ARGS_POST not working

[cyberblackhole]

Hi,

I'm trying to block post requests as seen below. But its not blocking them. SecRequestBodyAccess is set to On.

SecRule ARGS|ARGS_POST:username "example" "id:12312,deny,phase:1,auditlog,msg:'Blocked Username example'"

Below is my example.conf file

<VirtualHost *:80>
        ServerAdmin admin@example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/example.com/public_html
        ErrorLog ${APACHE_LOG_DIR}/errorexample.log
        CustomLog ${APACHE_LOG_DIR}/accessexample.log combined
        ProxyPreserveHost On
        ProxyRequests Off

        <IfModule security3_module>
                modsecurity_rules 'SecRuleEngine On'
                modsecurity_rules_file "/etc/apache2/modsecurity.d/include.conf"
                modsecurity_rules 'SecRequestBodyAccess On'
                modsecurity_rules 'SecResponseBodyAccess On'
                modsecurity_rules 'SecAuditLogFormat JSON'
                modsecurity_rules 'SecTmpSaveUploadedFiles On'
        </IfModule>

        ProxyPass / http://test.com:8080/
        ProxyPassReverse / http://test.com:8080/
        modsecurity_rules "SecAuditLog ${APACHE_LOG_DIR}/auditexample.log"
</VirtualHost>

Below is my modsecurity.conf file

SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /tmp/
SecDataDir /tmp/
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile unicode.mapping 20127
SecStatusEngine On

Let me know what is wrong

[victorhora]

From your logs I understand that you're running libModSecurity with the ModSecurity-apache connector right?

If that's so, there's a known issue where the body is attached too late for processing. See owasp-modsecurity/ModSecurity-apache#37.

You might want to give it a try with pull request owasp-modsecurity/ModSecurity-apache#22. This should allow inspection on the body but it's still experimental.