Modsecurity: SecRuleEngine ignore DetectionOnly

Created on 21 Nov 2018  ·  14 Comments  ·  Source: SpiderLabs/ModSecurity

Describe the bug
It seems that the latest v3/master completely ignores the DetectionOnly SecRuleEngine configuration. When a rule matches, I always get the default disruptive action even if SecRuleEngine is set to DetectionOnly; in the debug logs I can see the "deny" action.

Logs and dumps
debug log:

```
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 932150) Executing operator "Rx" with param "[...cut...]" against XML:/*.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "a" (Variable: ARGS_NAMES:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "exec(/bin/bash);" (Variable: ARGS:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 0.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars cleaned.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 932160) Executing operator "PmFromFile" with param "unix-shell.data" against XML:/*.
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:urlDecodeUni: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:cmdLine: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:normalizePath: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:lowercase: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "a" (Variable: ARGS_NAMES:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:urlDecodeUni: "exec(/bin/bash);"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:cmdLine: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:normalizePath: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:lowercase: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "exec(/bin/bash) " (Variable: ARGS:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [7] Added pm match TX.0: bin/bash
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars updated.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:msg with value: Remote Command Execution: Unix Shell Code Found
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:rce_score with value: 5
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:anomaly_score_pl1 with value: 5
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:-OWASP_CRS/WEB_ATTACK/RCE-ARGS:a with value: bin/bash
[154281330544.076301] [/?a=exec(/bin/bash);] [9] This rule severity is: 2 current transaction is: 2
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Saving msg: Remote Command Execution: Unix Shell Code Found
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 1.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: log
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Saving transaction to logs
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: auditlog
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: status
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: application-multi
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: language-shell
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: platform-unix
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: attack-rce
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: WASCTC/WASC-31
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: OWASP_TOP_10/A1
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: PCI/6.5.2
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: block
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Marking request as disruptive.
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Running action deny
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: ctl
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Skipping this phase as this request was already intercepted.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Starting phase RESPONSE_HEADERS. (SecRules 3)
[154281330544.076301] [/?a=exec(/bin/bash);] [9] This phase consists of 70 rule(s).
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 950020) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL)
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 0.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars cleaned.
```

for the same request:

```
...
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Not running disruptive action: pass. SecRuleEngine is not On.
...
```

I don't know why it skips the disruptive action for pass but not for deny.

To Reproduce

  • ModSecurity v3/master
  • ModSecurity-nginx (latest)
  • Nginx
  • OWASP CRS 3.2/dev
  • configure SecRuleEngine DetectionOnly
  • configure a default action to "deny"

trigger a rule:

```
curl 'http://localhost/?a=exec(/bin/bash);'
```

Expected behavior
It should just log without executing the disruptive action.

ModSecurity configure output
```
ModSecurity - v3.0.3-4-gcbf2fe97 for Linux

Mandatory dependencies

  • libInjection ....v3.0.3-4-gcbf2fe97
  • SecLang tests ....cbf2fe97

Optional dependencies

  • GeoIP/MaxMind ....found

    • (GeoIP) v1.6.12

      -lGeoIP, -I/usr/include/

  • LibCURL ....found v7.58.0
    -lcurl, -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
  • YAJL ....found v2.1.0
    -lyajl, -DWITH_YAJL -I/usr/include/yajl
  • LMDB ....not found
  • LibXML2 ....found v2.9.4
    -lxml2, -I/usr/include/libxml2 -DWITH_LIBXML2
  • SSDEEP ....not found
  • LUA ....not found

Other Options

  • Test Utilities ....enabled
  • SecDebugLog ....enabled
  • afl fuzzer ....disabled
  • library examples ....enabled
  • Building parser ....disabled
  • Treating pm operations as critical section ....disabled
```
3.x bug

All 14 comments

  • ModSecurity 3.0.3 (tar) - comes from Debian as package
  • ModSecurity-nginx 1.0.0 (tar)
  • Nginx (Debian SID version)
  • the whole Nginx collection is here: https://salsa.debian.org/airween-guest/nginx/tree/modsecurity
  • OWASP CRS 3.1 (tar)
  • configure SecRuleEngine DetectionOnly
  • configure a default action to "deny" - sorry, I didn't find any info about this

in modsecurity.conf:

SecRuleEngine DetectionOnly

libmodsecurity configure:

```
ModSecurity -  for Linux

 Mandatory dependencies
   + libInjection                                  ....
   + SecLang tests                                 ....

 Optional dependencies
   + GeoIP/MaxMind                                 ....found 
      * (MaxMind) v1.3.2
         -lmaxminddb, -DWITH_MAXMIND -I/usr/include/x86_64-linux-gnu
      * (GeoIP) v1.6.12
         -lGeoIP, -I/usr/include/
   + LibCURL                                       ....found v7.62.0 
      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.1.0
      -lyajl, -DWITH_YAJL -I/usr/include/yajl
   + LMDB                                          ....not found
   + LibXML2                                       ....found v2.9.4
      -lxml2, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found 
      -lfuzzy -L/usr/lib/x86_64-linux-gnu/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v503
      -llua5.3 -L/usr/lib/x86_64-linux-gnu/, -DWITH_LUA -I/usr/include/lua5.3

 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled
```

```
curl 'http://localhost/?a=exec(/bin/bash);'
```

2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "481"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:a: exec(/bin/bash) "] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571483.914752"] [ref "o6,8v8,16t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate (2095 characters omitted)' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "300"] [id "933160"] [rev ""] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: exec(/bin/bash) found within ARGS:a: exec(/bin/bash);"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571483.914752"] [ref "o0,15v8,16"], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571483.914752"] [ref ""], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "481"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:a: exec(/bin/bash) "] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref "o6,8v8,16t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate (2095 characters omitted)' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "300"] [id "933160"] [rev ""] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: exec(/bin/bash) found within ARGS:a: exec(/bin/bash);"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref "o0,15v8,16"], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref ""], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=5,HTTP=0,SESS=0): PHP Injection Attack: High-Risk PHP Function Call Found; individual paranoia level scores: 10, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref ""] while logging request, client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"

---8CP5TlcV---A--
[07/Jan/2019:21:15:14 +0000] 154689571415.050309 ::1 52110 0.0.0.0 80
---8CP5TlcV---B--
GET /?a=exec(/bin/bash); HTTP/1.1
Host: localhost
User-Agent: curl/7.62.0
Accept: */*

---8CP5TlcV---D--

---8CP5TlcV---E--
\x0a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ...
...
---8CP5TlcV---F--
HTTP/1.1 200
Server: nginx/1.14.2
Date: Mon, 07 Jan 2019 21:15:14 GMT
Content-Length: 10701
Content-Type: text/html
Last-Modified: Thu, 27 Dec 2018 23:16:57 GMT
Connection: keep-alive
ETag: "5c255d69-29cd"
Accept-Ranges: bytes

---8CP5TlcV---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "481"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:a: exec(/bin/bash) "] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref "o6,8v8,16t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate (2095 characters omitted)' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "300"] [id "933160"] [rev ""] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: exec(/bin/bash) found within ARGS:a: exec(/bin/bash);"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref "o0,15v8,16"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=5,HTTP=0,SESS=0): PHP Injection Attack: High-Risk PHP Function Call Found; individual paranoia level scores: 10, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref ""]

---8CP5TlcV---I--

@airween could you check whether your modsecurity version is v3.0.3-4-gcbf2fe97, because before this commit it worked fine for me.

configure a default action to "deny" - sorry, I didn't find any info about this

configure a default action with SecDefaultAction, as you can find in the OWASP CRS config crs-setup.conf, for example:

```
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
```

@theMiddleBlue I'll see that soon - I just prepared the packages for Debian, and caught the released versions of all components (libmodsecurity3, ModSecurity-nginx).

Could you help me with the link to this release? I didn't find gcbf2fe97 in the git log. And the version number (3.0.3-4) is also interesting to me.

The SecDefaultAction is clear now - I searched for it in modsecurity.conf, sorry :).

No problem, my first message was not very clear. At the time I'm writing, the version is v3.0.3-35-gcbf2fe97. I'm just compiling it with the latest modsecurity-nginx connector. I'll give you an update asap.

Ok, I confirm that the issue is still present with version v3.0.3-35-g3c1fba27. With the drop disruptive action, the "DetectionOnly" doesn't work as expected. Below are my tests (both using SecRuleEngine DetectionOnly), showing which rules are matched by the request curl -v 'http://localhost/?a=exec("/bin/bash");':

```
# using disruptive action: pass
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
```

with the pass action, it seems to work as expected for DetectionOnly:

  • [932160] Remote Command Execution: Unix Shell Code Found
  • [933160] PHP Injection Attack: High-Risk PHP Function Call Found
  • [949110] Inbound Anomaly Score Exceeded (Total Score: 10)
  • [980130] Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=5,HTTP=0,SESS=0): PHP Injection Attack: High-Risk PHP Function Call Found; individual paranoia level scores: 10, 0, 0, 0

```
# using disruptive action: drop
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
```

with the drop action, modsecurity stops at the first rule match:

  • [932160] Remote Command Execution: Unix Shell Code Found

Thanks @airween

I did a test using your branch, and it seems to be working like a dream!

A possible solution:
https://github.com/airween/ModSecurity/tree/v3/issue-1960

This looks sane to me @airween and working here too. Thanks! :)

My initial concern was whether the value of it->status is expected to be filled in later on, and it won't be if DetectionOnlyRuleEngine is set... Can you submit a pull request to trigger the tests on the buildbots too?

Another solution:
https://github.com/airween/ModSecurity/tree/v3/issue-1960-2

@airween I've just tested it and it seems to work as expected!

thanks

Hi guys, any news on this? Is #2032 ok to be merged?

Hi,

This issue was discussed on the Slack channel a while ago, back on February 25th. Part of the conversation is here: https://gist.github.com/zimmerle/0b12878f563c023a4d2b93837fd4c774 [Full conversation is available on Slack]

One thing that I was explaining is that ModSecurity has different state machines; one particular state machine dictates the SecEngineState. Transitions between the different states follow logical rules. Having if/else in different parts of the code may cause unexpected behavior, either now or later, when a new feature is added. That scenario could cause us problems that will be hard to debug. The semantics of the state machine need to be clear enough for a developer to preventively spot an issue.

On #2032, we have:

```cpp
if (transaction->getRuleEngineState() != RulesProperties::DetectionOnlyRuleEngine) {
  a->evaluate(rule, transaction, rm);
}
```

https://github.com/airween/ModSecurity/blob/e17f37404c20332060347b31c241b09b19bb2959/src/actions/block.cc#L40-L42

Here the check is being made in the block action itself. Not to mention that it is just checking whether the _RuleEngine_ is different from _DetectionOnlyRuleEngine_, which means that it is going to _bug_ when the engine is _Off_.

The patch solves a use case scenario, but not the general problem, therefore I am not merging. Instead, I am defining a third kind of action, disruptivish :P, that is an action that is not executed when the engine is different from RulesProperties::Enabled; that is the exact case of the block action. It is not disruptive on its own, so it is not disruptive. All that is _materialized_ in the code by adding this line; the second part is the fix for this issue.

https://github.com/SpiderLabs/ModSecurity/blob/50abc072c4534d6e5c01dca73233347b68d6eb22/src/rule.cc#L552

This can be and will be optimized. I am not doing it now, to merge smoothly into the 3.1 experimental branch. Further, the naming disruptivish (or something more meaningful) will be in the code.

@airween I am keeping you on the list of the credits, given your contribution. Same for everybody on this discussion. Thank you, guys.

Please let me know if there are any other issues or regressions given the fix.
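As an added example (not ModSecurity's own code), the following C++ model reproduces the deny-versus-pass tests under DetectionOnly reported above and the gating difference between the check proposed in #2032 and the "disruptivish" action class described in the previous comment. The engine states, the variant names and the three-rule list are assumptions of the model, taken from the logs in this thread.

```cpp
// Toy model of how the rule-engine state gates the CRS `block` action.
// Not ModSecurity's code; states, variants and rule list are assumptions
// of this example, with rule ids taken from the logs in this issue.
#include <iostream>
#include <string>
#include <vector>

enum class RuleEngine { Off, DetectionOnly, On };

// Which version of the block-action gate the model uses.
enum class Variant { Original, Pr2032, Fixed };

// Does `block` expand into the default disruptive action under this engine state?
bool blockIntercepts(Variant v, RuleEngine e) {
    switch (v) {
    case Variant::Original:
        return true;                             // reported bug: no engine check at all
    case Variant::Pr2032:
        return e != RuleEngine::DetectionOnly;   // still intercepts when the engine is Off
    case Variant::Fixed:
        return e == RuleEngine::On;              // "disruptivish": runs only when On
    }
    return true;
}

// Phase-2 rules matched by the request in this issue; all three carry the
// CRS `block` action. 980130 is a phase-5 rule and is left out of the model.
struct Rule { int id; bool usesBlock; };
const std::vector<Rule> kMatchedRules = {
    {932160, true}, {933160, true}, {949110, true}};

// Runs the phase and returns the ids logged before any interception.
// `defaultDisruptive` is the disruptive action in SecDefaultAction (pass/deny/drop).
std::vector<int> runPhase(Variant v, RuleEngine e, const std::string& defaultDisruptive) {
    // A `pass` default action never intercepts, matching the
    // "Not running disruptive action: pass" debug line quoted in the report.
    const bool wantsIntercept = defaultDisruptive == "deny" || defaultDisruptive == "drop";
    std::vector<int> logged;
    for (const Rule& r : kMatchedRules) {
        logged.push_back(r.id);                  // log/auditlog are non-disruptive: always run
        if (r.usesBlock && wantsIntercept && blockIntercepts(v, e))
            break;                               // request marked disruptive: later rules skipped
    }
    return logged;
}

int main() {
    struct Case { const char* name; Variant v; RuleEngine e; const char* act; };
    const Case cases[] = {
        {"original, DetectionOnly, deny", Variant::Original, RuleEngine::DetectionOnly, "deny"},
        {"original, DetectionOnly, pass", Variant::Original, RuleEngine::DetectionOnly, "pass"},
        {"fixed,    DetectionOnly, deny", Variant::Fixed,    RuleEngine::DetectionOnly, "deny"},
        {"fixed,    On,            deny", Variant::Fixed,    RuleEngine::On,            "deny"},
    };
    for (const Case& c : cases) {
        std::cout << c.name << " -> logged:";
        for (int id : runPhase(c.v, c.e, c.act)) std::cout << ' ' << id;
        std::cout << '\n';
    }
    // The objection to #2032: its gate still fires when the engine is Off.
    std::cout << "#2032 gate with engine Off: " << blockIntercepts(Variant::Pr2032, RuleEngine::Off)
              << ", fixed gate: " << blockIntercepts(Variant::Fixed, RuleEngine::Off) << '\n';
    return 0;
}
```

Under the original gate with deny, only 932160 is logged before the request is intercepted, which is exactly the one-rule result in the drop test above; the fixed gate logs all three under DetectionOnly and intercepts only when the engine is On.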

Something is wrong with the attached test case at Travis CI, e.g.:
https://travis-ci.org/SpiderLabs/ModSecurity/jobs/541176491#L2048

But I can reproduce it locally too.
