Has anyone met this problem: modsec_audit.log does not show anything when a 403 Forbidden is detected #220

Closed
xx-zhang opened this issue Sep 16, 2020 · 6 comments

@xx-zhang

Have you seen modsec_audit.log not showing anything? For example:

docker run -it --rm --name=ngx  -p 8000:80  owasp/modsecurity-crs:3.3-nginx

docker exec -it  ngx  tail -f /var/log/modsec_audit.log

And then we can see that if we curl http://192.168.33.118:8080/?page=../../test_rfi, we get 403 Forbidden, but the modsec_audit log does not show anything.
What's the matter?

Best wishes to you.

@xx-zhang
Author

I changed modsecurity-nginx v1.0.1 -> 1.0.0 and that solved the problem, but setting detectOnly has no effect.

{"transaction":{"client_ip":"192.168.33.1","time_stamp":"Thu Sep 17 14:58:45 2020","server_id":"729f37d2889d305a54228dc5b632fcc73da051b3","client_port":27298,"host_ip":"192.168.33.1","host_port":8080,"unique_id":"160032592533.438534","request":{"method":"GET","http_version":1.1,"uri":"/?page=../../k111","body":"","headers":{"Host":"192.168.33.13:8080","Connection":"keep-alive","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Accept-Encoding":"gzip, deflate","Accept-Language":"zh-CN,zh;q=0.9"}},"response":{"http_code":403,"headers":{"Server":"nginx","Date":"Thu, 17 Sep 2020 06:58:45 GMT","Content-Length":"548","Content-Type":"text/html","Connection":"keep-alive"}},"producer":{"modsecurity":"ModSecurity v3.0.3 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"DetectionOnly","components":["OWASP_CRS/3.3.0\""]},"messages":[{"message":"Path Traversal Attack (/../)","details":{"match":"Matched \"Operator `Rx' with parameter `(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5 (400 characters omitted)' against variable `ARGS:page' (Value: `../../k111' )","reference":"o9,4v4,17o2,4v11,10","ruleId":"930100","file":"/apps/nginx/conf/modsec/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf","lineNumber":"29","data":"Matched Data: /../ found within ARGS:page: ../../k111","severity":"2","ver":"OWASP_CRS/3.3.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-lfi","paranoia-level/1","OWASP_CRS","capec/1000/255/153/126"],"maturity":"0","accuracy":"0"}}]}}

@zimmerle
Contributor

Hi @xx-zhang,

What is the version of your libModSecurity? Have you enabled the AuditLog?

@zimmerle zimmerle self-assigned this Sep 17, 2020
@xx-zhang
Author

@zimmerle I am using your OWASP Docker image, owasp/modsecurity-crs:3.3-nginx.

All the latest: modsecurity 304, modsecurity-nginx 1.0.1, nginx 1.17.9, crs330.

@xx-zhang
Author

Sorry @zimmerle, the setup where I met the second problem is modsecurity304, nginx1.18, modsecurity-nginx1.0.0. Thank you.

@xx-zhang
Author

redirect owasp-modsecurity/ModSecurity#2237
