Hello, ModSecurity has its own custom logging format. This can be changed to JSON in ModSecurity 2.9 and greater. Generally though being able to understand the log typically involves looking at the message that is generated, and occasionally looking at the rule in question if this isn't enough. In this case you have two rules listed. The first rule, 920180, says that 'POST request missing Content-Length Header'. Generally this means that the Content-Length header, which typically specifies how much POST data is present, was not provided. This can be triggered by using non-standard user-agents. All browsers known will provide this value as it is highly suggested by the RFC. This rule can be found here: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/e4e0497be4d598cce0e0a8fef20d1f1e5578c8d0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L292
The next rule you have highlighted is 920270. This indicates that a null byte was passed to a cookie. Null bytes are used in various attacks but are almost always avoided by legit applications. This rule can be found here: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/e4e0497be4d598cce0e0a8fef20d1f1e5578c8d0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L564

To see whole requests when a rule triggers you should enable the audit logging capability. For more details on this please see the following entry in the reference manual: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditEngine

On Thu, Jul 27, 2017 at 7:16 AM, Пацев Антон <patsev.an...@gmail.com> wrote:
> Hello!
> Can someone help with REQUEST-920-PROTOCOL-ENFORCEMENT.conf?
> Used: modsecurity v3 from master, nginx 1.10.2, core rules from github
>
> crs-setup.conf:
> SecDefaultAction "phase:1,log,auditlog,pass"
> SecDefaultAction "phase:2,log,auditlog,pass"
> SecAction \
> "id:900000,\
> phase:1,\
> nolog,\
> pass,\
> t:none,\
> setvar:tx.paranoia_level=1"
> SecAction \
> "id:900110,\
> phase:1,\
> nolog,\
> pass,\
> t:none,\
> setvar:tx.inbound_anomaly_score_threshold=5,\
> setvar:tx.outbound_anomaly_score_threshold=4"
> SecCollectionTimeout 600
> SecAction \
> "id:900990,\
> phase:1,\
> nolog,\
> pass,\
> t:none,\
> setvar:tx.crs_setup_version=302"
>
>
> Log file has:
>
> ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against
> variable `REQUEST_HEADERS:Content-Length' (Value: `0' ) [file
> "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "258"]
> [id "920180"] [rev "1"] [msg "POST request missing Content-Length Header."]
> [data "0"] [severity "4"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy
> "9"] [tag "application-multi"] [tag "language-multi"] [tag
> "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [ref
> "o0,4v0,4"]
>
> ModSecurity: Warning. Matched "Operator `ValidadeByteRange' with parameter
> `1-255' against variable `REQUEST_HEADERS:Cookie' (Value:
> `JSESSIONID=XXXXXXXXXXXXXX; loggedin=true; hash=yyyyyyy; loggedUser=gggggg
> (781 characters omitted)' ) [file
> "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> [line "488"] [id "920270"] [rev "2"] [msg "Invalid character in request
> (null character)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"]
> [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref
> "o185,1o186,1o187,1o188,1o189,1o190,1o191,1o192,1o193,1o194,
> 1o195,1o196,1o197,1o198,1o199,1o200,1o201,1o202,1o313,1o314,
> 1o315,1o316,1o317,1o318,1o319,1o320,1o321,1o322,1o323,1o324,
> 1o325,1o326,1o327,1o328,1o329,1o330,1o331,1o332,1o333,1o334,
> 1o335,1o336,1o337,1o338,1o408,1o409,1o410,1o411,1o412,1o413,
> 1v479,881t:urlDecodeUni"]
>
> How to understand this log? How to write the request to the log?
>
>
>
> --
> Best regards, Anton Patsev.
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
>

--
Chaim Sanders
http://www.ChaimSanders.com
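A small parser for the warning format quoted in this thread, added here as an example (it is not code from the thread or from the ModSecurity project): it pulls the operator, variable and matched value plus the bracketed id/msg/severity/tag fields out of each "ModSecurity: Warning." line so a batch of them can be triaged by rule id and severity. The sample lines are the thread's two warnings re-joined onto single lines and shortened, and the severity names follow ModSecurity's numeric scale (0 = EMERGENCY ... 7 = DEBUG).

```python
import re

# Numeric severities used in the [severity "n"] field of CRS 3.0 rules.
SEVERITY_NAMES = {"0": "EMERGENCY", "1": "ALERT", "2": "CRITICAL", "3": "ERROR",
                  "4": "WARNING", "5": "NOTICE", "6": "INFO", "7": "DEBUG"}

# Free-text part: Matched "Operator `X' with parameter `P' against variable `V' (Value: `...' )
MATCHED_RE = re.compile(
    r"""Matched "Operator `(?P<operator>[^']*)' with parameter `(?P<parameter>[^']*)' """
    r"""against variable `(?P<variable>[^']*)' \(Value: `(?P<value>.*?)' \)""")
# Bracketed [key "value"] fields that follow; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')

def parse_modsec_warning(line: str) -> dict:
    """Turn one 'ModSecurity: Warning.' line into a dict; repeated [tag] fields become a list."""
    fields = {"tags": []}
    match = MATCHED_RE.search(line)
    if match:
        fields.update(match.groupdict())
    for field in FIELD_RE.finditer(line):
        key, val = field.group("key"), field.group("val")
        if key == "tag":
            fields["tags"].append(val)
        else:
            fields[key] = val
    fields["severity_name"] = SEVERITY_NAMES.get(fields.get("severity", ""), "UNKNOWN")
    return fields

def summarize(lines):
    """One (rule id, severity name, variable, msg) row per warning; other log lines are skipped."""
    rows = []
    for line in lines:
        if "ModSecurity: Warning." in line:
            f = parse_modsec_warning(line)
            rows.append((f.get("id"), f["severity_name"], f.get("variable"), f.get("msg")))
    return rows

# Constructed sample: the thread's two warnings on single lines, cookie value and [ref ...] shortened.
SAMPLE_LOG = [
    '''ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable '''
    '''`REQUEST_HEADERS:Content-Length' (Value: `0' ) [file "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '''
    '''[line "258"] [id "920180"] [rev "1"] [msg "POST request missing Content-Length Header."] [data "0"] '''
    '''[severity "4"] [ver "OWASP_CRS/3.0.0"] [tag "attack-protocol"] [tag "CAPEC-272"] [ref "o0,4v0,4"]''',
    '''ModSecurity: Warning. Matched "Operator `ValidadeByteRange' with parameter `1-255' against variable '''
    '''`REQUEST_HEADERS:Cookie' (Value: `JSESSIONID=XXXXXXXXXXXXXX; loggedin=true (781 characters omitted)' ) '''
    '''[file "/etc/nginx/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "488"] [id "920270"] [rev "2"] '''
    '''[msg "Invalid character in request (null character)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"] '''
    '''[tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref "o185,1v479,881t:urlDecodeUni"]''',
]
```

Running `summarize(SAMPLE_LOG)` yields one row per warning; the same function works over a whole nginx error_log, since non-ModSecurity lines are ignored.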