Hello everybody,
I'm currently setting up modsecurity-crs in a kubernetes environment.
I'm currently using the docker image modsecurity-crs:3.3-nginx on our development version with paranoia level 1 and the following settings:
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCDEFGHIJKZ # log all parts
SecAuditLogType HTTPS # logger https
SecAuditLog http://x.x.x.x:x # URL logstash
My crs-setup.conf is like this:
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
SecAction "id:900200,phase:1,nolog,pass,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PATCH DELETE'"
SecAction "id:900230,phase:1,nolog,pass,t:none,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
SecCollectionTimeout 600
This configuration works well: I receive the logs of false positives in my ELK without blocking requests.
If I contact you, it's about two points that I can't get to work:
1- activate blocking in Anomaly Scoring mode while keeping the logs in the ELK.
2- block with HTTP status 412 instead of 403.
1- In the current configuration, when I change SecRuleEngine DetectionOnly to SecRuleEngine On, the blocking becomes effective and bad requests get a 403, but no more logs are transmitted to my ELK, and if I try to log with these parameters
SecAuditLogType Serial
SecAuditLogFormat JSON
SecAuditLog /var/log/modsec_audit.log
it's the same: the file is never fed and remains empty.
Have you ever encountered this problem? Is it a configuration error?
2- For the second point, where I wish to block with a 412, I modify the file RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, which I place in the rules directory, with the following configuration:
SecRuleUpdateActionById 949110 "t:none,deny,log,auditlog,status:412"
SecRuleUpdateActionById 959100 "t:none,deny,log,auditlog,status:412"
Requests seem to be correctly blocked with a 412 status, but since I don't have a log, I can't check whether I'm still in Anomaly Scoring mode.
Is this the right way to change the failure status for all requests blocked by ModSecurity-CRS?
I hope I'm in the right place to ask my questions.
Thank you in advance to the people who will take the time to read me.
Have a nice day.
Johan
Translated with www.DeepL.com/Translator (free version)
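The post's second worry is not being able to confirm, from the logs, that requests are still being blocked by the anomaly-scoring rules (949110 inbound, 959100 outbound) with the intended status. The following is an added example, not code from the post or from the CRS project: a small Python triage script that reads ModSecurity v3 audit-log entries in the JSON format the post enables (SecAuditLogFormat JSON) and, for each transaction, reports the engine mode, the response status, whether a blocking rule fired and the total anomaly score it reported. It assumes the libmodsecurity v3 JSON layout (transaction.producer.secrules_engine, transaction.response.http_code, transaction.messages[].details.ruleId); the two audit-log entries embedded below are constructed samples, not real captures.

```python
"""Triage ModSecurity v3 JSON audit-log entries for CRS anomaly-scoring blocking.

Added example, not from the original post. Assumes the libmodsecurity v3 JSON
audit-log layout (transaction.producer.secrules_engine, transaction.response.http_code,
transaction.messages[].details.ruleId) and the CRS 3.3 blocking rule ids 949110
(inbound) and 959100 (outbound) named in the post. The sample entries are constructed.
"""
import json
import re

# CRS 3.3 anomaly-scoring blocking rules: 949110 evaluates the inbound score,
# 959100 the outbound score (ids taken from the post above).
BLOCKING_RULES = {"949110": "inbound", "959100": "outbound"}
SCORE_RE = re.compile(r"Total Score:\s*(\d+)")

# Constructed sample: two audit-log entries in the v3 JSON format, one JSON object per line.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"transaction": {
        "unique_id": "164500000001.000001",
        "client_ip": "192.0.2.10",
        "request": {"method": "GET", "uri": "/search?q=%27%20OR%201%3D1--"},
        "response": {"http_code": 412},
        "producer": {"secrules_engine": "Enabled"},
        "messages": [
            {"message": "SQL Injection Attack Detected via libinjection",
             "details": {"ruleId": "942100", "severity": "2"}},
            {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
             "details": {"ruleId": "949110", "severity": "2"}},
        ]}}),
    json.dumps({"transaction": {
        "unique_id": "164500000002.000002",
        "client_ip": "192.0.2.11",
        "request": {"method": "POST", "uri": "/api/items"},
        "response": {"http_code": 200},
        "producer": {"secrules_engine": "DetectionOnly"},
        "messages": [
            {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
             "details": {"ruleId": "949110", "severity": "2"}},
        ]}}),
])


def summarize_entry(line):
    """Reduce one audit-log line to the fields needed to confirm anomaly-scoring blocking."""
    tx = json.loads(line)["transaction"]
    summary = {
        "id": tx.get("unique_id"),
        "client_ip": tx.get("client_ip"),
        "uri": tx.get("request", {}).get("uri"),
        "engine": tx.get("producer", {}).get("secrules_engine"),  # "Enabled" / "DetectionOnly"
        "http_code": tx.get("response", {}).get("http_code"),
        "blocking_rule": None,   # 949110 / 959100 if the score threshold was crossed
        "total_score": None,     # parsed from the blocking rule's message text
        "matched_rules": [],     # every rule id that produced a message
    }
    for msg in tx.get("messages", []):
        rule_id = msg.get("details", {}).get("ruleId")
        summary["matched_rules"].append(rule_id)
        if rule_id in BLOCKING_RULES:
            summary["blocking_rule"] = rule_id
            m = SCORE_RE.search(msg.get("message", ""))
            if m:
                summary["total_score"] = int(m.group(1))
    return summary


def classify(summary, expected_block_status=412):
    """Explain what the entry shows about blocking mode.

    'blocked'        : engine on, threshold crossed, response carries the block status
    'detected-only'  : threshold crossed but the engine is DetectionOnly (request passed)
    'no-block'       : threshold crossed, engine on, but the response status is unexpected
    'below-threshold': rules matched but the anomaly score never reached the limit
    """
    if summary["blocking_rule"] is None:
        return "below-threshold"
    if summary["engine"] == "DetectionOnly":
        return "detected-only"
    if summary["http_code"] == expected_block_status:
        return "blocked"
    return "no-block"


def triage(audit_log_text, expected_block_status=412):
    """Return one (summary, verdict) pair per non-empty audit-log line."""
    results = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        s = summarize_entry(line)
        results.append((s, classify(s, expected_block_status)))
    return results


if __name__ == "__main__":
    for s, verdict in triage(SAMPLE_AUDIT_LOG):
        print(f"{s['id']} {s['client_ip']} {s['uri']} engine={s['engine']} "
              f"status={s['http_code']} score={s['total_score']} -> {verdict}")
```

Run against a real /var/log/modsec_audit.log (one JSON object per line in Serial mode), a stream of "no-block" verdicts with a 403 status would show that the SecRuleUpdateActionById override is not being applied, while "detected-only" verdicts show the engine is still in DetectionOnly; both checks depend on the audit log actually being written, which is the first problem the post describes.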