Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Scanner detection not worked on modsecurity 3.x if SecRequestBodyAccess is Off

See original GitHub issue

Describe the bug

I have a little problem with moving from modsecurity 2.9.3 on Apache to modsecurity 3.0.4 on nginx. For checking I do request with curl like: curl -H "User-Agent: Nikto" [my_host]

In my configuration i use “SecRequestBodyAccess Off”. This needed to make fastest checks and go further.

When I use ruleset with modsecurity 2.9.3 on Apache with “SecRequestBodyAccess Off” all works fine. Rule with id 913100 from REQUEST-913-SCANNER-DETECTION.conf block my request. When I use modsecurity 3.0.4 on nginx this rule doesn’t block my request. Seems like rule 913100 don’t be executed in this case at all (based on modsecurity logs: “[160585442791.933958] [/] [4] Request body processing is disabled”).

Background.

As far as i could see behaviour of SecRequestBodyAccess was changed in modsecurity 3.x against modsecurity 2.x. At modsecurity 2 this parameter just avoid reading of request body, but rules at phase 2 works if they don’t depend on request body. But since version 3 if this parameter if Off, any rules in phase 2 just dropped. For some reason rules in REQUEST-913-SCANNER-DETECTION.conf file checks REQUEST_HEADERS, but placed to phase 2. Not sure why, maybe someone can help with it?

Proposal.

Seems like there can be fixed with moving this rules (that checks only request headers, but not request body) from phase 2 to phase 1. I could try to make PR about it if this is fine from your point of view.

Steps to reproduce

Use modsecurity 3.0.4 with nginx
Add “SecRequestBodyAccess Off” to modsecurity configuration
Make request: curl -H "User-Agent: Nikto" [my_host]
Request passed, nothing in modsecurity audit log.

Expected behaviour

Request is blocked just like in case with apache and modsecurity 2.x.

Actual behaviour

Request passed, nothing in modsecurity audit log.

Your Environment

Ruleset version: 3.0.2, also checked on 3.4/dev branch with same result. Paranoia level: 1 ModSecurity version: 3.0.4 nginx version: nginx/1.18.0 OS: CentOS-7

Issue Analytics

State:
Created 3 years ago
Comments:6 (4 by maintainers)

Top GitHub Comments

1reaction

airweencommented, Dec 4, 2020

Hi @SandakovMM,

I checked ruleset with your fix. Original problem is fixed as far as I could see. With this ruleset I get messages from rule 913100 in audit log. Thank you for a fix again 😃

You’re welcome - it’s good to see that helped to you.

But there is another problem. When I using ruleset with modsecurity 2.9.4 on apache, request is blocked with code 403. But not in case with modsecurity 3.x + nginx. I made a little research about it. Seems like base problem is same: phase 2 rules not executed. Based on audit log from apache, I found out that request is blocked by rule with id 949110 from REQUEST-949-BLOCKING-EVALUATION.conf.

Yep, I see your pain. But I’m afraid we can’t help it immediately.

When i moved this rule and some another connected rules("id:949060, "id:949061, "id:949062, "id:949063) to phase 1 problem is gone. But as far as i understood this is totally wrong decision, because rule 949110 needed to use anomaly score from phase 2 such as from phase 1. So if we moved it to phase 1, there is no rule that can react to anomaly score at phase 2. Am i right?

Yes, you’re absolutely right.

I’ve added a comment to the issue at ModSecurity. If you want to follow that thread, you can subscribe it.

Also i must add a little context about crs-setup.conf. I using this rules as default action:
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
If i remove them with:
# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
requests is going to be blocked on 913100 failed as expected.

Seems like this is question can be moved to another issue, whichever is more convenient for you.

We (CRS team) will have the meeting next Monday, hope we can discuss this request.

1reaction

SandakovMMcommented, Dec 4, 2020

Hooray! Thank you very much @airween

Top Results From Across the Web

Disabling Request Body Access in ModSecurity 3 Leads to ...

If you are running ModSecurity 3 with request body access disabled, then I have some bad news. Please sit down, this will be...

ModSecurity Handbook: Getting Started: Chapter 3. ...

Response body monitoring works best to detect information leakage, configuration errors, traces of attacks (successful or not), and data leakage in the cases ......

apache2 - Fail2Ban and modsecurity not working

I'm curious if there's a better solution to the problem but that quick fix solved it for me. New Fail2Ban regex: failregex =...

Apache Mod Security is not being disabled for certain path

i have enabled Comodo ModSecurity vendor rules in WHM and one rule is blocking me. So i added new rule that should disable...

mod security - Modsecurity not check POST data even ...

Modsecurity by default has parameter "SecRuleEngine" set to "DetectionOnly" and work in monitor mode. Must be set to "On".