
I am running a web portal on a LAMP stack. I am facing an issue with an export button: when I click on the button it redirects to the Apache test page. When I comment out the #Include modsecurity.d/base_rules/*.conf line in mod_security it works fine.

I have added the value SecDebugLogLevel 9 and see there are several logs created with lots of rules. Can someone explain to me how to find the exact rule which is blocking my functionality?

1 Answer


Rules that fire will be in the standard Apache Error log and you should see an [id: XXXX] field which is the rule id that fired (950001 in this example) and the config file where that rule was defined (/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf in this example):

[Mon May 09 09:15:06.253373 2016] [-:error] [pid 25094:tid 140713241073408] [client 123.123.123.123:52197] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4| ..." at ARGS:utm_campaign. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: field( found within ARGS:utm_campaign:blah blah blaj"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.exmaple.com"] [uri "/"] [unique_id "VzBHCn8AAAEAAGIGrQcAAACE"]

More detail will be in the ModSecurity audit log (provided it's been configured), where you get the full detail of the request, and in section H you see the same line as above, which also includes the [id:XXXX] which fired:

--bc9c8737-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4| ..." at ARGS:utm_campaign. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: field( found within ARGS:utm_campaign: blah blah blah"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

Lots of detail will be in the ModSecurity debug log (again, provided it's been configured), but that runs through each rule so it's difficult to see the one that actually fired! To be honest you shouldn't be running with debug on unless you've a specific problem to debug, as it logs a lot of data for every request.

Barry Pollard
  • Thank you @BazzaDP. Yes, I have enabled Audit and Debug logs. But my question is how do we know the specific rule which is blocking my functionality? Is there any debugging techniques? – Suneel Kumar P May 09 '16 at 10:47
  • Added some more detail to my answer, which hopefully explains that. – Barry Pollard May 09 '16 at 10:58
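The answer's advice is to read the [id "..."], [file "..."], [line "..."] and "at ARGS:..." fields out of the Apache error log. Doing that by eye across many requests is tedious, so here is an added example (my own script, not from the answer or the ModSecurity project) that parses error-log lines in the format quoted above and groups them by rule id, separating rules that actually denied a request from ones that only logged a warning, and optionally restricting the view to one URI. The sample log text is constructed: the first line reproduces the page's 950001 hit with the long pattern shortened, the other two are made up, and 123456 is a placeholder rule id rather than a real CRS rule; /export is an assumed path for the export button.

```python
import re
from collections import Counter

# Constructed sample in the Apache error-log format shown in the answer.
# Line 1 mirrors the page's 950001 hit (pattern text shortened); lines 2 and 3
# are made up, and 123456 is a placeholder id, not a real CRS rule.
SAMPLE_LOG = r'''
[Mon May 09 09:15:06.253373 2016] [-:error] [pid 25094:tid 140713241073408] [client 123.123.123.123:52197] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:s(?:t(?:d ..." at ARGS:utm_campaign. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: field( found within ARGS:utm_campaign: blah blah blah"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "www.example.com"] [uri "/"] [unique_id "VzBHCn8AAAEAAGIGrQcAAACE"]
[Mon May 09 09:16:10.000001 2016] [-:error] [pid 25094:tid 140713241073408] [client 10.0.0.5:40001] [client 10.0.0.5] ModSecurity: Warning. Pattern match "placeholder" at ARGS:q. [file "/etc/modsecurity/base_rules/placeholder.conf"] [line "10"] [id "123456"] [msg "Placeholder rule"] [severity "WARNING"] [hostname "www.example.com"] [uri "/export"] [unique_id "CONSTRUCTED0000000000001"]
[Mon May 09 09:16:11.000002 2016] [-:error] [pid 25094:tid 140713241073408] [client 10.0.0.5:40002] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "placeholder" at ARGS:format. [file "/www/apache2/conf/modsecurity.d/crs/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/export"] [unique_id "CONSTRUCTED0000000000002"]
'''

# Quoted bracket fields such as [id "950001"]; values may contain \" and \\.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Whether the rule denied the request or only logged a warning.
ACTION_RE = re.compile(r'ModSecurity: (Access denied with code \d+|Warning)')
# The variable the operator matched, e.g. ARGS:utm_campaign.
VAR_RE = re.compile(r'" at (\S+?)\. \[')
# First unquoted [client ...] field (address:port).
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)')


def parse_line(line):
    """Return the ModSecurity fields from one error-log line, or None."""
    if "ModSecurity:" not in line:
        return None
    pairs = FIELD_RE.findall(line)
    fields = dict(pairs)  # repeated keys (tag) keep the last value
    action = ACTION_RE.search(line)
    var = VAR_RE.search(line)
    client = CLIENT_RE.search(line)
    return {
        "id": fields.get("id"),
        "msg": fields.get("msg"),
        "file": fields.get("file"),
        "line": fields.get("line"),
        "severity": fields.get("severity"),
        "uri": fields.get("uri"),
        "hostname": fields.get("hostname"),
        "unique_id": fields.get("unique_id"),
        "tags": [v for k, v in pairs if k == "tag"],
        "client": client.group(1) if client else None,
        "variable": var.group(1) if var else None,
        "blocked": bool(action) and action.group(1).startswith("Access denied"),
    }


def summarize(log_text, uri_filter=None):
    """Group hits by rule id, counting denials and warnings per rule."""
    hits = [h for h in (parse_line(l) for l in log_text.splitlines()) if h]
    if uri_filter is not None:
        hits = [h for h in hits if h["uri"] == uri_filter]
    summary = {}
    for h in hits:
        s = summary.setdefault(h["id"], {
            "msg": h["msg"], "file": h["file"], "line": h["line"],
            "blocked": 0, "warned": 0, "variables": Counter(),
        })
        s["blocked" if h["blocked"] else "warned"] += 1
        if h["variable"]:
            s["variables"][h["variable"]] += 1
    return summary


def blocking_rules(log_text, uri):
    """Rule ids that actually returned a denial for requests to `uri`."""
    return sorted(rid for rid, s in summarize(log_text, uri).items() if s["blocked"])


if __name__ == "__main__":
    for rid, s in summarize(SAMPLE_LOG).items():
        print(f'id {rid} "{s["msg"]}" denied={s["blocked"]} warned={s["warned"]}')
        print(f'    defined at {s["file"]}:{s["line"]}')
        print(f'    matched variables: {dict(s["variables"])}')
    print("rules denying /export:", blocking_rules(SAMPLE_LOG, "/export"))
```

Pointing this at the real error log and the URI the export button posts to narrows the search to the rules that returned a 403 for that request; the id plus the file and line tell you where the rule lives in the CRS, and the matched variable tells you which form field tripped it, which is what you need before deciding whether the rule should be tuned for that field or the input sanitised.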