堆栈内存溢出
  简体   繁体   English

为什么带有 OWASP-CRS 的 NGINX 不能正确记录警报?

[英]Why NGINX with OWASP-CRS do not log alerts properly?

 原文  2020-02-04 16:18:28       nginx/ owasp/ mod-security

问题描述

I have problem with logging alerts from OWASP-CRS.我在记录来自 OWASP-CRS 的警报时遇到问题。 For example, I make request:例如,我提出请求:

https://host?exec=bin/bash

Mod security blocked this request properly, but in error logs i have just one alert: Mod security 正确阻止了此请求,但在错误日志中我只有一个警报:

2020/02/04 16:51:34 [error] x#x: *x [client xxxx] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `4' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "xxxx"] [uri "/"] [unique_id "8bbf3c25ee6f151f5fc09df9f11492db"] [ref ""], client: xxxx, server: localhost, request: "GET ?exec=bin/bash HTTP/1.1", host: "host"

When I switch from Anomaly Mode to Self-Contained mode I have more detailed alert:当我从异常模式切换到独立模式时,我有更详细的警报:

2020/02/04 16:52:38 [error] xxx#xxx: *xxx [client xxxx] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `bin/bash' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "xxxx"] [uri "/"] [unique_id "401e59ce6bfbc7e6b2b98bcd65bfd64e"] [ref "o0,8v20,8t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"], client: xxx, server: localhost, request: "GET /?exec=bin/bash HTTP/1.1", host: "host"

Why when Anomaly Mode is selected, I have no alert like above?为什么选择异常模式时,我没有像上面那样的警报?

nginx: 1.16.1 owasp-crs: 3.2.0 nginx-connector: 1.1.0 nginx: 1.16.1 owasp-crs: 3.2.0 nginx-connector: 1.1.0

1 个解决方案

解决方案1
 0  2020-09-02 10:26:39

the reason is that audit logging is broken in the 1.1.0 connector for any disruptive action.原因是审计日志在 1.1.0 连接器中因任何破坏性操作而被破坏。 A fix ( https://github.com/SpiderLabs/ModSecurity-nginx/pull/175 ) is still yet to be released.修复程序( https://github.com/SpiderLabs/ModSecurity-nginx/pull/175 )仍未发布。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用NGINX的WAF owasp modsecurity crs中“尚不支持SecCollectionTimeout” - “SecCollectionTimeout is not yet supported” in WAF owasp modsecurity crs with NGINX owasp-modsecurity-crs已检测到但未拒绝该请求 - owasp-modsecurity-crs detected but not deny the request 如何在Logstash中正确使用Nginx自定义日志 - How to use nginx custom log with logstash properly 如何防止 owasp/modsecurity Docker 容器覆盖我的 nginx.conf - How do I prevent owasp/modsecurity Docker container from overwriting my nginx.conf nginx:为什么没有重定向位置的访问日志 - nginx: why no access log for rediect location 为什么 nginx access.log 失败? - Why is nginx access.log failing? 如果Nginx错误日志中有可疑条目,该怎么办 - What to do if there are suspicious entries in nginx error log 如何按日期分割Nginx error.log? - How do i can split nginx error.log by date? Chef为什么不能正确地重新加载我的Nginx和Tomcat文件? - Why isn't Chef reloading my Nginx & Tomcat file properly? 删除NGINX日志后,如何重新启动日志记录? - How do you restart logging after deleting an NGINX log?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM