ModSecurity 3 and NginX-Connector only logging with SecRuleEngine On #68


Closed
aadlung opened this issue Sep 19, 2017 · 2 comments
aadlung commented Sep 19, 2017

Not sure where this fits best, hence I post it as a duplicate of owasp-modsecurity/ModSecurity#1568

I've set up ModSecurity 3 including the nginx connector. If I turn it on for testing with SecRuleEngine On - I get the audit log, and debug log, and blocking requests if rules match.

If I just use SecRuleEngine DetectionOnly I do not get any audit or error log.

Is this "as designed", or anything that needs to be turned on in addition? Even test rules do not trigger any logs, even with SecAuditEngine On.

[4] Initializing transaction
[4] Transaction context created.
[4] Starting phase CONNECTION. (SecRules 0)
[9] This phase consists of 0 rule(s).
[4] Starting phase URI. (SecRules 0 + 1/2)
[4] Adding request argument (GET): name "testparam", value "test"
[4] Starting phase REQUEST_HEADERS.  (SecRules 1)
[9] This phase consists of 4 rule(s).
[4] (Rule: 1234) Executing operator "Contains" with param "test" against ARGS:testparam.
[9] Target value: "test" (Variable: ARGS:testparam)
[9] Matched vars updated.
[9] Rule contains a `pass' action
[4] Running [independent] (non-disruptive) action: log
[9] Saving transaction to logs
[4] Rule returned 1.
[4] Not running disruptive action: pass. SecRuleEngine is not On
[4] Running (non-disruptive) action: auditlog
[4] (Rule: 200000) Executing operator "Rx" with param "(?:application(?:/soap\+|/)|text/)xml" against REQUEST_HEADERS:Content-Type.
[4] Rule returned 0.
zimmerle self-assigned this Nov 20, 2017

zimmerle (Contributor) commented:
Hi @aadlung,

I've found scenarios where ModSecurity configuration was placed into a given location block and the site was configured elsewhere. In that scenario the configuration for ModSecurity won't be triggered because the end application was not configured within ModSecurity. Whenever there was an intervention, ModSecurity kept the request in its scope, therefore generating the logs.

Is that the case? Can you paste your configuration file? In your logs the request stops in the request headers; that is why I believe that your request was redirected elsewhere.

I am going to close the issue assuming that this is your scenario. But please confirm by posting your configuration files.


aadlung commented Nov 20, 2017

Hello @zimmerle, you are right. I configured ModSecurity in the server block, as I wanted to have it run "globally" - and below I included all the config location blocks (for PHP, images and so on).
So that's exactly your case; it seems ModSecurity needs to be configured in a block where the application requests are really "processed".
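As an added illustration (not configuration posted by the reporter or shipped by the ModSecurity-nginx project), the following nginx server block shows the outcome the thread arrives at: the ModSecurity directives are placed in the location block that actually hands the request to the application, rather than only at server level. The engine settings are inlined with `modsecurity_rules` so the block is self-contained; the test rule is reconstructed from the debug log above (rule id 1234, phase 1, `@contains test` on `ARGS:testparam`, `pass,log,auditlog`). The host name, log paths and the PHP-FPM socket are placeholders.

```nginx
# Added example, not from the issue. Assumptions: host name, log paths and
# the php-fpm socket are placeholders; the test rule is reconstructed from
# the debug log quoted in the issue.

server {
    listen 80;
    server_name example.test;          # placeholder host
    root /var/www/html;

    # The reporter's original setup had the modsecurity directives only here,
    # at server level, while the location blocks below handled the requests.
    # In DetectionOnly mode that produced no audit or error log entries.

    # Location that really processes application requests: enable the engine
    # here. DetectionOnly evaluates rules and writes audit/debug logs but
    # never runs disruptive actions, so nothing is blocked while you verify
    # the rule set.
    location ~ \.php$ {
        modsecurity on;
        modsecurity_rules '
            SecRuleEngine DetectionOnly
            SecAuditEngine On
            SecAuditLog /var/log/modsec/audit.log
            SecAuditLogParts ABIJDEFHZ
            SecDebugLog /var/log/modsec/debug.log
            SecDebugLogLevel 9
            SecRule ARGS:testparam "@contains test" "id:1234,phase:1,pass,log,auditlog"
        ';

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Static content served straight from disk: add the same directives here
    # too if these requests should be inspected and logged as well.
    location ~* \.(png|jpg|css|js)$ {
        expires 7d;
    }
}
```

To check the setup, request `/index.php?testparam=test` and confirm that the audit log receives an entry and the debug log shows rule 1234 matching with "Not running disruptive action: pass. SecRuleEngine is not On", as in the log above; only after that should `SecRuleEngine` be switched to `On`.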
