup.conf was loaded -- confirm against the 901 rule file.
SecAction \
    "id:900990,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.11.0',\
    setvar:tx.crs_setup_version=4110"

Thanks!

I have an issue with mod_security3 (ModSecurity v3) where the Apache error_log does not contain the `ModSecurity: Access denied` record that appears in modsec_audit.log. The request itself is still blocked (rule 949110 denies with a 403 in phase 2, as the audit log below shows); only the corresponding error_log line is missing. If I keep the configuration unchanged and simply switch back to mod_security2, it works fine and the error_log does contain the Access denied record.

Any ideas why it is missing?

modsec_audit.log (same request, unique_id 174277361972.139763):

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `1.2.3.4' ) [file "/etc/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "694"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "1.2.3.4"] [severity "4"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o0,12o0,12v49,12"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "97"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:foo: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "596"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:cmdLine,t:normalizePatho1,6v26,7t:cmdLine,t:normalizePath"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `18' ) [file "/etc/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 18)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref ""]

Apache error_log (same request; the three Warning entries are present but the Access denied entry is not):

[Mon Mar 24 10:46:59.523585 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\\d.]+|\\[[\\da-f:]+\\]|[\\da-f:]+)(:[\\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `1.2.3.4' ) [file "/etc/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "694"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "1.2.3.4"] [severity "4"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o0,12o0,12v49,12"]
[Mon Mar 24 10:46:59.524888 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "97"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:foo: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin"]
[Mon Mar 24 10:46:59.525165 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "596"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "removed"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:cmdLine,t:normalizePatho1,6v26,7t:cmdLine,t:normalizePath"]

Ruleset: OWASP coreruleset-4.11.0-minimal

crs-setup.conf (relevant excerpt; the rest is the stock file):

# Default non-disruptive actions for request phases 1 and 2: write a message
# to the web server error log ("log"), record the transaction in the audit
# log ("auditlog") and continue processing ("pass"). Rules that do not set a
# disruptive action of their own therefore only log and score; the 403 seen
# in the audit log above is produced by rule 949110 in
# REQUEST-949-BLOCKING-EVALUATION.conf, not by these defaults.
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# -- [[ Paranoia Level Initialization ]] ---------------------------------------
# Unconditional rule (SecAction always matches) that sets the blocking
# paranoia level to 1. Every rule that fired in the logs above carries the
# paranoia-level/1 tag, consistent with this setting. "nolog" keeps this
# housekeeping rule out of both the error log and the audit log.
SecAction \
    "id:900000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.11.0',\
    setvar:tx.blocking_paranoia_level=1"

# -- [[ End of setup ]] --------------------------------------------------------
# Records the setup-file version (4.11.0 encoded as 4110) in
# tx.crs_setup_version; presumably consumed by the rule files to verify that
# a matching crs-setup.conf was loaded -- confirm against the 901 rule file.
SecAction \
    "id:900990,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.11.0',\
    setvar:tx.crs_setup_version=4110"

Thanks!



CRS dev-on-duty here. Someone opened an issue in the ModSecurity GitHub repository. Was that you? In any case, please follow the discussion there: https://github.com/owasp-modsecurity/ModSecurity/issues/3355 — note that the block itself is being enforced (your audit log shows rule 949110 denying with a 403), so this is a logging gap rather than a bypass; if anything downstream (alerting, fail2ban-style banning) keys on the `Access denied` line in error_log, it will miss these blocks until the issue is resolved, so treat the audit log as the source of truth in the meantime.
