Hi
I’ve set up my Nginx with ModSecurity and it is working well. Attacks detected are logged to Nginx’s error log, but it seems (according to cscli explain) that those entries are not recognized by the modsecurity parser.
In the collection is a statement saying that the modsecurity collection has not been tested with nginx so far…
This is one of the log entries I would expect to be recognized by the parser, but isn’t:
2022/03/20 09:52:40 [error] 23#23: *1220 [client fd42:0:0:41::21a] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.0.2.100"] [uri "/"] [unique_id "1647769960"] [ref ""], client: fd42:0:0:41::21a, server: , request: "GET / HTTP/1.1", host: "xxx.yyyy.ch"
Can someone help or point me in the right direction?
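As an added illustration (not code from the original post, and not CrowdSec's own parser), here is a small Python parser for the nginx + libmodsecurity error-log line format quoted above, pulling out the rule id, message, tags, client and request that any parser has to recover from such a line, plus a per-client count of "Access denied" verdicts. The sample lines are constructed; the shape of the non-blocking "Warning." line and the rule id used in it are assumptions.

```python
import re
# Constructed samples modelled on the nginx + libmodsecurity error-log line quoted in the post.
DENY = ('2022/03/20 09:52:40 [error] 23#23: *1220 [client fd42:0:0:41::21a] ModSecurity: '
        'Access denied with code 403 (phase 2). Matched "Operator `Ge\' with parameter `5\' '
        'against variable `TX:ANOMALY_SCORE\' (Value: `5\' ) [file "/etc/modsecurity.d/owasp-crs/'
        'rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] '
        '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] '
        '[ver "OWASP_CRS/3.3.2"] [tag "modsecurity"] [tag "attack-generic"] [hostname "10.0.2.100"] '
        '[uri "/"] [unique_id "1647769960"] [ref ""], client: fd42:0:0:41::21a, server: , '
        'request: "GET / HTTP/1.1", host: "xxx.yyyy.ch"')
# Assumed shape of a non-blocking rule hit (no "with code"/"(phase N)"), and a plain nginx error.
WARN = ('2022/03/20 09:52:40 [error] 23#23: *1220 [client fd42:0:0:41::21a] ModSecurity: Warning. '
        'Matched "Operator `Rx\' with parameter `x\' against variable `ARGS:q\' (Value: `x\' ) '
        '[id "913100"] [msg "constructed warning"] [severity "2"] [tag "attack-generic"], '
        'client: fd42:0:0:41::21a, server: , request: "GET /?q=x HTTP/1.1", host: "xxx.yyyy.ch"')
OTHER = ('2022/03/20 09:53:01 [error] 23#23: *1221 open() "/usr/share/nginx/html/favicon.ico" '
         'failed (2: No such file or directory), client: 10.0.2.7, server: , '
         'request: "GET /favicon.ico HTTP/1.1", host: "xxx.yyyy.ch"')

HEAD_RE = re.compile(r'^(?P<time>\S+ \S+) \[\w+\] \d+#\d+: \*\d+ \[client (?P<client>[^\]]+)\] '
                     r'ModSecurity: (?P<action>[^.]*?)(?: with code (?P<code>\d+))?'
                     r'(?: \(phase (?P<phase>\d)\))?\. ')   # code/phase only on blocking lines
KV_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')   # the [key "value"] rule fields
TAIL_RE = re.compile(r', request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)"$')

def parse_modsec_nginx(line):
    """Split one ModSecurity line from the nginx error log into fields; None if not ModSecurity."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    ev = head.groupdict()
    ev['tags'] = []                      # [tag "..."] repeats, so collect it as a list
    for key, val in KV_RE.findall(line):
        if key == 'tag':
            ev['tags'].append(val)
        else:
            ev[key] = val
    tail = TAIL_RE.search(line)
    if tail:
        ev.update(tail.groupdict())
    return ev

def denied_per_client(lines):
    """Count 'Access denied' verdicts per client: the raw signal a blocking scenario keys on."""
    counts = {}
    for line in lines:
        ev = parse_modsec_nginx(line)
        if ev and ev['action'] == 'Access denied':
            counts[ev['client']] = counts.get(ev['client'], 0) + 1
    return counts
```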
OK, it seems as if the parser works, but the scenario is not triggering a notification to LAPI.
Need to look deeper.
Question: nginx and modsecurity share the error.log, but access.log is only used by nginx.
So how do I define acquis.yaml?
filenames:
  - /var/log/nginx/*.log
labels:
  type: nginx modsecurity
or
filenames:
  - /var/log/nginx/*.log
labels:
  type: nginx
---
filenames:
  - /var/log/nginx/error.log
labels:
  type: modsecurity
or
filenames:
  - /var/log/nginx/access.log
labels:
  type: nginx
---
filenames:
  - /var/log/nginx/error.log
labels:
  type: nginx modsecurity
Hello @ne20002 ,
It is not really optimal, but currently the only way to make this work is to have this in your acquis.yaml file:
filenames:
  - /var/log/nginx/*.log
labels:
  type: nginx
---
filenames:
  - /var/log/nginx/error.log
labels:
  type: modsecurity
Hi,
Are those settings still valid almost 1.5 years later?
Is there a better way to get ModSecurity and CS to communicate?
Thanks…
iiAmLoz
October 23, 2023, 11:15am
Yes, they are valid, and since ModSecurity only logs to error logs, that is the only valid configuration.
Thank you Loz…
I’ve set up the above mentioned file, acquis.yaml, as explained. What else should I need to do, because it seems like CS is not pulling the guns? Thanks…
Then best to open a new ticket, outlining what issues you are facing, as the OP of this one has already had a resolution.