10GB ModSecurity File - Tons of 920100 Warnings. Need Help Understanding Rule Violation
Environment:
CRS 3.3.2 (and 4.0.0)
Paranoia Level: 1
ModSecurity 3.0.8
ModSecurity-nginx connector 1.0.3
Nginx 1.23.2
Ubuntu 22.04
CRS 920100 Warnings:
I had a question over at Stack Overflow about this: https://stackoverflow.com/questions/74269998/10gb-modsecurity-file-tons-of-920100-warnings-need-help-understanding-rule-vi/74322954#74322954 . The person who answered says this is a false positive and recommended that I report it here. They provided a detailed confirmation with the regex as well.
Basically, almost every webpage loaded causes the same type of error. This is an example part of the log:
---5jn0CgkO---H-- ModSecurity: Warning. Matched "Operator `Rx' with parameter `^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$' against variable `REQUEST_LINE' (Value: `GET /sale/kenwood-kac-6402-by-download-mauritron-221328-264064/ HTTP/2.0' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "47"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /sale/kenwood-kac-6402-by-download-mauritron-221328-264064/ HTTP/2.0"] [severity "4"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "***.***.***.***"] [uri "/sale/kenwood-kac-6402-by-download-mauritron-221328-264064/"] [unique_id "166725616876.036760"] [ref "v0,72"]
I'm fairly unversed in CRS error analysis or regex, but was hoping there was a way to fix the root cause. It sounds like I will have to write a custom exception to hide the 10GB of warnings. Note, this doesn't appear to be blocking users, but I had so many warnings showing up in my logs that all the disk space on the web server got used up and crashed everything.
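The check the Stack Overflow answer reportedly made can be reproduced offline, as an added example that is not part of the issue or of the CRS/ModSecurity projects: the regex from the logged 920100 warning is applied to the logged request line. It assumes the rule's negated form (`!@rx`, as in CRS 3.3) and that Python's `re` and PCRE agree on this particular pattern; the log entry is a constructed, shortened copy of the one above.

```python
import re

# Pattern copied from the 920100 warning in the issue (CRS 3.3.2). In the rule set it is
# applied to REQUEST_LINE with a negated operator ("!@rx"), so 920100 fires only when
# the request line does NOT match it.
CRS_920100_RX = re.compile(
    r"^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*"
    r"(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?"
    r"|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"
)

# The [key "value"] fields ModSecurity v3 appends to each error/audit entry.
FIELD_RX = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample: the entry from the issue, shortened to the fields used below.
SAMPLE_ENTRY = (
    'ModSecurity: Warning. Matched "Operator Rx" against variable REQUEST_LINE '
    '[file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "47"] [id "920100"] [msg "Invalid HTTP Request Line"] '
    '[data "GET /sale/kenwood-kac-6402-by-download-mauritron-221328-264064/ HTTP/2.0"] '
    '[severity "4"] [ver "OWASP_CRS/3.3.2"] [tag "paranoia-level/1"]'
)

def parse_audit_fields(entry: str) -> dict:
    """Collect the bracketed [key "value"] fields of one ModSecurity log entry."""
    return dict(FIELD_RX.findall(entry))

def rule_920100_fires(request_line: str) -> bool:
    """Replicate the negated rule: True means 920100 would flag this request line."""
    return CRS_920100_RX.match(request_line) is None

def triage_entry(entry: str) -> tuple:
    """Return (rule id, logged request line, whether the rule logic should fire).

    A 920100 entry whose [data] value the pattern accepts contradicts the rule's own
    logic, which points at the engine or connector rather than at the regex or the request.
    """
    fields = parse_audit_fields(entry)
    line = fields.get("data", "")
    return fields.get("id"), line, rule_920100_fires(line)

if __name__ == "__main__":
    rule_id, line, fires = triage_entry(SAMPLE_ENTRY)
    print(f"rule {rule_id}: {line!r} -> should fire: {fires}")  # should fire: False
    # The kind of line 920100 is meant to catch: a raw space inside the query string.
    print(rule_920100_fires("GET /search?q=hello world HTTP/1.1"))  # True
```

Run against a real log, a high count of 920100 entries whose `[data]` value the pattern accepts is a sign the engine, not the rule, is at fault; lines with a space inside the query string are the legitimate hits.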
Issue analytics: created a year ago; 51 comments (25 by maintainers).
Top GitHub Comments
@peppies @airween @theseion @dune73
I suspected it was an issue with one of the PCRE dependencies, so in order to reduce variables, I decided to reinstall without using the ondrej repository. Now I have everything working with Nginx 1.23.2, ModSecurity 3.0.8 and ModSecurity-nginx 1.0.3.
Also, I didn't have to touch my config files under /etc/nginx/modsec (including coreruleset-3.3.4, left alone).
How I did it:
Remove ondrej repository:
sudo add-apt-repository --remove ppa:ondrej/nginx-mainline
sudo apt update
sudo apt install ppa-purge
sudo ppa-purge ppa:ondrej/nginx-mainline
sudo apt clean
sudo apt autoremove
sudo apt update
Remove nginx installed from ondrej repository:
sudo apt remove nginx
sudo apt remove nginx-common
At this point there were some packages which showed error removing as still-in-use dependencies. List problem packages with:
sudo apt list libpcre* --installed
For example my list included …
libpcre16-3/now 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,local]
libpcre3-dev/now 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,local]
libpcre32-3/now 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,local]
libpcre3/now 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,local]
libpcrecpp0v5/now 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,local]
Then for each, show available version from ubuntu repository, example:
sudo apt list libpcre16-3 -a
Listing... Done
libpcre16-3/jammy-updates,jammy-security,now 2:8.39-13ubuntu0.22.04.1 amd64
libpcre16-3/jammy 2:8.39-13build5 amd64
Downgrade to version from jammy-updates repository:
sudo apt install libpcre16-3=2:8.39-13ubuntu0.22.04.1
Repeat for all (5 packages downgraded in my case).
# Add the nginx.org mainline repository (signed-by keyring plus apt pin) and install nginx from it
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx
sudo apt update
sudo apt install nginx
# Build dependencies for libmodsecurity
sudo apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev
# Build and install libmodsecurity from the v3/master branch
sudo rm -rf /usr/local/modsecurity
sudo rm -rf /usr/local/src/*
cd /usr/local/src
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
sudo make install
cd ..
# Build the ModSecurity-nginx connector as a dynamic module against the matching nginx source
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
wget http://nginx.org/download/nginx-1.23.2.tar.gz
tar zxvf nginx-1.23.2.tar.gz
cd nginx-1.23.2
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
cd ..
Ha! Found it!
It's a new check in ModSecurity v3.0.7, introduced in https://github.com/SpiderLabs/ModSecurity/commit/1aa7616c189cd12226c74755b35538f4937a135e.