Json log messages not received the dos-attack rule msg

[gmctl]

Describe the bug

JSON log messages not received the dos-attack rule msg;
the log of modsec_audit work well except for the log of dos-attack that it can intercept but not code the 912-dos-attack to log-messages.

A clear and concise description of what the bug is.

Logs and dumps

Output of:

1. DebugLogs (level 9)

2. AuditLogs

• modsec_audit.log

{"transaction":{"client_ip":"127.0.0.1","time_stamp":"Tue Oct  1 19:57:01 2019","server_id":"f40be80333c37672e8c192ce2843a64721701529","client_port":50482,"host_ip":"127.0.0.1","host_port":2380,"unique_id":"156997422142.938766","request":{"method":"GET","http_version":1.0,"uri":"/","headers":{"Host":"localhost:2380","User-Agent":"ApacheBench/2.3","Accept":"*/*"}},"response":{"http_code":403,"headers":{"Server":"nginx","Date":"Tue, 01 Oct 2019 23:57:01 GMT","Content-Length":"554","Content-Type":"text/html","Connection":"close"}},"producer":{"modsecurity":"ModSecurity v3.0.3 (Linux)","connector":"ModSecurity-nginx v1.0.0","secrules_engine":"Enabled","components":["OWASP_CRS/3.1.0\""]},"messages":[]}}

3. Error logs

• nginx/error.log

2019/10/01 19:58:01 [error] 11#0: *761 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Eq' with parameter `1' against variable `IP:127.0.0.1_d9b252bcadfb7e5c254cd1395e8f7c230b1ae3c6::::DOS_BLOCK' (Value: `1' ) [file "/opt/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf"] [line "123"] [id "912130"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-dos"] [hostname "127.0.0.1"] [uri "/"] [unique_id "156997428182.004145"] [ref ""], client: 127.0.0.1, server: waf_default, request: "GET / HTTP/1.0", host: "localhost:2380"

4. If there is a crash, the core dump file.

Notice: Be carefully to not leak any confidential information.

To Reproduce

Steps to reproduce the behavior:

A curl command line that mimics the original request and reproduces the problem. Or a ModSecurity v3 test case.

[e.g: curl "modsec-full/ca/..\..\..\..\..\..\/\etc/\passwd" or issue-394.json]

Expected behavior

A clear and concise description of what you expected to happen.

The json-log run well except for 912* dos rules, what can i do to make the log-msg to modsec-audit.log messages.

Server (please complete the following information):

• ModSecurity version (and connector): [e.g. ModSecurity v3.0.1 with nginx-connector v1.0.0]
• WebServer: [e.g. nginx-1.15.5]
• OS (and distro): [e.g. Linux, archlinux]
• centos7 + tengine2.3.2(nginx1.17)
• {"modsecurity":"ModSecurity v3.0.3 (Linux)","connector":"ModSecurity-nginx v1.0.0","secrules_engine":"Enabled","components":["OWASP_CRS/3.1.0""]

Rule Set (please complete the following information):

• Running any public or commercial rule set? [e.g. SpiderLabs commercial rules]
• What is the version number? [e.g. 2018-08-11]

Additional context

Add any other context about the problem here.

[gmctl]

Is the matter phaser:1 log will not produced in JSON format Log.

[gmctl]

• modsec_audit.log

the other rule like 930110 runed will and code the intercepter reason.

{"transaction":{"client_ip":"127.0.0.1","time_stamp":"Tue Oct  1 20:13:48 2019","server_id":"f40be80333c37672e8c192ce2843a64721701529","client_port":51004,"host_ip":"127.0.0.1","host_port":2380,"unique_id":"156997522845.201161","request":{"method":"GET","http_version":1.1,"uri":"/?page=../","headers":{"Host":"127.0.0.1:2380","User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0","Cookie":"sid=Fe26.2**80d5adba0ce49a0f16ee14321ed57f4701b29c4455925bc3cf3049188d1ee157*i5Mr80O7SMjJbN8HD-4ung*e4MBwcuyR8f6YWlLFC-BxYW2p__3U-JWbtF28tty6DTUBgqOreNqE36mN6Z8ZIOsg954Pro33bOAG2uERb5F2KYt4fLMfzniFdPcIzZ-gvpT1m_4RCwo-gEi3nUzrOnJj7mnVPUYaIEBXxy71_tU1g**54b1b4666e0bf4266c49d5ff750d86cb331404b71f09c8050ea87b9186492384*83eKDEe7_hrOUwRKm8Fic_WLd2w93u2huQEGCq7qOrI","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate","Connection":"keep-alive","Upgrade-Insecure-Requests":"1"}},"response":{"http_code":302,"headers":{"Server":"nginx","Date":"Wed, 02 Oct 2019 00:13:48 GMT","Content-Length":"215","Content-Type":"text/html","Access-Control-Allow-Origin":"*","Connection":"keep-alive","Location":"/403_forbidden.html","Access-Control-Allow-Headers":"X-Requested-With"}},"producer":{"modsecurity":"ModSecurity v3.0.3 (Linux)","connector":"ModSecurity-nginx v1.0.0","secrules_engine":"Enabled","components":["OWASP_CRS/3.1.0\""]},"messages":[{"message":"Path Traversal Attack (/../)","details":{"match":"Matched \"Operator `Pm' with parameter `..\\ ../' against variable `REQUEST_URI' (Value: `/?page=../' )","reference":"o7,3v4,10","ruleId":"930110","file":"/opt/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf","lineNumber":"52","data":"Matched Data: ../ found within REQUEST_URI: /?page=../","severity":"2","ver":"OWASP_CRS/3.1.0","rev":"","tags":[],"maturity":"0","accuracy":"0"}}]}}

[martinhsv]

Hello @gmctl

If I've understood you correctly, you're asking why CRS rule 912130 does not result in ModSecurity audit log output. The short answer is that the rule specifically has 'nolog' as one of its actions. Note also the comment before the rule: 'Block and track # of requests but don't log'. If you read the comments at the top of the file there's also a note about the reason ('to prevent a flood of alerts').

If you want to inquire about why CRS rules are structured the way they are, a better forum for that is the CRS project: https://github.com/SpiderLabs/owasp-modsecurity-crs

[gmctl]

@martinhsv yes, thank you!

[xx-zhang]

@majordaw i have found that the dos-attack log will produced if i don't set SecAuditLogFormat JSON; but i think there is many difference with JSON and ABFH log. what's the best way to set, can you give some advice.

[majordaw]

Hi @xx-zhang,

I haven't played with SecAuditLogFormat option yet. I guess you wanted to ask @martinhsv. ;)