5

I have configured modsecurity-nginx connector on Kubernetes Nginx Controller.

Currently, my objective to use ModSecurity WAF is to implemented in DetectionOnly mode as I don't want to start blocking everything right away. So to fulfil that I used below configuration in my Controller ConfigMaps.

enable-modsecurity: "true"
  modsecurity-snippet: |
    SecRuleEngine DetectionOnly
    SecAuditEngine On
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogFormat JSON
    SecAuditLogType Serial
    SecAuditLog /dev/stdout

To test this, I tried SQL injection attack in which I inserted a SQL query from client to my test application. But ModSecurity did not give any warning or any useful information in the logs which tells that an SQL query was inserted in the application. Below is the request which i sent and got logs respectively :

$ curl -ks -o /dev/null -w ‘%{http_code}’ “https://test-ingress-nginx.example.com/foo?username=1'%20or%20'1'%20=%20'”

Output : 404

Logs :
----    
{“transaction”:{“client_ip”:“192.xxx.xxx.xx",“time_stamp”:“Tue Feb 16 07:44:10 2021",“server_id”:“995f188ad543e6fcbcdbfb4c7a2c67327xxxxx",“client_port”:59455,“host_ip”:“10.x.xxx.xxx”,“host_port”:443,“unique_id”:“161346145098.924xxx",“request”:{“method”:“GET”,“http_version”:2.0,“uri”:“/foo?username=1'%20or%20'1'%20=%20'“,”headers”:{“host”:“test-ingress-nginx.example.com”,“user-agent”:“curl/7.64.1",“accept”:“*/*“}},“response”:{“body”:“<!DOCTYPE HTML PUBLIC \“-//IETF//DTD HTML 2.0//EN\“>\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL /foo was not found on this server.</p>\n<hr>\n<address>Apache/2.4.25 (Debian) Server at test-ingress-nginx.example.com Port 80</address>\n</body></html>\n”,“http_code”:404,“headers”:{“Server”:“”,“Server”:“”,“Date”:“Tue, 16 Feb 2021 07:44:10 GMT”,“Content-Length”:“306”,“Content-Type”:“text/html; charset=iso-8859-1”,“Connection”:“close”,“Strict-Transport-Security”:“max-age=15724800; includeSubDomains”}},“producer”:{“modsecurity”:“ModSecurity v3.0.4 (Linux)“,”connector”:“ModSecurity-nginx v1.0.1”,“secrules_engine”:“DetectionOnly”,“components”:[]},“messages”:[]}}

And If I change SecRuleEngine DetectionOnly to SecRuleEngine On then the error code changes and the logs shows why the request got blocked :

$ curl -ks -o /dev/null -w ‘%{http_code}’ “https://test-ingress-nginx.example.com/foo?username=1'%20or%20'1'%20=%20'”

Output : 403

Logs :
----
2021/02/16 07:35:11 [error] 8100#8100: *25411553 [client 192.xxx.xxx.xx] ModSecurity: Access denied with code 403 (phase 2). Matched “Operator `Ge’ with parameter `5' against variable `TX:ANOMALY_SCORE’ (Value: `5' ) [file “/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “80"] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)“] [data “”] [severity “2"] [ver “OWASP_CRS/3.3.0”] [maturity “0"] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “10.x.xxx.xxx"] [uri “/foo”] [unique_id “16134609114.611xxx"] [ref “”], client: 192.xxx.xx.xx, server: test-ingress-nginx.example.com, request: “GET /foo?username=1'%20or%20'1'%20=%20' HTTP/2.0", host: “test-ingress-nginx.example.com”

Issue : Is there a way I can get some useful information in the ModSecurity Logs, when I enable ModSecurity in Detection Only Mode, so that I can identify what kind of requests/threat are coming to my application and hence start writing Blocking rule for them.

Shourabh
  • 51
  • 3

2 Answers2

2

Core Rule Set Dev on Duty here. In your log output for 403 I see that you have ModSecurity configured with the OWASP Core Rule Set.

Your ModSecurity configuration seems to be correct, you have the correct SecAuditLogParts configured.

When I test this with the official CRS Docker container with exactly the same ModSecurity configuration I get the following output:

{"transaction":{"client_ip":"172.x.x.x","time_stamp":"Wed Jan 19 19:51:47 2022","server_id":"364905fd334fdd694cd3e0d02976eb3eb63f3790","client_port":46202,"host_ip":"172.x.x.x","host_port":80,"unique_id":"1642621907","request":{"method":"GET","http_version":1.1,"uri":"/foo?username=1'%20or%20'1'%20=%20'","headers":{"Host":"localhost","User-Agent":"curl/7.58.0","Accept":"*/*"}},"response":{"body":"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>\n","http_code":404,"headers":{"Server":"nginx/1.20.1","Date":"Wed, 19 Jan 2022 19:51:47 GMT","Content-Length":"233","Content-Type":"text/html","Access-Control-Allow-Origin":"*","Connection":"keep-alive","Access-Control-Allow-Credentials":"true"}},"producer":{"modsecurity":"ModSecurity v3.0.5 (Linux)","connector":"ModSecurity-nginx v1.0.2","secrules_engine":"DetectionOnly","components":["OWASP_CRS/3.4.0-dev\""]},"messages":[{"message":"","details":{"match":"detected SQLi using libinjection.","reference":"v18,13","ruleId":"942100","file":"/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf","lineNumber":"46","data":"","severity":"0","ver":"OWASP_CRS/3.4.0-dev","rev":"","tags":[],"maturity":"0","accuracy":"0"}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 5)","details":{"match":"Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )","reference":"","ruleId":"949110","file":"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf","lineNumber":"139","data":"","severity":"2","ver":"OWASP_CRS/3.4.0-dev","rev":"","tags":["${MODSEC_TAG}","application-multi","language-multi","platform-multi","attack-generic"],"maturity":"0","accuracy":"0"}}]}}

The difference between my and your output is:

  • Your messages array is empty
  • Components is empty as well

In my output I see the components: "OWASP_CRS/3.4.0-dev"" And the messages array contains two messages: one is the violated CRS rule 942100 and the blocking rule 949110.

As we see in the response from today, which shows a ModSecurity AuditLog in SecAuditLogFormat Native instead of SecAuditLogFormat JSON, the violated rules should be listed in SecAuditLogParts part H.

To confirm this I tested it in my environment and I can switch off the messages part with exactly this part H.

So I investigated further and I found some ModSecurity issues related to your problem.

These do not 1:1 explain your problem. A difference I see between the CRS rules is: The SQL injection rule that is triggered by your curl test is 942100 which has action block (not logged): https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L46

The blocking evaluation rule that blocks the request with id 949110 has action deny: https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-949-BLOCKING-EVALUATION.conf#L139.

As I said above this does not 1:1 explain your problem. But I suggest that you upgrade to the latest versions and test it again. Your post is 11 months old and the problem could have been resolved in the meantime because we see some ModSecurity issues and pull request related to this problem.

franbuehler
  • 435
  • 2
  • 8
0

I think you should get another related log:

For example, to see modsecurity logs in my case are here /var/log/modsec_audit.log

test.example.com.com XX.XX.XX.XX - [19/Jan/2022:15:21:55 +0000] "GET /?username=%27%20or%20%271%27%20=%20%27 HTTP/2.0" 302 34 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36" 164260571591.117736 - /var/log/audit//20220119/20220119-1521/20220119-152155-164260571591.117736 0 2445.000000 md5:ce36eaa04f4b030ca311b4a99c8595ef

If you check this log /var/log/audit//20220119/20220119-1521/20220119-152155-164260571591.117736, you will see the explanation:

---OgrdNLAz---A--
[19/Jan/2022:15:21:55 +0000] 164260571591.117736 XX.XX.XX.XX 48250 XX.XX.XX.XX 443
---OgrdNLAz---B--
GET /?username=%27%20or%20%271%27%20=%20%27 HTTP/2.0
sec-fetch-user: ?1
sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
sec-fetch-site: none
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
sec-ch-ua-mobile: ?0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-dest: document
sec-fetch-mode: navigate
host: test.example.com
accept-encoding: gzip, deflate, br
cookie: R_PCS=light; R_LOCALE=en-us; R_REDIRECTED=true; CSRF=4ae16bab4b; R_SESS=token-8tbxk:fbsq7zll8455gmbnlwkngcxvlztp2887j548cnkshc9q5vc9k5hb9r
accept-language: es-AR,es;q=0.9,pt-BR;q=0.8,pt;q=0.7,en-US;q=0.6,en;q=0.5,es-419;q=0.4

---OgrdNLAz---D--

---OgrdNLAz---E--
<a href="/dashboard/">Found</a>.\x0a\x0a

---OgrdNLAz---F--
HTTP/2.0 302
Server:
Server:
Date: Wed, 19 Jan 2022 15:21:55 GMT
Content-Length: 34
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Connection: close
Location: /dashboard/
X-Api-Cattle-Auth: true
Strict-Transport-Security: max-age=15724800; includeSubDomains

---OgrdNLAz---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:username: ' or '1' = '"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [hostname "XX.XX.XX.XX"] [uri "/"] [unique_id "164260571591.117736"] [ref "v15,12"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "XX.XX.XX.XX"] [uri "/"] [unique_id "164260571591.117736"] [ref ""]

---OgrdNLAz---I--

---OgrdNLAz---J--

---OgrdNLAz---Z--
mijhael3000
  • 113
  • 1
  • 7