Hi Sudharshan,
It looks really odd. Can you show the full debug log so we can also see the
initialization of variables? Thank you.
azurit
Quoting Sudharshan K S <kssudhar...@gmail.com>:
> Hi team,
>
> I'm using CRS v3.3.2 with ModSecurity v2.9.3 and Apache v2.4.41.
>
> I've tried including CRS configuration and rules (i.e., Include
> /path/to/crs-setup.conf; Include /path/to/coreruleset/rules/*.conf) inside
> a vhost and it functions as expected.
>
> Now, I'm experimenting to include the CRS configuration and the rules
> inside a Location and If directives. I ran into a few issues related to the
> directives SecGeoLookupDB and SecComponentSignature as they don't support
> Location/If scopes. I've moved them to the global scope. After that, when I
> run *apache2ctl -t*, it doesn't report any errors and Apache starts
> successfully. But I see that the functionality is broken, and all the
> requests, even the malformed ones, pass through. Specifically, I observed
> that the variables related to anomaly scores (maybe others too) are not
> getting initialized.
>
> The following are the test cases:
> *Case 1:*
> *Case 2:*
> vhost - example1.com
> --- for /path1/* - Use ruleset R1
> --- for /path2/* - Use ruleset R2
> *Note:* *Case 1 works as expected, while in Case 2 the WAF functionality
> fails*.
>
> The following is the *Apache configuration* snippet for Case 2:
> ```
> <Location "/path1/">
>     Include /path/to/R1/coreruleset/crs-setup.conf
>     Include /path/to/R1/coreruleset/coreruleset/rules/*.conf
>     ProxyPass http://localhost:8000/
>     ProxyPassReverse http://localhost:8000/
> </Location>
> <Location "/path2/">
>     Include /path/to/R2/coreruleset/crs-setup.conf
>     Include /path/to/R2/coreruleset/coreruleset/rules/*.conf
>     ProxyPass http://localhost:8001/
>     ProxyPassReverse http://localhost:8001/
> </Location>
> ```
>
> *Logs for Case 2:*
> To test Case 2, the apache configuration was set up as shown above. The
> allowed method was set to POST in the R1 CRS ruleset. A GET request was
> sent which should've ideally been blocked by Modsec. The error logs are
> written stating that the request method is not allowed but the response was
> sent back with a 200 status code instead of 403. The Rule engine was in the
> block mode (On) throughout.
>
> Here are the logs. Please notice that the anomaly score is empty.
>
> *Error Logs*
> ```
> example1.com [2024-03-05 15:40:01.239039] [-:error] 127.0.0.1:54860 Zebveaqkyd1jeHzTAI5-jgAAABY [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/path/to/R1/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy. Anamoly score = "] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "example1.com"] [uri "/path1/"] [unique_id "Zebveaqkyd1jeHzTAI5-jgAAABY"]
> ```
>
> *Debug logs*
> ```
> <...snip...>
> [01/Mar/2024:13:03:56 +0530] [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][4]
> [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][5] Rule 7f53a4003198: SecRule "REQUEST_METHOD" "!@within %{tx.allowed_methods}" "phase:2,log,auditlog,id:911100,block,msg:'Method is not allowed by policy',logdata:%{MATCHED_VAR},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-generic,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/210/272/220/274,tag:PCI/12.1,ver:OWASP_CRS/3.3.2,severity:CRITICAL,setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
> [01/Mar/2024:13:03:56 +0530] [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][4]
> [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][4]
> [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][9]
> [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][4]
> [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][9]
> [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][9]
> [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][9]
> [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][9] Set
> [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][9]
> [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/path/to/R1/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"]
> [01/Mar/2024:13:03:56 +0530] [example1.com/sid#7f53a23373b8][rid#7f53a7b4b0a0][/path1/][4] Rule returned 1.
> <...snip...>
> ```
> I also noticed that the variable *tx.critical_anomaly_score* is not getting
> initialized at all.
>
> Please let me know what I'm missing here.
>
> Thanks in advance.
>
> Regards
> Sudharshan K S
>
> --
> You received this message because you are subscribed to the Google Groups "ModSecurity Core Rule Set project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to modsecurity-core-rule-...@owasp.org.
> To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/CAKtqziMPdOTatHGdv2M0OpRQMuB%3DS-6Ydm9AAjJYnokhKivnQQ%40mail.gmail.com.
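An added diagnostic, not code from the post or from the CRS project: it parses ModSecurity 2.x error-log entries like the one quoted above, groups them by unique_id, and flags the two symptoms Sudharshan describes, a msg whose %{tx.*} macro expanded to nothing and a request that was scored but never received an "Access denied" from the CRS blocking-evaluation rule. Both sample lines are constructed; the first mirrors the quoted entry, the second is an invented healthy block by rule 949110 (an id assumed from CRS 3.x) for contrast.

```python
import re
from collections import defaultdict

# Constructed samples: the first mirrors the entry quoted in the post (placeholder
# host, paths, ids); the second is a made-up request that CRS rule 949110 denied.
SAMPLE_ERROR_LOG = [
    '[2024-03-05 15:40:01.239039] [-:error] 127.0.0.1:54860 Zebveaqkyd1jeHzTAI5-jgAAABY '
    '[client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" '
    'against "REQUEST_METHOD" required. [file "/path/to/R1/coreruleset/rules/'
    'REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is '
    'not allowed by policy. Anamoly score = "] [data "GET"] [severity "CRITICAL"] '
    '[tag "application-multi"] [tag "paranoia-level/1"] [hostname "example1.com"] '
    '[uri "/path1/"] [unique_id "Zebveaqkyd1jeHzTAI5-jgAAABY"]',
    '[2024-03-05 15:41:07.000000] [-:error] 127.0.0.1:54861 CONSTRUCTED-OK-ID '
    '[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator '
    'GE matched 5 at TX:anomaly_score. [file "/path/to/R1/coreruleset/rules/'
    'REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly '
    'Score Exceeded (Total Score: 5)"] [uri "/path1/"] [unique_id "CONSTRUCTED-OK-ID"]',
]

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] fields
ENGINE_RE = re.compile(r'ModSecurity: (.*?) \[(?:file|id|msg) ')  # verdict text

def parse_entry(line):
    """Parse one ModSecurity 2.x error-log entry; repeated 'tag' fields become a list."""
    entry = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)
        else:
            entry[key] = value
    m = ENGINE_RE.search(line)
    entry["engine_msg"] = m.group(1) if m else ""
    return entry

def diagnose(lines):
    """Per unique_id: flag an empty %{tx.*} macro in msg, and a scored request never denied."""
    per_request = defaultdict(list)
    for e in map(parse_entry, lines):
        per_request[e.get("unique_id", "?")].append(e)
    findings = {}
    for uid, entries in per_request.items():
        notes = []
        for e in entries:
            if re.search(r"=\s*$", e.get("msg", "")):  # macro resolved to nothing
                notes.append(f"rule {e.get('id')}: tx.* macro in msg expanded empty")
        if not any(e["engine_msg"].startswith("Access denied") for e in entries):
            notes.append("no 'Access denied' entry: blocking-evaluation rule never denied this request")
        findings[uid] = notes
    return findings
```

Feed the lines of the real Case 2 error log to diagnose(); every unique_id with non-empty notes is a request where rules fired but scoring did not lead to a block.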