SecRuleEngine ignore DetectionOnly #1960

Closed
Description

@theMiddleBlue

Describe the bug
It seems that the latest v3/master completely ignores the DetectionOnly SecRuleEngine configuration. When a rule matches, I always get the default disruptive action even if SecRuleEngine is set to DetectionOnly… in the debug logs I can see the "deny" action.

Logs and dumps
debug log

[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 932150) Executing operator "Rx" with param "[...cut...]" against XML:/*.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "a" (Variable: ARGS_NAMES:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "exec(/bin/bash);" (Variable: ARGS:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 0.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars cleaned.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 932160) Executing operator "PmFromFile" with param "unix-shell.data" against XML:/*.
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:urlDecodeUni: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:cmdLine: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:normalizePath: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:lowercase: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "a" (Variable: ARGS_NAMES:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:urlDecodeUni: "exec(/bin/bash);"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:cmdLine: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:normalizePath: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:lowercase: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "exec(/bin/bash) " (Variable: ARGS:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [7] Added pm match TX.0: bin/bash
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars updated.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:msg with value: Remote Command Execution: Unix Shell Code Found
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:rce_score with value: 5
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:anomaly_score_pl1 with value: 5
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:-OWASP_CRS/WEB_ATTACK/RCE-ARGS:a with value: bin/bash
[154281330544.076301] [/?a=exec(/bin/bash);] [9] This rule severity is: 2 current transaction is: 2
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Saving msg: Remote Command Execution: Unix Shell Code Found
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 1.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: log
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Saving transaction to logs
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: auditlog
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: status
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: application-multi
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: language-shell
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: platform-unix
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: attack-rce
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: WASCTC/WASC-31
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: OWASP_TOP_10/A1
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: PCI/6.5.2
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: block
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Marking request as disruptive.
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Running action deny
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: ctl
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Skipping this phase as this request was already intercepted.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Starting phase RESPONSE_HEADERS. (SecRules 3)
[154281330544.076301] [/?a=exec(/bin/bash);] [9] This phase consists of 70 rule(s).
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 950020) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL)
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 0.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars cleaned.

for the same request:

...
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Not running disruptive action: pass. SecRuleEngine is not On.
...

I don't know why, for pass, it skips the disruptive action, but for deny it does not.

To Reproduce

  • ModSecurity v3/master
  • ModSecurity-nginx (latest)
  • Nginx
  • OWASP CRS 3.2/dev
  • configure SecRuleEngine DetectionOnly
  • configure a default action to "deny"

trigger a rule:
curl 'http://localhost/?a=exec(/bin/bash);'

Expected behavior
It should just log without executing the disruptive action.
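A small check for the behaviour described above, added here as an example and not code from the issue or from the ModSecurity project: it parses SecDebugLog lines of the shape quoted in this report (`[timestamp] [uri] [level] message`) and flags requests where a disruptive action actually ran or the transaction was marked as intercepted, which should never happen under SecRuleEngine DetectionOnly. The sample log is constructed from the lines in this report; the set of disruptive action names follows the ModSecurity reference manual.

```python
import re
from collections import defaultdict

# Shape of a ModSecurity v3 debug-log line as quoted in this issue:
#   [timestamp] [request uri] [debug level] message
LINE_RE = re.compile(r"^\[([^\]]*)\] \[([^\]]*)\] \[(\d+)\]\s*(.*)$")
# Both spellings occur in the log above: "Running action: block" and "Running action deny".
ACTION_RE = re.compile(r"^Running action:? ([A-Za-z]+)")
SKIPPED_RE = re.compile(r"^Not running disruptive action: ([A-Za-z]+)\.")
# Disruptive actions as listed in the ModSecurity reference manual.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "pause", "proxy", "redirect"}

# Constructed sample, modelled on the debug log quoted in this report.
SAMPLE_LOG = """\
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 1.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: log
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: block
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Marking request as disruptive.
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Running action deny
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Skipping this phase as this request was already intercepted.
[154281330544.076302] [/?a=hello] [4] Not running disruptive action: pass. SecRuleEngine is not On.
"""


def audit_debug_log(lines):
    """Per request URI: which disruptive actions ran, which ones the engine
    skipped because it is not On, and whether the request was intercepted."""
    report = defaultdict(lambda: {"ran": [], "skipped": [], "intercepted": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a debug-log line (e.g. the "..." separators)
        uri, msg = m.group(2), m.group(4)
        entry = report[uri]
        if msg.startswith("Marking request as disruptive"):
            entry["intercepted"] = True
            continue
        skipped = SKIPPED_RE.match(msg)
        if skipped:
            entry["skipped"].append(skipped.group(1))
            continue
        action = ACTION_RE.match(msg)
        if action and action.group(1) in DISRUPTIVE:
            entry["ran"].append(action.group(1))
    return dict(report)


def detection_only_violations(lines):
    """URIs where DetectionOnly was not honoured: a disruptive action ran
    or the transaction was marked as intercepted."""
    return sorted(uri for uri, e in audit_debug_log(lines).items()
                  if e["ran"] or e["intercepted"])


if __name__ == "__main__":
    print(detection_only_violations(SAMPLE_LOG.splitlines()))
```

Run it against a real SecDebugLog (level 9) captured with SecRuleEngine DetectionOnly; an empty result means every disruptive action was skipped as expected.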

ModSecurity configure output

ModSecurity - v3.0.3-4-gcbf2fe97 for Linux

Mandatory dependencies
  + libInjection                                  ....v3.0.3-4-gcbf2fe97
  + SecLang tests                                 ....cbf2fe97

Optional dependencies
  + GeoIP/MaxMind                                 ....found 
     * (GeoIP) v1.6.12
        -lGeoIP, -I/usr/include/
  + LibCURL                                       ....found v7.58.0 
     -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
  + YAJL                                          ....found v2.1.0
     -lyajl, -DWITH_YAJL -I/usr/include/yajl
  + LMDB                                          ....not found
  + LibXML2                                       ....found v2.9.4
     -lxml2, -I/usr/include/libxml2 -DWITH_LIBXML2
  + SSDEEP                                        ....not found
  + LUA                                           ....not found

Other Options
  + Test Utilities                                ....enabled
  + SecDebugLog                                   ....enabled
  + afl fuzzer                                    ....disabled
  + library examples                              ....enabled
  + Building parser                               ....disabled
  + Treating pm operations as critical section    ....disabled

Labels

3.x (Related to ModSecurity version 3.x), bug (It is a confirmed bug)