We are facing a problem where, in certain cases, ModSecurity is not tracking the blocking in the audit log, despite our having set it as a default action and the rule not having any logging property set. In the error log, we can see only the rule which was triggered because the anomaly score was reached, but nothing about the rules which actually counted towards the score. In some other cases, this information is visible.
In modsecurity.conf we have rule logging enabled:
SecAuditLogParts ABCIJDFHKZ
In crs-setup.conf we have default logging set to capture everything in both the error and audit logs:
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
We have also tried other combinations, like this setup:
SecDefaultAction "phase:2,pass, nolog,auditlog"
But nothing helped.
The only thing we can see in the log is this part from the error log, and when we need more details we have to enable debugging and redo the action. In the example below I have changed the IP addresses for security reasons.
2022/03/09 08:32:25 [error] 1149#1149: *13832 [client 1.1.1.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "139"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.1.0.1"] [uri "/favicon.ico"] [unique_id "1646811145"] [ref ""], client: 1.1.1.1, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com", referrer: "http://example.com/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%27"
We need to find a way to make sure every attempt will be logged into the audit log.
Thanks in advance for any help.
Peter
Comments (1)
It is a bug that is present in ModSecurity 3.0.6 when used along with Nginx.
The resolution is either not to use a custom
error_page
in the Nginx configuration, or to recompile the current solution with this fix: https://github.com/SpiderLabs/ModSecurity-nginx/pull/273
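Whichever of the two resolutions you take, you will want to confirm afterwards that a blocked request now carries its scoring rules in the log, and not only the 949110 block decision the post shows. The following Python script is an added example, not code from the post, the CRS or the ModSecurity project: it parses the bracketed fields of the ModSecurity v3 messages in the nginx error log, groups them by unique_id, and reports every request that hit rule 949110 together with the other rule ids logged for it. The first sample line is the error-log line from the post; the other two are constructed (including their rule text and unique_id) so that one request shows the healthy case, a 941100 match followed by the block, while the request from the post shows the symptom, a block with nothing behind it.

```python
import re
from collections import defaultdict

# Bracketed key/value fields as ModSecurity v3 writes them into the nginx error log,
# e.g. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"]
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
SCORE_RE = re.compile(r"Total Score: (\d+)")
# CRS inbound blocking-evaluation rule (REQUEST-949-BLOCKING-EVALUATION.conf)
BLOCKING_RULE_ID = "949110"


def parse_modsec_line(line):
    """Parse one nginx error-log line into a dict of its bracketed ModSecurity fields.

    Returns None for lines that are not ModSecurity messages. Repeated [tag "..."]
    fields are collected into a list under "tag"; every other key keeps its string.
    """
    if "ModSecurity:" not in line:
        return None
    fields = {"tag": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tag"].append(value)
        else:
            fields[key] = value
    return fields


def blocked_requests(lines):
    """Group messages by unique_id and, for every request that hit rule 949110,
    return its total anomaly score and the ids of the other rules logged for it.

    An empty "contributing" list is exactly the symptom from the post: a 403 whose
    scoring rules never reached the log.
    """
    by_request = defaultdict(list)
    for line in lines:
        fields = parse_modsec_line(line)
        if fields and "unique_id" in fields and "id" in fields:
            by_request[fields["unique_id"]].append(fields)

    report = {}
    for uid, entries in by_request.items():
        block = next((e for e in entries if e["id"] == BLOCKING_RULE_ID), None)
        if block is None:
            continue  # matched some rules but was never blocked
        score_match = SCORE_RE.search(block.get("msg", ""))
        report[uid] = {
            "score": int(score_match.group(1)) if score_match else None,
            "contributing": [e["id"] for e in entries if e["id"] != BLOCKING_RULE_ID],
        }
    return report


def unexplained_blocks(lines):
    """unique_ids of blocked requests for which no contributing rule was logged."""
    return sorted(uid for uid, r in blocked_requests(lines).items() if not r["contributing"])


# Sample input. The first line is the error-log line from the post (IPs already
# masked there); the remaining two are constructed for this example to show a
# request whose scoring rule (941100) did make it into the log before the block.
SAMPLE_LOG = [
    r'''2022/03/09 08:32:25 [error] 1149#1149: *13832 [client 1.1.1.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "139"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.1.0.1"] [uri "/favicon.ico"] [unique_id "1646811145"] [ref ""], client: 1.1.1.1, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com", referrer: "http://example.com/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%27"''',
    # constructed: the XSS rule that scored the second request
    r'''2022/03/09 08:33:01 [error] 1149#1149: *13840 [client 1.1.1.1] ModSecurity: Warning. Matched "Operator `DetectXSS' with parameter `' against variable `ARGS:q' (Value: `<script>alert(1)</script>' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "61"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q"] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [tag "attack-xss"] [hostname "10.1.0.1"] [uri "/"] [unique_id "1646811181"] [ref ""], client: 1.1.1.1, server: example.com, request: "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1", host: "example.com"''',
    # constructed: the block decision for that same request
    r'''2022/03/09 08:33:01 [error] 1149#1149: *13840 [client 1.1.1.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "139"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.4.0-dev"] [tag "attack-generic"] [hostname "10.1.0.1"] [uri "/"] [unique_id "1646811181"] [ref ""], client: 1.1.1.1, server: example.com, request: "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1", host: "example.com"''',
]

if __name__ == "__main__":
    for uid, r in blocked_requests(SAMPLE_LOG).items():
        print(uid, r)
    print("blocked without any scoring rule logged:", unexplained_blocks(SAMPLE_LOG))
```

Run it against a real error log with `blocked_requests(open("/var/log/nginx/error.log"))` after reproducing a block: if `unexplained_blocks` still lists unique_ids once the custom error_page is gone or the connector has been rebuilt, the logging gap is not the one the comment describes and needs a debug-log run as the post mentions.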