
Apache error_log not showing "ModSecurity: Access denied" when they exist in modsec_audit.log #3355

Closed
BassTeQ opened this issue Mar 24, 2025 · 8 comments
Labels
3.x Related to ModSecurity version 3.x pending feedback

Comments


BassTeQ commented Mar 24, 2025

Mod Security 3

I have an issue where the Apache error_log doesn't contain the ModSecurity: Access denied record that is shown in the modsec_audit.log.
If I do not change any config and just use modsecurity2, then it works fine, and the error_log contains the Access denied record.
Any ideas why it's missing?

Operating System
Bitnami package for WordPress 6.6.2-11
Debian GNU/Linux 12 (bookworm)

Curl Command
curl 'https://IP/?foo=/etc/passwd&bar=/bin/sh'

modsec_audit.log

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `1.2.3.4' ) [file "/etc/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "694"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "1.2.3.4"] [severity "4"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "removed.com"] [uri "/"] [unique_id "174277361972.139763"] [ref "o0,12o0,12v49,12"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "97"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:foo: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "removed.com"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "596"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "removed.com"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:cmdLine,t:normalizePatho1,6v26,7t:cmdLine,t:normalizePath"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `18' ) [file "/etc/crs4/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 18)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "removed.com"] [uri "/"] [unique_id "174277361972.139763"] [ref ""]

error_log

[Mon Mar 24 10:46:59.523585 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:^([\\d.]+|\\[[\\da-f:]+\\]|[\\da-f:]+)(:[\\d]+)?$)' against variable `REQUEST_HEADERS:Host' (Value: `1.2.3.4' ) [file "/etc/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "694"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "1.2.3.4"] [severity "4"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "removed.com"] [uri "/"] [unique_id "174277361972.139763"] [ref "o0,12o0,12v49,12"]
[Mon Mar 24 10:46:59.524888 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/etc/crs4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "97"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:foo: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "removed.com"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin"]
[Mon Mar 24 10:46:59.525165 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/etc/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "596"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "removed.com"] [uri "/"] [unique_id "174277361972.139763"] [ref "o1,10v10,11t:cmdLine,t:normalizePatho1,6v26,7t:cmdLine,t:normalizePath"]

Rule Set (please complete the following information):
coreruleset-4.11.0-minimal

Thank you!
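As an added check (example code written for this page, not from the issue author or the ModSecurity project): a small Python script that cross-references the two logs by the unique_id tag and lists every "Access denied" record that is present in modsec_audit.log but never reaches error_log, which is exactly the gap the post describes. The sample lines are constructed and shortened from the logs quoted above; the tag formats it parses are assumed to be the `[id "..."]` and `[unique_id "..."]` forms seen there.

```python
import re
from typing import Dict, Iterable

# Assumed formats, taken from the log lines quoted in the issue.
_DENIED = "ModSecurity: Access denied"
_UID_RE = re.compile(r'\[unique_id "([^"]+)"\]')
_ID_RE = re.compile(r'\[id "([^"]+)"\]')


def denied_ids(lines: Iterable[str]) -> Dict[str, str]:
    """Map unique_id -> blocking rule id for each 'Access denied' record."""
    out: Dict[str, str] = {}
    for line in lines:
        if _DENIED not in line:
            continue
        uid = _UID_RE.search(line)
        rid = _ID_RE.search(line)
        if uid:
            out[uid.group(1)] = rid.group(1) if rid else "?"
    return out


def missing_denials(audit_lines: Iterable[str], error_lines: Iterable[str]) -> Dict[str, str]:
    """Denials found in modsec_audit.log with no matching record in error_log."""
    audit = denied_ids(audit_lines)
    seen = set(denied_ids(error_lines))
    return {uid: rid for uid, rid in audit.items() if uid not in seen}


# Constructed sample lines (shortened from the issue's logs; not real traffic).
AUDIT_SAMPLE = [
    'ModSecurity: Warning. Matched "Operator `PmFromFile\' ..." [id "930120"] [unique_id "174277361972.139763"]',
    'ModSecurity: Access denied with code 403 (phase 2). ... [id "949110"] [unique_id "174277361972.139763"]',
    'ModSecurity: Access denied with code 403 (phase 2). ... [id "949110"] [unique_id "174277400000.139763"]',
]
ERROR_SAMPLE = [
    '[Mon Mar 24 10:46:59.523585 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] '
    'ModSecurity: Warning. ... [id "930120"] [unique_id "174277361972.139763"]',
    '[Mon Mar 24 10:47:10.000000 2025] [:error] [pid 600957:tid 601054] [client X.X.X.X:61522] '
    'ModSecurity: Access denied with code 403 (phase 2). ... [id "949110"] [unique_id "174277400000.139763"]',
]

if __name__ == "__main__":
    # Run against real files with: missing_denials(open(audit_path), open(error_path))
    for uid, rid in missing_denials(AUDIT_SAMPLE, ERROR_SAMPLE).items():
        print(f"unique_id {uid}: audit log has 'Access denied' (rule {rid}) but error_log does not")
```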

@BassTeQ BassTeQ added the 3.x Related to ModSecurity version 3.x label Mar 24, 2025

dune73 commented Mar 24, 2025

Please tell us about your exact engine version and the platform. As this seems to be ModSec 3, the connector version is also important.

And finally: A curl call to reproduce the behavior shown above would be perfect.

Also: This was all part of the bug template. Yet you removed it.


BassTeQ commented Mar 25, 2025

Hi @dune73, thank you, I've updated my original post with those details.

Yes, it's with Mod Security 3

LoadModule security3_module modules/mod_security3.so

How can I check the connector version?

Cheers


airween commented Mar 25, 2025

Yes, it's with Mod Security 3

@BassTeQ, this is very bad news.

Have you seen this notification? If you want to use Apache, please move to mod_security2.


BassTeQ commented Mar 26, 2025

Hi @airween, thanks. I was experimenting with v3 due to an issue with v2, which I think I've only just now resolved after a rebuild. I'm just running some tests.


airween commented Mar 26, 2025

@BassTeQ,

thanks - is there anything that we can do here? If not, could we close this issue?


BassTeQ commented Mar 26, 2025

@airween would you like me to build the latest v3 and run a test to see if the issue persists?


airween commented Mar 26, 2025

@airween would you like me to build the latest v3 and run a test to see if the issue persists?

Every test is welcome and a big help, so yes, thank you.

But I think the result won't be clear. I mean, if there is any issue, we can't decide what the root cause is: the library or the connector. But let's see.


BassTeQ commented Mar 27, 2025

I've run into some issues trying to get the new version working with my stack, so can't do any further testing.
Thanks for the assistance!
Cheers

@BassTeQ BassTeQ closed this as completed Mar 27, 2025