Problem of "Rule action" at Phase H #1592

Closed
edward-02020 opened this issue Oct 17, 2017 · 7 comments
Comments

@edward-02020

Hi ~

I have compiled libmodsecurity v3. When requests were blocked with SecRuleEngine On:

---w26BhY4m---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/data/webserver/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: host found within ARGS:sdfsdf: 1' or '1"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [ref "v711,8t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:removeComments"]

The rule action is "Warning", but I guess it should be "Access denied with code"?
Reference resources in waf-fle:

$ActionStatus[0]  = "Access denied with connection close"; // action: Drop
$ActionStatus[1]  = "Access denied with code";             // action: Deny
$ActionStatus[2]  = "Access denied with redirection";      // action: Redirect
$ActionStatus[3]  = "Access denied using proxy to";        // action: Proxy
$ActionStatus[10] = "Access allowed";                      // action: Allow
$ActionStatus[11] = "Access to phase allowed";
$ActionStatus[12] = "Access to request allowed";
$ActionStatus[13] = "Paused Access";                       // action: Pause
$ActionStatus[14] = "Pausing transaction for";             // action: Pause
$ActionStatus[20] = "Warning";                             // action: Pass or Detection Only
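An added example (mine, not code from the issue, from libmodsecurity or from waf-fle) that parses a section-H line like the one quoted above and maps its leading status text onto the waf-fle $ActionStatus indices listed in the post. The sample line is a trimmed copy of the one in the report, and the prefix table is assumed from the snippet above.

```python
import re

# Constructed sample: the Phase H line from the report, shortened to the fields needed here.
SAMPLE_H_LINE = (
    'ModSecurity: Warning. detected SQLi using libinjection. '
    '[file "/data/webserver/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "17"] '
    '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    '[severity "2"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]'
)

# Leading status text -> waf-fle $ActionStatus index (assumed from the snippet quoted above).
ACTION_STATUS = {
    "Access denied with connection close": 0,
    "Access denied with code": 1,
    "Access denied with redirection": 2,
    "Access denied using proxy to": 3,
    "Access allowed": 10,
    "Access to phase allowed": 11,
    "Access to request allowed": 12,
    "Paused Access": 13,
    "Pausing transaction for": 14,
    "Warning": 20,
}

# One bracketed field: [key "value"], where value may contain escaped quotes.
_FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_h_line(line):
    """Parse one 'ModSecurity: ...' audit-log section H line.

    Returns (status_index, message_head, fields) or None for a non-ModSecurity line.
    Repeated keys such as [tag ...] are collected into a list in order of appearance.
    """
    if not line.startswith("ModSecurity: "):
        return None
    body = line[len("ModSecurity: "):]
    status_index = None
    for prefix, index in ACTION_STATUS.items():
        if body.startswith(prefix):
            status_index = index
            break
    head = body.split("[", 1)[0].strip()
    fields = {}
    for key, value in _FIELD_RE.findall(body):
        fields.setdefault(key, []).append(value)
    return status_index, head, fields


def is_blocking(status_index):
    """True only for the denial statuses (indices 0-3); a Warning (20) merely raises the anomaly score."""
    return status_index is not None and status_index <= 3
```

With the page's line, is_blocking() is False, which is exactly the discrepancy the report describes: the request was answered with 403 while section H still reported a Warning.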
@edward-02020 edward-02020 changed the title Rule action problem Problem of "Rule action" at Phase H Oct 17, 2017
@edward-02020
Author

edward-02020 commented Oct 17, 2017

And when SecAuditEngine is set to On, all requests seem to have been warned at Phase H. But that's not the case.

@zimmerle zimmerle self-assigned this Oct 17, 2017
@zimmerle
Contributor

Hi @nobodysz,

What is your SecDefaultAction status for this phase? Notice that this specific rule may not have got the request blocked; instead it may have increased the anomaly_score.

@zimmerle zimmerle reopened this Oct 17, 2017
@zimmerle zimmerle added this to the v3.0.0 feature complete milestone Oct 17, 2017
@edward-02020
Author

Hi @zimmerle,
This is my SecDefaultAction conf:

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

@zimmerle
Contributor

As of 39fb75c this issue is partially solved. Notice that the error code is not yet filled. Working on it ...

@edward-02020
Author

edward-02020 commented Oct 18, 2017

@zimmerle thank you for your reply.
Now I have updated to 39fb75c, and Phase H for a non-malicious request is blank.
But I can't understand why the action is Warning, not Access denied with code, when malicious requests are blocked with code 403?

@zimmerle
Contributor

As of 34e8b14 the behavior is the same [or very close] as ModSec 2.x on Apache.

@edward-02020
Author

@zimmerle Thanks for fixing it. I upgraded my version and it's normal.
