Requests blocked in Phase 1 (Request Headers) do not appear in the audit log #170
Comments
|
@robinkb, see if victorhora@ac3e8a9 solves your issue. |
|
same problem here. |
|
@victorhora's patch did not solve the issue for you @theMiddleBlue ? |
|
just compiled now and @victorhora's patch works correctly. Thank you so much @zimmerle and @victorhora. Can this patch be merged to the master branch? |
In the queue. I will try to do it today. Thank you for having it tested. |
|
thanks! just an additional bit: before patching, I wasn't able to get any auditlog for each 403 response code from the upstream server (I mean even if the request didn't match any disruptive action). idk if it could help. |
|
Maybe I'm misunderstanding the issue. I have cloned the fix-auditlog-170-branch. I'm not seeing phase 1 logs when running the CRS 3.2 with Nginx 1.17.8, mod security 3.0.4 Only the test rule:
Neither will log to modsec_audit.log Maybe not related, but I have tried to get the debug log without success. it stays at 0 bytes. Can you help me, please? |
|
@victorhora @zimmerle after using the patched version of the nginx connector, I've a problem with a rule that I can't understand well. Sending the following request, nginx closes the connection before sending any response headers... any idea? it's a little bit odd, isn't it? debug log: from the nginx error logs: |
|
P.S. removing the rule: |
|
Do you happens to have the debug logs from Nginx? |
|
that's a tail from the nginx start to the request (error_log level debug): |
|
It seems that ModSecurity is taking a disruptive action on phase:1; While found a disruptive action it communicates it to Nginx, using the Nginx modules chain. Internally at that phase of the request, Nignx has nothing to do except close the request as the headers were not crafted yet. It is good that we manage to promptly close a bad request without allocating further resources. The flip side is that the rule explicitly requests a 403. |
|
I'm going to say something that will not help, but it seems something introduced with the recent commit related to the audit_log issue |
|
Yep. Apparently, it was introduced by the last commit. It seems that the first intention was to really wait till a point were the status: could be delivered, respecting what is written on the rule. That was buggy. On @victorhora's approach - giving the use case - the status: could be ignored. I am still thinking about what would be the best approach here: (a) delivery the code informed on status action; (b) close the request as soon as possible (as it was about phase:1) -- I would prefer to not create a compilation flag for it. |
|
in my setup, I always need to inform the user-agent about a block action (with a landing page that explain why it has been blocked) |
|
@zimmerle |
|
@theMiddleBlue don't have an answer now. I am going to investigate it a little deeper tomorrow. @victorhora it will be good with we have a chance to investigate this together. |
|
Hey @zimmerle , any news on this one? |
Still on the backlog. We had no time to dig into this yet. |
|
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days |
|
Nope, please don't close this one. |
|
The "nostale" tag has been set for this one too. I'll have another tab on this one :) |
victorhora
added
nostale
|
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days |
|
Given the 'nostale' tag, this item should not have been closed by the bot. |
|
Definitely. |
|
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days |
|
Here, some activity Mr. bot. |
|
Probleme still there any solution? |
|
Hi. Are there any updates on when a fix may be available? Many thanks |
|
I believe this change should have improved the case described here #170 (comment): I'm seeing correct behaviour with current master of the nginx connector: |
|
with 1.0.3 still no messages in modsec_audit.log that stem from eg CRS. I have one testrule that gets logged as only rule is not logged in modsec_audit.log BTW, the first entry is only logged with error log-level info. Shouldn't that also be an "error". |
|
@logopk , Regarding your second snippet (from nginx's error.log) and the log levels of the two lines: No. The first line is not an 'error' because that rule is not the one disrupting the traffic. Rule 949110 is 'error' because it is the one causing the 'deny'. I don't understand the rest of what you are asking. Please provide more detail. |
|
@martinhsv to clarify what I wanted to ask. As the TO I don't see any entries in the modsec_audit log. Because this was supposed to be fixed I wanted to let you know that I don't see any improvement in v1.0.3. The second snippet above is not logged in modsec_audit log. So I do not find any information why a request is blocked (together with the missing "info" log above, as I had set the nginx error log-level to warn before). |
|
@logopk , "I don't see any entries in the modsec_audit log." I just ran with this rule only: with request: And it produced this in audit_log: That does indeed suggest that the issue originally reported here is fixed. I separately activated the two relevant CRS files and then ran: ... and 942100 and 949110 were both reported in the audit log. |
|
But why not the rules in CRS in my system? |
|
I'm going to plan to close this issue. It seems, at minimum, that the original issue that opened this ticket was resolved years ago. Based on the comment by @defanator a year-and-a-half ago, I'm assuming that even the related issue (no response headers) has been resolved. If I am mistaken about that, feel free to open a new issue with a full description of the problem in current versions (of ModSecurity with ModSecurity-nginx). @logopk: I am going to suggest you use the debug log (at level 9) to see what's happening. If you cannot figure it out, feel free to open a separate issue. But, if you do so, please use the issue template and provide as much information as possible (including the debug log). |
|
Just one last question: CRS sets all anomaly actions to log but no noauditlog crs-setup.conf defines as default: From debug log I see that 949110 is not logging to auditlog. Could it be that the default is not applied? modsec 2.9.4 in apache logs 949110 to modsec_audit.log. How did you get 949110 to log? ---- Edit: and I get this in modsec_audit.log |
|
"modsec 2.9.4 in apache logs" You stated you are using version 1.0.3 of this Connector (ModSecurity-nginx) -- which is for use with ModSecurity v3 with nginx. But now you say that you're running ModSecurity v2.9.4 with Apache?!? |
|
I also run an apache server that I use to compare the results. |
|
Closing per my earlier comments. @logopk : Feel free to open an issue if you cannot discern what is happening, but please provide all relevant information if you do. |
Description
Requests that are blocked in Phase 1 (Request Headers) do not appear in the audit log. The rules are evaluated correctly, and block calls as expected. However, because they do not appear in the audit log, I am blind to a significant portion of possible disruptive actions in the ModSecurity CRS.
The issue is not present in the ModSecurity image based on Apache HTTPD. That is why I am reporting the issue here.
Steps to reproduce
Start the ModSecurity CRS container based on NGINX.
In another terminal, tail the audit log.
In yet another terminal, first confirm that the audit log works by triggering a warning. Then, confirm that the audit log does not work when the request is blocked by a rule in phase:1.
You can repeat the steps above with the Apache-based image, and see that the Apache-based image does not have this problem.
Environment
I tried to track down what software versions were used in the Docker image, which turned out to be quite difficult.
The exact Docker image that I tested is
docker.io/owasp/modsecurity-crs:v3.2-modsec3-nginx. Its Dockerfile is located here, in theSpiderLabs/owasp-modsecurity-crsrepository.There, I can see that the image is based on
docker.io/owasp/modsecurity:3.0-nginx. The Dockerfile of that image appears to be located here, in theCRS-support/modsecurity-dockerrepository.This is where it gets hairy, because both ModSecurity and ModSecurity-nginx are checked out directly from the tip of the
masterbranch. Additionally, the base image used for this Dockerfile isdocker.io/library/nginx:1, which is a floating tag that gets updated whenever a new mainline NGINX version is pushed.Using
docker inspect, I was able to determine that the image was built on the 29th of May, 2019.From there, I could check the commit logs of both projects to guess what version of the software is actually in the images.
ModSecurity-nginx has not had any development since January of this year, so I can quite confidently say that the actual version in the container image is
d7101e13685e, the current tip of themasterbranch. That is itself a bit funny, because ModSecurity-nginx has not been officially released since the 20th of December, 2017, nearly two years ago.ModSecurity itself is more actively developed, but based on the container image's timestamp, the actual version seems to be
6d266fae8549, which was the tip of thev3/masterbranch at the time.Besides the versions being difficult to track down, this also means that the official ModSecurity image contains software versions that have not seen actual releases.
Finally, the NGINX version was fairy easily tracked down by looking at the embedded version info.
The text was updated successfully, but these errors were encountered: