Re: [Owasp-modsecurity-core-rule-set] No rule-id in audit/error log with Nginx and MS3/CRS3

Glad that's solved. Thanks for the update!

Christian

On Fri, Nov 25, 2016 at 11:21:04AM +0100, Muenz, Michael wrote:
> On 24.11.2016 at 17:37, Christian Folini wrote:
> >On Thu, Nov 24, 2016 at 05:02:43PM +0100, Muenz, Michael wrote:
> >>SecAuditLogParts ABIJDEFHZ
> >It's a little known detail that Audit Log Parts need to be set
> >in alphabetic order. But I do not think this is the problem here.
> >
> >For me, this sounds like a ModSec/NginX bug - unless you have some other
> >base config which tweaks the audit log in the said fashion. But I
> >do not see how you could.
> >
> >So to me, this is not a CRS problem, but a ModSec on NginX problem.
> >
>
> LogParts is the default from modsecurity.conf.
> Yesterday Nginx updated their guide for the current version, now
> everything gets logged.
> It's a bug/change in the MS-Nginx connector where everything is
> logged with info severity.
>
> Thanks,
> Michael

___
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Re: [Owasp-modsecurity-core-rule-set] No rule-id in audit/error log with Nginx and MS3/CRS3

On Thu, Nov 24, 2016 at 05:02:43PM +0100, Muenz, Michael wrote:
> SecAuditLogParts ABIJDEFHZ

It's a little known detail that Audit Log Parts need to be set
in alphabetic order. But I do not think this is the problem here.

For me, this sounds like a ModSec/NginX bug - unless you have some other
base config which tweaks the audit log in the said fashion. But I
do not see how you could.

So to me, this is not a CRS problem, but a ModSec on NginX problem.

Next step would be to remove the complete CRS and then copy the said
rule into the remaining config. And then you change the rule action
from pass to deny and give it another shot.

> What I changed in crs-setup.conf was:
>
> SecDefaultAction "phase:1,log,auditlog,deny,status:403"
> SecDefaultAction "phase:2,log,auditlog,deny,status:403"
>
> ... instead of the default.

That is perfectly OK configuration-wise (outside of the fact that
anomaly scoring mode is the default for a good reason. Unless you have
thought about this a lot and you really know what you are doing, I
suggest you stay in anomaly scoring mode).

Ahoj,

Christian

--
You don't have to be great to start, but you have to start to be great.
-- Zig Ziglar

Re: [Owasp-modsecurity-core-rule-set] No rule-id in audit/error log with Nginx and MS3/CRS3

On 24.11.2016 at 16:59, Christian Folini wrote:
> The interesting bit, the H part is empty. That is very odd.
>
> What is your SecAuditLogParts setting? Maybe you remove it for a test
> so it reverts to the default which should bring you the H audit log part.
>
> Ahoj,
>
> Christian

SecAuditLogParts ABIJDEFHZ

What I changed in crs-setup.conf was:

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

... instead of the default.

Thanks,
Michael
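
Added example, not part of the original thread or of ModSecurity/CRS: a Python check for the symptom discussed above, an audit log whose H part is empty or carries no rule id. The two boundary formats, the function names and the sample log (including rule id 100001) are assumptions constructed for illustration.

```python
import re

# Part boundary of a serial audit log. Assumption: ModSecurity 2 writes
# "--<id>-H--" and libmodsecurity 3 writes "---<id>---H--"; both are accepted.
BOUNDARY = re.compile(r"^-{2,3}([A-Za-z0-9]+)-{1,3}([A-Z])--\s*$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')

# Constructed sample: first transaction has an empty H part, second has a match.
SAMPLE = """\
---Ab12Cd34---A--
[24/Nov/2016:17:02:43 +0100] 1480003363 192.0.2.10 51000 192.0.2.1 80
---Ab12Cd34---B--
GET /?probe=1 HTTP/1.1
---Ab12Cd34---H--
---Ab12Cd34---Z--
---Ef56Gh78---A--
[24/Nov/2016:17:03:10 +0100] 1480003390 192.0.2.10 51002 192.0.2.1 80
---Ef56Gh78---H--
ModSecurity: Access denied with code 403 (phase 1). [id "100001"] [msg "constructed test rule"]
---Ef56Gh78---Z--
"""

def parse_audit_log(text):
    """Return {transaction id: {part letter: [non-blank lines]}}."""
    txs, part = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = txs.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif part is not None and line.strip():
            part.append(line)
    return txs

def check_h_parts(text):
    """Classify each transaction by what its H part says about rule matches."""
    report = {}
    for tx, parts in parse_audit_log(text).items():
        if "H" not in parts:
            report[tx] = ("no-H-part", [])       # H not in SecAuditLogParts
        elif not parts["H"]:
            report[tx] = ("empty-H-part", [])    # the symptom in this thread
        else:
            ids = RULE_ID.findall("\n".join(parts["H"]))
            report[tx] = ("ok" if ids else "H-without-rule-id", ids)
    return report

if __name__ == "__main__":
    for tx, (status, ids) in check_h_parts(SAMPLE).items():
        print(tx, status, ids)
```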