Re Paolo, paolo.luis...@gmail.com (Paolo Luise) wrote:

> how is your SecRuleEngine directive configured?

For most of our vhosts, including this one, it is of course set to "On".
Otherwise mod_security would have logged a "Warning" ;-)

I'm really curious if I'm the only one experiencing this strange issue,
where modsec logs "I'm sending a 403", but Apache gives me a 500, and I
can see nowhere in any log why this would happen...

HTH,
Elmar.

> If it's in DetectionOnly, as stated in the manual, in this way the WAF
> engine "process rules but never executes any disruptive actions (block,
> deny, drop, allow, proxy and redirect)"; ref.
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRuleEngine
>
> The rule you are speaking about contains the block (disruptive) action.
>
> Please return us your feedback.
>
> Regards
> Paolo Luise
>
>
> > Hello,
> >
> > We're running mod_security plus current CRS (3.0.0-4) as an Apache
> > module here.
> > I have set paranoia_mode to 2, so the rule in question (950100) fires,
> > and it should translate all internal errors to 403s towards the outside.
> >
> > Now, some internal errors (500s) are NOT translated to 403s. :-(
> >
> > I wonder if anybody else has run into this problem and whether there is
> > a solution out there. Googling got me nowhere yet.
> >
> > Obfuscated curl, result and log output is below.
> >
> > Thank you for any direction you could point me to,
> > Elmar.
> >
> >
> > === Client View ===
> >
> > curl --insecure -X DELETE https://***** -H 'accept: application/json' -H
> > 'authorization: Basic *****' -H 'cache-control: no-cache' -H ...
> >
> > -->
> >
> > {"httpStatus":"500","message":"Internal Server
> > Error","requestURI":"https://*****"}
> >
> >
> > === Server View ===
> >
> > --b962e37c-A--
> > [15/May/2017:14:03:22 +0000] ************** 10.**.**.** 61134 10.**.**.**
> > 443
> > --b962e37c-B--
> > DELETE /***** HTTP/1.1
> > Host: *****
> > accept: application/json
> > authorization: Basic *****
> > cache-control: no-cache
> > content-type: application/json
> >
> > --b962e37c-F--
> > HTTP/1.1 403 Forbidden
> > Strict-Transport-Security: max-age=31536000; includeSubDomains
> > X-TrackingId: 8ab4dc14-fbd0-4ecd-a2e4-5697a67017dc
> > Vary: Accept-Encoding
> > Content-Type: application/json
> > Connection: close
> > Transfer-Encoding: chunked
> >
> > --b962e37c-E--
> >
> > --b962e37c-H--
> > Message: Access denied with code 403 (phase 4). Pattern match "^5\\d{2}$"
> > at RESPONSE_STATUS. [file "/etc/httpd/modsecurity.d/
> > activated_rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "93"] [id
> > "950100"] [rev "3"] [msg "The Application Returned a 500-Level Status
> > Code"] [data "Matched Data: 500 found within RESPONSE_STATUS: 500"]
> > [severity "ERROR"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"]
> > [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"]
> > [tag "attack-disclosure"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"]
> > [tag "PCI/6.5.6"] [tag "paranoia-level/2"]
> > Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file
> > "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"]
> > [line "82"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 4):
> > The Application Returned a 500-Level Status Code"] [tag "event-correlation"]
> > Action: Intercepted (phase 4)
> > Apache-Handler: proxy-server
> > Stopwatch: 1494857002287297 207077 (- - -)
> > Stopwatch2: 1494857002287297 207077; combined=18441, p1=681, p2=14548,
> > p3=1891, p4=724, p5=597, sr=91, sw=0, l=0, gc=0
> > Response-Body-Transformed: Dechunked
> > Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/);
> > OWASP_CRS/3.0.0.
> > Server: Apache
> > WebApp-Info: "netverify" "-" "-"
> > Engine-Mode: "ENABLED"
> >
> > --b962e37c-Z--
> >
> >
> > ==> apache-request.log <==
> > 2017-05-15 14:03:22 UTC 10.**.**.** ***** - "DELETE ***** HTTP/1.1" 500
> > 168 "-" "*****" 1071 3634 207355 on WRm1KgoKGoMAAD-yLjgAAABU - *****
> > TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 false 128 128 NULL
> > 8ab4dc14-fbd0-4ecd-a2e4-5697a67017dc
> >
> > ==> apache-error.log <==
> > [Mon May 15 14:03:22 2017] [error] [client 10.**.**.**] ModSecurity:
> > Access denied with code 403 (phase 4). Pattern match "^5\\\\d{2}$" at
> > RESPONSE_STATUS. [file "/etc/httpd/modsecurity.d/
> > activated_rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "93"] [id
> > "950100"] [rev "3"] [msg "The Application Returned a 500-Level Status
> > Code"] [data "Matched Data: 500 found within RESPONSE_STATUS: 500"]
> > [severity "ERROR"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"]
> > [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"]
> > [tag "attack-disclosure"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"]
> > [tag "PCI/6.5.6"] [tag "paranoia-level/2"] [hostname "*****"] [uri
> > "/*****"] [unique_id "WRm1KgoKGoMAAD-yLjgAAABU"]
> >
> > [Mon May 15 14:03:22 2017] [error] [client 10.**.**.**] ModSecurity:
> > Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file
> > "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"]
> > [line "82"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 4):
> > The Application Returned a 500-Level Status Code"] [tag
> > "event-correlation"] [hostname "*****"] [uri "/*****"] [unique_id
> > "WRm1KgoKGoMAAD-yLjgAAABU"]

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
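The cross-check Elmar did by hand (ModSecurity's audit log says "Access denied with code 403", the access log says 500) can be automated so that such transactions are caught fleet-wide instead of one curl at a time. The script below is an added example, not code from the thread, from mod_security or from the CRS project. It parses a serial-format mod_security 2.x audit log, takes the status ModSecurity claims to have enforced from the H section only when `Action: Intercepted` is also present (so a DetectionOnly "Warning" is not counted as an enforcement), finds the same transaction in the access log by the unique id that section A carries, and reports every transaction where the two statuses disagree. The log lines are constructed, modelled on the excerpt above with placeholder hosts and ids; the access-log layout it assumes is a quoted request line followed by the status, with the unique id as a separate whitespace-delimited field.

```python
"""Cross-check the status ModSecurity says it enforced against the status Apache logged."""
import re
from dataclasses import dataclass, field

# Constructed sample audit log (mod_security 2.x serial format), modelled on the
# thread's excerpt. Hosts, IPs and the unique id are placeholders, not real data.
AUDIT_LOG = r"""
--b962e37c-A--
[15/May/2017:14:03:22 +0000] WRm1KgoKGoMAAD-yLjgAAABU 10.0.0.5 61134 10.0.0.9 443
--b962e37c-B--
DELETE /api/item/1 HTTP/1.1
Host: example.invalid
accept: application/json

--b962e37c-F--
HTTP/1.1 403 Forbidden
Content-Type: application/json
Connection: close

--b962e37c-E--

--b962e37c-H--
Message: Access denied with code 403 (phase 4). Pattern match "^5\\d{2}$" at RESPONSE_STATUS. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "93"] [id "950100"] [msg "The Application Returned a 500-Level Status Code"]
Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "82"] [id "980140"]
Action: Intercepted (phase 4)
Engine-Mode: "ENABLED"

--b962e37c-Z--

"""

# Constructed access log: quoted request line, then status, with %{UNIQUE_ID}e as
# its own field (an assumed layout). First line reproduces the thread's symptom;
# the second is a transaction where the enforced 403 really went out.
ACCESS_LOG = """\
2017-05-15 14:03:22 UTC 10.0.0.5 example.invalid - "DELETE /api/item/1 HTTP/1.1" 500 168 "-" "curl/7.52.1" WRm1KgoKGoMAAD-yLjgAAABU
2017-05-15 14:03:25 UTC 10.0.0.5 example.invalid - "GET /api/item/2 HTTP/1.1" 403 168 "-" "curl/7.52.1" WRm1LQoKGoMAAD-yLjkAAABV
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)   # e.g. --b962e37c-H--
DENIED_RE = re.compile(r"Access denied with code (\d{3})")
ACCESS_STATUS_RE = re.compile(r'" (\d{3}) ')                   # status right after the request line


@dataclass
class Transaction:
    unique_id: str = ""
    sections: dict = field(default_factory=dict)   # section letter -> body text


def parse_audit_log(text):
    """Split a serial audit log into transactions, keyed by boundary id, then by section letter."""
    txns = {}
    parts = SECTION_RE.split(text)
    # re.split with two groups yields: [pre, boundary, letter, body, boundary, letter, body, ...]
    for i in range(1, len(parts) - 2, 3):
        boundary, letter, body = parts[i], parts[i + 1], parts[i + 2]
        txn = txns.setdefault(boundary, Transaction())
        txn.sections[letter] = body.strip()
        if letter == "A":
            # Section A: "[timestamp] unique_id source_ip source_port dest_ip dest_port"
            txn.unique_id = body.split("]", 1)[1].split()[0]
    return list(txns.values())


def claimed_status(txn):
    """Status ModSecurity claims to have enforced, or None.

    Requires both the 'Access denied' message and 'Action: Intercepted' in section H:
    in DetectionOnly the rule still logs, but nothing is intercepted.
    """
    h = txn.sections.get("H", "")
    m = DENIED_RE.search(h)
    if m and "Action: Intercepted" in h:
        return int(m.group(1))
    return None


def served_status(access_log, unique_id):
    """Status Apache actually wrote to the access log for this unique id, or None if absent."""
    for line in access_log.splitlines():
        if unique_id in line.split():
            m = ACCESS_STATUS_RE.search(line)
            return int(m.group(1)) if m else None
    return None


def find_mismatches(audit_log, access_log):
    """Return [(unique_id, claimed, served)] for transactions ModSecurity says it intercepted
    with one status while Apache logged another (e.g. 403 claimed, 500 served)."""
    mismatches = []
    for txn in parse_audit_log(audit_log):
        claimed = claimed_status(txn)
        if claimed is None:
            continue
        served = served_status(access_log, txn.unique_id)
        if served != claimed:
            mismatches.append((txn.unique_id, claimed, served))
    return mismatches


if __name__ == "__main__":
    for uid, claimed, served in find_mismatches(AUDIT_LOG, ACCESS_LOG):
        print(f"{uid}: ModSecurity intercepted with {claimed}, Apache served {served}")
```

On real hosts, replace the two constants with the contents of the audit log (`SecAuditLog` in serial mode) and the access log, making sure the access log format includes `%{UNIQUE_ID}e`; the unique id is the only key that ties a section-H message to the response Apache really sent, since the status in section F is what ModSecurity intended, not what left the server.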