ModSecurity (in DetectionOnly mode) is not giving useful Logs/Warnings

Solution 1:

Core Rule Set Dev on Duty here. In your log output for 403 I see that you have ModSecurity configured with the OWASP Core Rule Set.

Your ModSecurity configuration seems to be correct, you have the correct SecAuditLogParts configured.

When I test this with the official CRS Docker container with exactly the same ModSecurity configuration I get the following output:

{"transaction":{"client_ip":"172.x.x.x","time_stamp":"Wed Jan 19 19:51:47 2022","server_id":"364905fd334fdd694cd3e0d02976eb3eb63f3790","client_port":46202,"host_ip":"172.x.x.x","host_port":80,"unique_id":"1642621907","request":{"method":"GET","http_version":1.1,"uri":"/foo?username=1'%20or%20'1'%20=%20'","headers":{"Host":"localhost","User-Agent":"curl/7.58.0","Accept":"*/*"}},"response":{"body":"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>\n","http_code":404,"headers":{"Server":"nginx/1.20.1","Date":"Wed, 19 Jan 2022 19:51:47 GMT","Content-Length":"233","Content-Type":"text/html","Access-Control-Allow-Origin":"*","Connection":"keep-alive","Access-Control-Allow-Credentials":"true"}},"producer":{"modsecurity":"ModSecurity v3.0.5 (Linux)","connector":"ModSecurity-nginx v1.0.2","secrules_engine":"DetectionOnly","components":["OWASP_CRS/3.4.0-dev\""]},"messages":[{"message":"","details":{"match":"detected SQLi using libinjection.","reference":"v18,13","ruleId":"942100","file":"/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf","lineNumber":"46","data":"","severity":"0","ver":"OWASP_CRS/3.4.0-dev","rev":"","tags":[],"maturity":"0","accuracy":"0"}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 5)","details":{"match":"Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )","reference":"","ruleId":"949110","file":"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf","lineNumber":"139","data":"","severity":"2","ver":"OWASP_CRS/3.4.0-dev","rev":"","tags":["${MODSEC_TAG}","application-multi","language-multi","platform-multi","attack-generic"],"maturity":"0","accuracy":"0"}}]}}

The difference between my and your output is:

  • Your messages array is empty
  • Components is empty as well

In my output I see the components: "OWASP_CRS/3.4.0-dev"". And the messages array contains two messages: one is the violated CRS rule 942100, the other the blocking rule 949110.

As we see in the response from today, which shows a ModSecurity AuditLog in SecAuditLogFormat Native instead of SecAuditLogFormat JSON, the violated rules should be listed in SecAuditLogParts part H.

To confirm this I tested it in my environment and I can switch off the messages part with exactly this part H.

So I investigated further and I found some ModSecurity issues related to your problem.

  • https://github.com/SpiderLabs/ModSecurity-nginx/pull/175
  • https://github.com/SpiderLabs/ModSecurity/issues/2000

These do not 1:1 explain your problem. A difference I see between the CRS rules is: the SQL injection rule that is triggered by your curl test is 942100, which has action block (not logged): https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L46

The blocking evaluation rule that blocks the request with id 949110 has action deny: https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-949-BLOCKING-EVALUATION.conf#L139.

As I said above, this does not 1:1 explain your problem. But I suggest that you upgrade to the latest versions and test it again. Your post is 11 months old and the problem could have been resolved in the meantime, because we see some ModSecurity issues and pull requests related to this problem.
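A small script, added here and not part of the answer or of ModSecurity/CRS, that parses a JSON audit-log entry the way the comparison above does and reports the differences the answer points to (empty messages, empty components, part H missing from SecAuditLogParts). The two entries are constructed samples trimmed to the fields discussed; field names follow the entry quoted above.

```python
import json

# Constructed sample, trimmed to the fields the answer discusses; the rule ids
# and producer values mirror the entry quoted in the answer.
SAMPLE_WITH_MESSAGES = json.dumps({"transaction": {
    "unique_id": "1642621907",
    "request": {"method": "GET", "uri": "/foo?username=1'%20or%20'1'%20=%20'"},
    "response": {"http_code": 404},
    "producer": {"modsecurity": "ModSecurity v3.0.5 (Linux)",
                 "secrules_engine": "DetectionOnly",
                 "components": ["OWASP_CRS/3.4.0-dev\""]},
    "messages": [
        {"message": "", "details": {"ruleId": "942100", "severity": "0",
                                    "match": "detected SQLi using libinjection."}},
        {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
         "details": {"ruleId": "949110", "severity": "2"}}]}})

# Constructed sample reproducing the asker's symptom: empty messages and components.
SAMPLE_EMPTY = json.dumps({"transaction": {
    "unique_id": "1", "request": {"method": "GET", "uri": "/foo"},
    "response": {"http_code": 403},
    "producer": {"modsecurity": "ModSecurity v3.0.5 (Linux)",
                 "secrules_engine": "DetectionOnly", "components": []},
    "messages": []}})


def summarize(entry_line):
    """Return engine mode, reported components, fired rule ids and response status."""
    tx = json.loads(entry_line)["transaction"]
    producer = tx.get("producer", {})
    return {
        "engine": producer.get("secrules_engine"),
        "components": producer.get("components", []),
        "rule_ids": [m["details"]["ruleId"] for m in tx.get("messages", [])],
        "status": tx.get("response", {}).get("http_code"),
    }


def diagnose(entry_line, audit_log_parts):
    """List the reasons, taken from the answer above, an entry could carry no rule messages."""
    s = summarize(entry_line)
    findings = []
    if "H" not in audit_log_parts:  # part H is where the rule messages are written
        findings.append("SecAuditLogParts lacks part H, so rule messages are never written")
    if not s["components"]:
        findings.append("components is empty: no CRS version is being reported")
    if not s["rule_ids"] and s["status"] == 403:
        findings.append("403 with no messages: compare against the linked ModSecurity issues")
    return findings
```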