Hi,
I'm getting multiple audit log entries without the reason for blocking; there is no data present in the "messages":[ ] parameter. Please help me resolve this issue.
```json
{
  "transaction":{
    "client_ip":"192.168.1.137",
    "time_stamp":"Fri Jul 13 07:10:50 2018",
    "server_id":"cc8b35e4356e8b965588d667f4e06d0e2756f572",
    "client_port":42604,
    "host_ip":"test.site",
    "host_port":0,
    "id":"153146585098.376947",
    "request":{
      "method":"POST",
      "http_version":1.1,
      "uri":"/bank/login.aspx",
      "headers":{
        "Referer":"http://test.site/bank/login.aspx",
        "Connection":"close",
        "Cookie":"ASP.NET_SessionId=ne0ztdnv1ffdz055pofjbz55; amSessionId=31291236040; amUserInfo=UserName=&Password=; amUserId=1; lang=english",
        "Accept-Encoding":"gzip, deflate",
        "DNT":"1",
        "User_Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0",
        "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Host":"test.site",
        "Accept-Language":"en-US,en;q=0.5",
        "Content-Length":"69",
        "Upgrade-Insecure-Requests":"1",
        "Content-Type":"application/x-www-form-urlencoded"
      }
    },
    "response":{
      "http_code":500,
      "headers":{
        "Transfer-Encoding":"chunked",
        "Transfer-Encoding":"chunked",
        "Transfer-Encoding":"chunked",
        "Cache-Control":"no-cache",
        "Cache-Control":"no-cache",
        "Cache-Control":"no-cache",
        "Cache-Control":"no-cache",
        "Pragma":"no-cache",
        "Pragma":"no-cache",
        "Pragma":"no-cache",
        "Pragma":"no-cache",
        "Content-Type":"text/html",
        "Content-Type":"text/html",
        "Content-Type":"text/html",
        "Content-Type":"text/html",
        "Expires":"-1",
        "Expires":"-1",
        "Expires":"-1",
        "Expires":"-1",
        "Server":"Microsoft-IIS/8.0",
        "X-AspNet-Version":"2.0.50727",
        "X-AspNet-Version":"2.0.50727",
        "X-AspNet-Version":"2.0.50727",
        "X-AspNet-Version":"2.0.50727",
        "Connection":"close",
        "Connection":"close",
        "Connection":"close",
        "Date":"Fri, 13 Jul 2018 08:09:51 GMT",
        "X-Powered-By":"ASP.NET",
        "X-Powered-By":"ASP.NET",
        "X-Powered-By":"ASP.NET",
        "X-Powered-By":"ASP.NET"
      }
    },
    "producer":{
      "modsecurity":"ModSecurity v3.0.2 (Linux)",
      "connector":"ModSecurity-Apache v0.1.1-beta",
      "secrules_engine":"Enabled",
      "components":[
        "OWASP_CRS/2.2.9\""
      ]
    },
    "messages":[
    ]
  }
}
```
If you change SecAuditLogFormat to "Native" does it make any difference? Can you see the Messages?
I'm getting a similar error in Native format also. Please check the log below.
[20/Aug/2018:12:23:00 +0530] 15347479804.942686 115.16.219.2 5992 test.site 0
---ESG7C1mD---B--
POST /bank/login.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://test.site/bank/login.aspx
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=xngfin45wfxrma45jj23iy55; amSessionId=4464118022; amUserId=1
Content-Length: 68
Accept-Language: en-US,en;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Host: test.site
Connection: close
Upgrade-Insecure-Requests: 1
---ESG7C1mD---D--
---ESG7C1mD---E--
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\x0d\x0a<html xmlns="http://www.w3.org/1999/xhtml">\x0d\x0a<head>\x0d\x0a<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>\x0d\x0a<title>500 - Internal server error.</title>\x0d\x0a<style type="text/css">\x0d\x0a<!--\x0d\x0abody{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}\x0d\x0afieldset{padding:0 15px 10px 15px;} \x0d\x0ah1{font-size:2.4em;margin:0;color:#FFF;}\x0d\x0ah2{font-size:1.7em;margin:0;color:#CC0000;} \x0d\x0ah3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} \x0d\x0a#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;\x0d\x0abackground-color:#555555;}\x0d\x0a#content{margin:0 0 0 2%;position:relative;}\x0d\x0a.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}\x0d\x0a-->\x0d\x0a</style>\x0d\x0a</head>\x0d\x0a<body>\x0d\x0a<div id="header"><h1>Server Error</h1></div>\x0d\x0a<div id="content">\x0d\x0a <div class="content-container"><fieldset>\x0d\x0a <h2>500 - Internal server error.</h2>\x0d\x0a <h3>There is a problem with the resource you are looking for, and it cannot be displayed.</h3>\x0d\x0a </fieldset></div>\x0d\x0a</div>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a\x0d\x0a\x0d\x0a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\x0d\x0a\x0d\x0a<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >\x0d\x0a<head id="_ctl0_head"><title>\x0d\x0a\x09Aloro Mutal: Server Error\x0d\x0a</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><link href="../style.css" rel="stylesheet" type="text/css" /></head>\x0d\x0a<body style="margin-top:5px;">\x0d\x0a\x0d\x0a<div id="header" style="margin-bottom:5px; width: 99%;">\x0d\x0a <form id="frmSearch" method="get" 
action="/search.aspx">\x0d\x0a\x09 <table width="100%" border="0" cellpadding="0" cellspacing="0">\x0d\x0a\x09\x09 <tr>\x0d\x0a\x09\x09 <td rowspan="2"><a id="_ctl0_HyperLink1" href="../default.aspx" style="height:80px;width:183px;"><img src="../images/logo.gif" border="0" /></a></td>\x0d\x0a\x09\x09\x09 <td align="right" valign="top">\x0d\x0a \x09\x09\x09 <a id="_ctl0_LoginLink" title="Please click here to sign out of the Online Banking application. You may also want to close your browser window." href="logout.aspx" style="color:Red;font-weight:bold;">Sign Off</a> | <a id="_ctl0_HyperLink3" href="../default.aspx?content=inside_contact.htm">Contact Us</a> | <a id="_ctl0_HyperLink4" href="../feedback.aspx">Feedback</a> | <label for="txtSearch">Search</label>\x0d\x0a <input type="text" name="txtSearch" id="txtSearch" accesskey="S" />\x0d\x0a <input type="submit" value="Go" />\x0d\x0a\x09\x09\x09 </td>\x0d\x0a\x09\x09 </tr>\x0d\x0a\x09\x09 <tr>\x0d\x0a\x09\x09\x09 <td align="right" style="background-image:url(/images/gradient.jpg);padding:0px;margin:0px;"><img id="_ctl0_Image1" src="../images/header_pic.jpg" border="0" style="height:60px;width:354px;" /></td>\x0d\x0a\x09\x09 </tr>\x0d\x0a\x09 </table>\x0d\x0a\x09</form>\x0d\x0a</div>\x0d\x0a\x0d\x0a<div id="wrapper" style="width: 99%;">\x0d\x0a \x0d\x0a\x0d\x0a<div class="err" style="width: 99%;">\x0d\x0a\x0d\x0a<h1>An Error Has Occurred</h1>\x0d\x0a\x0d\x0a<h2>Summary:</h2>\x0d\x0a\x0d\x0a<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression 'username = 'adminc8wwl%>ro857'/"<q2oio' AND password = 'admin''.\x0d</span></b></p>\x0d\x0a\x0d\x0a<h2>Error Message:</h2>\x0d\x0a\x0d\x0a<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression 'username = 'adminc8wwl%>ro857'/"<q2oio' AND password = 'admin''.\x0d\x0a at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)\x0d\x0a at 
System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)\x0d\x0a at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)\x0d\x0a at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)\x0d\x0a at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)\x0d\x0a at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)\x0d\x0a at System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)\x0d\x0a at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)\x0d\x0a at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)\x0d\x0a at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, String srcTable)\x0d\x0a at Altoro.Authentication.ValidateUser(String uName, String pWord) in c:\downloads\AloroMutal_v6\website\bank\login.aspx.cs:line 68\x0d\x0a at Aloro.Authentication.Page_Load(Object sender, EventArgs e) in c:\downloads\AloroMutual_v6\website\bank\login.aspx.cs:line 33\x0d\x0a at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)\x0d\x0a at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)\x0d\x0a at System.Web.UI.Control.OnLoad(EventArgs e)\x0d\x0a at System.Web.UI.Control.LoadRecursive()\x0d\x0a at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)</span></p>\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a\x0d\x0a</div>\x0d\x0a\x0d\x0a<div id="footer" style="width: 99%;">\x0d\x0a <a id="_ctl0_HyperLink5" href="../default.aspx?content=privacy.htm">Privacy Policy</a>\x0d\x0a | \x0d\x0a <a id="_ctl0_HyperLink6" 
href="../default.aspx?content=security.htm">Security Statement</a>\x0d\x0a | \x0d\x0a © 2018 Aloro Mutal, Inc.\x0d\x0a\x0d\x0a <div class="disclaimer">\x0d\x0a The Aloro Mutal website is published by atchfire, Inc. for the sole purpose of\x0d\x0a demonstrating the effectiveness of atchfire products in detecting web application\x0d\x0a vulnerabilities and website defects. This site is not a real banking site. Similarities,\x0d\x0a if any, to third party products and/or websites are purely coincidental. This site is\x0d\x0a provided "as is" without warranty of any kind, either express or implied. atchfire does\x0d\x0a not assume any risk in relation to your use of this website. For additional Terms of Use,\x0d\x0a please go to <a id="_ctl0_HyperLink7" href="http://www.atchfire.site/statements/terms.aspx">http://www.atchfire.site/statements/terms.aspx</a>.<br /><br />\x0d\x0a\x0d\x0a Copyright © 2018, Corporation, All rights reserved.\x0d\x0a </div>\x0d\x0a</div>\x0d\x0a\x0d\x0a</body>\x0d\x0a</html>
---ESG7C1mD---F--
HTTP/1.1 500
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Mon, 20 Aug 2018 07:50:54 GMT
Connection: close
Connection: close
Connection: close
Connection: close
Connection: close
X-AspNet-Version: 2.0.50727
X-AspNet-Version: 2.0.50727
X-AspNet-Version: 2.0.50727
X-AspNet-Version: 2.0.50727
X-AspNet-Version: 2.0.50727
X-AspNet-Version: 2.0.50727
Server: Microsoft-IIS/8.0
Expires: -1
Expires: -1
Expires: -1
Expires: -1
Expires: -1
Expires: -1
Content-Type: text/html
Content-Type: text/html
Content-Type: text/html
Content-Type: text/html
Content-Type: text/html
Content-Type: text/html
Pragma: no-cache
Pragma: no-cache
Pragma: no-cache
Pragma: no-cache
Pragma: no-cache
Pragma: no-cache
Cache-Control: no-cache
Cache-Control: no-cache
Cache-Control: no-cache
Cache-Control: no-cache
Cache-Control: no-cache
Cache-Control: no-cache
Transfer-Encoding: chunked
Transfer-Encoding: chunked
Transfer-Encoding: chunked
Transfer-Encoding: chunked
Transfer-Encoding: chunked
---ESG7C1mD---H--
---ESG7C1mD---I--
---ESG7C1mD---J--
---ESG7C1mD---Z--
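The native entry above is the format that is hardest to eyeball for "did a rule fire or not", because the answer is whether part H between the `---xxx---H--` and the next boundary is empty. Here is an added example (not code from this thread or from the ModSecurity project) that splits a native-format audit log into its lettered parts and reports, per transaction, the id, status code and any rule ids and messages found in part H. It assumes the v3 layout shown above (`---boundary---X--` separators, the `[timestamp] id ip port host port` line in part A, the status line first in part F). The sample log is constructed: the first transaction mirrors the one in the thread, the second one and its H line (a libinjection hit from CRS rule 942100) are made up; the `[id "..."] [msg "..."]` tokens follow the style of ModSecurity's log lines.

```python
import re

BOUNDARY_RE = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--$")
# Part A header: [timestamp] transaction-id client-ip client-port host host-port
A_HEADER_RE = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')

# Constructed sample: first transaction is a backend 500 with an empty part H
# (no rule fired), second is a 403 with a rule hit written to part H.
SAMPLE_NATIVE = """\
---ESG7C1mD---A--
[20/Aug/2018:12:23:00 +0530] 15347479804.942686 115.16.219.2 5992 test.site 0
---ESG7C1mD---B--
POST /bank/login.aspx HTTP/1.1
Host: test.site
Content-Type: application/x-www-form-urlencoded
---ESG7C1mD---F--
HTTP/1.1 500
Content-Type: text/html
---ESG7C1mD---H--
---ESG7C1mD---Z--
---Ab12Cd34---A--
[20/Aug/2018:12:25:10 +0530] 15347481104.123456 192.168.1.137 6001 test.site 0
---Ab12Cd34---B--
GET /bank/login.aspx?uid=1'%20OR%20'1'='1 HTTP/1.1
Host: test.site
---Ab12Cd34---F--
HTTP/1.1 403
---Ab12Cd34---H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"]
---Ab12Cd34---Z--
"""


def parse_native(text):
    """Return a list of {'boundary', 'parts': {letter: [lines]}} per transaction."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            boundary, letter = m.groups()
            if letter == "A":
                current = {"boundary": boundary, "parts": {}}
                entries.append(current)
            if current is None:
                continue  # boundary before any part A: ignore
            part = None if letter == "Z" else letter
            if part:
                current["parts"].setdefault(part, [])
            continue
        if current is None and A_HEADER_RE.match(line):
            # Tolerate a paste that lost its leading ---xxx---A-- line,
            # as the one in the thread did.
            current = {"boundary": None, "parts": {"A": []}}
            entries.append(current)
            part = "A"
        if current is not None and part is not None:
            current["parts"][part].append(line)
    return entries


def summarize(entry):
    """Pull out the fields you need to tell a rule hit from a status-only entry."""
    parts = entry["parts"]
    a = A_HEADER_RE.match(parts.get("A", [""])[0])
    f = parts.get("F", [])
    status = int(f[0].split()[1]) if f and f[0].startswith("HTTP/") else None
    h_lines = parts.get("H", [])
    h_text = "\n".join(h_lines)
    return {
        "id": a.group(2) if a else None,
        "client_ip": a.group(3) if a else None,
        "request_line": parts.get("B", [None])[0],
        "status": status,
        "rule_ids": RULE_ID_RE.findall(h_text),
        "messages": MSG_RE.findall(h_text),
        "h_empty": not any(l.strip() for l in h_lines),
    }


if __name__ == "__main__":
    for e in parse_native(SAMPLE_NATIVE):
        print(summarize(e))
```

An entry whose `h_empty` is true and whose status is 5xx or 4xx is one that SecAuditLogRelevantStatus wrote on its own; only entries with non-empty `rule_ids` were written because a rule matched.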
You're running libModSecurity? Which version? If so, are you using the ModSecurity-apache connector?
Can you share your ModSecurity(.conf)/Apache configuration?
Yes, I'm using libModSecurity v3.0.2 (Linux)
Connector: ModSecurity-Apache v0.1.1-beta
Below is the Apache virtual host config:
```apache
ServerName test.site
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
LoadModule security3_module /home/ubuntu/ModSecurity-apache/src/.libs/mod_security3.so
<IfModule security3_module>
modsecurity_rules 'SecRuleEngine On'
modsecurity_rules 'SecRequestBodyAccess On'
modsecurity_rules 'SecResponseBodyAccess On'
#modsecurity_rules 'SecStreamOutBodyInspection On'
#modsecurity_rules 'SecStreamInBodyInspection On'
#modsecurity_rules 'SecContentInjection On'
modsecurity_rules_file "/home/ubuntu/include.conf"
modsecurity_rules 'SecDefaultAction "phase:1,log,auditlog,deny"'
modsecurity_rules 'SecDefaultAction "phase:2,log,auditlog,deny"'
modsecurity_rules 'SecRuleRemoveById 960017'
modsecurity_rules 'SecAuditLogFormat NATIVE'
</IfModule>
#SSLProxyEngine on
#SSLProxyVerify none
#SSLProxyCheckPeerCN off
#SSLProxyCheckPeerName off
#SSLProxyCheckPeerExpire off
ProxyPreserveHost On
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /waf-block.html !
ProxyPass /block.png !
ProxyPass / http://test.site/
ProxyPassReverse / http://test.site/
ErrorLog ${APACHE_LOG_DIR}/error_test.site.log
CustomLog ${APACHE_LOG_DIR}/access_test.site.log combined
#modsecurity_rules "SecAuditLog ${APACHE_LOG_DIR}/audit_test.site.log"
modsecurity_rules "SecAuditLogType HTTPS"
modsecurity_rules "SecAuditLog http://192.168.1.50/api/waf"
```
Included files:
```apache
Include "/opt/ModSecurity/modsecurity.conf"
Include "/usr/share/modsecurity-crs/*.conf"
Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
```
ModSecurity conf:
```apache
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'2000000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /tmp/
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecStatusEngine On
```
Any update on this issue?
I did the same setup in another server, but the issue is still there.
I faced a similar issue before, too. Any update?
Hi,
I think this is not an issue. In your config I see:
```apache
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
```
Which means ModSecurity will log every HTTP error starting with 5 or 4, except 404.
The mentioned audit log has a 500 HTTP error, so this is why it was logged.
There was no SecRule that triggered, which is why messages are empty.
(If I recall correctly, messages is only filled if a rule triggers and it has a msg action.)
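The same reasoning can be applied mechanically to a serial JSON audit log. Here is an added example (not code from this thread or from the ModSecurity project) that reads each JSON entry, checks whether any rule wrote a message, and otherwise tests the response code against the SecAuditLogRelevantStatus regex the way ModSecurity does (the regex is matched against the status code as text), so every entry gets labelled with the reason it was written. The sample entries are constructed to mirror the log at the top of the thread; the second entry's rule hit (CRS rule 942100 and its message text) is invented for the example.

```python
import json
import re

# Default shipped in modsecurity.conf-recommended and quoted in the thread.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"

# Constructed sample entries (shape follows the v3 JSON log in the thread,
# values are made up). The first mirrors the thread's symptom: a backend 500
# and an empty "messages" list. The second is a rule hit.
SAMPLE_ENTRIES = [
    {"transaction": {
        "client_ip": "192.168.1.137", "id": "153146585098.376947",
        "request": {"method": "POST", "uri": "/bank/login.aspx"},
        "response": {"http_code": 500},
        "messages": []}},
    {"transaction": {
        "client_ip": "192.168.1.137", "id": "153146585098.376948",
        "request": {"method": "GET", "uri": "/bank/login.aspx"},
        "response": {"http_code": 403},
        "messages": [{"message": "SQL Injection Attack Detected via libinjection",
                      "details": {"ruleId": "942100", "severity": "2"}}]}},
]
# Serial JSON log: one document per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_ENTRIES) + "\n"


def status_is_relevant(http_code, pattern=DEFAULT_RELEVANT_STATUS):
    """True if SecAuditLogRelevantStatus alone makes the transaction relevant.
    The regex is applied to the status code as text, so the default hits
    500, 400 and 403 but not 404 or 200."""
    return re.search(pattern, str(http_code)) is not None


def iter_json_entries(text):
    """Yield each JSON document in a serial JSON audit log. raw_decode copes
    with one-entry-per-line as well as concatenated or pretty-printed objects."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def classify_entry(entry, pattern=DEFAULT_RELEVANT_STATUS):
    """Explain why an entry exists: 'rule' when a rule wrote a message,
    'status' when only the status regex made it relevant, 'unexpected' when
    neither explains it."""
    tx = entry["transaction"]
    code = tx["response"]["http_code"]
    messages = tx.get("messages") or []
    if messages:
        reason = "rule"
    elif status_is_relevant(code, pattern):
        reason = "status"
    else:
        reason = "unexpected"
    return {
        "id": tx["id"],
        "uri": tx["request"]["uri"],
        "http_code": code,
        "reason": reason,
        "rule_ids": [m.get("details", {}).get("ruleId") for m in messages],
    }


def triage(text, pattern=DEFAULT_RELEVANT_STATUS):
    """Classify every entry of a serial JSON audit log."""
    return [classify_entry(e, pattern) for e in iter_json_entries(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    for row in triage(SAMPLE_LOG, r"^(?:403)"):
        print("403-only:", row)
```

With the default regex the 500 entry comes out as `status` and the 403 entry as `rule`. Run with `^(?:403)` instead, the same 500 entry is `unexpected`: neither a logged message nor the status regex accounts for it, so something else (a rule acting on the response, for instance) marked the transaction relevant. Counting `unexpected` entries is the quickest way to see whether changing SecAuditLogRelevantStatus actually did what you expected.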
Hi,
I tried changing it as below to log only 403 messages.
```apache
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:403)"
```
But, I can still see 500 errors in the audit logs.
Hi All
I am using "connector":"ModSecurity-nginx v1.0.0" and am suffering from the same issue.
I missed that you are including owasp-crs too.
CRS has a SecRule which triggers on HTTP 500 errors.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/RESPONSE-950-DATA-LEAKAGES.conf#L68
CRS is a very good ruleset. But you should never include every rule in it on every location on a production server.
For example:
If you have PHPMyAdmin, CRS's SQL injection rules will trigger on it.
If you have a blog site, and admins and users are allowed to post HTML content, then almost every XSS protection rule will trigger.
You need to pick the right rules for the right use case.
Closing this one as it seemed like a configuration issue based on @LeeShan87 comments. Thanks!
It's really confusing to see logs with no messages. The default SecAuditLogRelevantStatus logs every 5xx request, which doesn't match any messages, and the log becomes very large. If somebody cares about every 4xx/5xx request, they can add a rule.
I commented out SecAuditLogRelevantStatus, and then it only logs requests that match the rules.
```apache
SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
```