Closed
Description
Describe the bug
It seems that the latest v3/master completely ignores the DetectionOnly SecRuleEngine configuration. When a rule matches, I always get the default disruptive action even if SecRuleEngine is set to DetectionOnly; in the debug logs I can see the "deny" action.
Logs and dumps
debug log
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 932150) Executing operator "Rx" with param "[...cut...]" against XML:/*.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "a" (Variable: ARGS_NAMES:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "exec(/bin/bash);" (Variable: ARGS:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 0.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars cleaned.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 932160) Executing operator "PmFromFile" with param "unix-shell.data" against XML:/*.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] T (0) t:urlDecodeUni: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9] T (0) t:cmdLine: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9] T (0) t:normalizePath: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9] T (0) t:lowercase: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "a" (Variable: ARGS_NAMES:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [9] T (0) t:urlDecodeUni: "exec(/bin/bash);"
[154281330544.076301] [/?a=exec(/bin/bash);] [9] T (0) t:cmdLine: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9] T (0) t:normalizePath: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9] T (0) t:lowercase: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "exec(/bin/bash) " (Variable: ARGS:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [7] Added pm match TX.0: bin/bash
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars updated.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:msg with value: Remote Command Execution: Unix Shell Code Found
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:rce_score with value: 5
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:anomaly_score_pl1 with value: 5
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:-OWASP_CRS/WEB_ATTACK/RCE-ARGS:a with value: bin/bash
[154281330544.076301] [/?a=exec(/bin/bash);] [9] This rule severity is: 2 current transaction is: 2
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Saving msg: Remote Command Execution: Unix Shell Code Found
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 1.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: log
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Saving transaction to logs
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: auditlog
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: status
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: application-multi
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: language-shell
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: platform-unix
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: attack-rce
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: WASCTC/WASC-31
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: OWASP_TOP_10/A1
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: PCI/6.5.2
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: block
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Marking request as disruptive.
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Running action deny
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: ctl
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Skipping this phase as this request was already intercepted.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Starting phase RESPONSE_HEADERS. (SecRules 3)
[154281330544.076301] [/?a=exec(/bin/bash);] [9] This phase consists of 70 rule(s).
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 950020) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL)
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 0.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars cleaned.
for the same request:
...
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Not running disruptive action: pass. SecRuleEngine is not On.
...
I don't know why for pass it skips the disruptive action and for deny it does not.
To Reproduce
- ModSecurity v3/master
- ModSecurity-nginx (latest)
- Nginx
- OWASP CRS 3.2/dev
- configure SecRuleEngine DetectionOnly
- configure a default action to "deny"
- trigger a rule:
curl 'http://localhost/?a=exec(/bin/bash);'
Expected behavior
It should just log without executing the disruptive action.
ModSecurity configure output
ModSecurity - v3.0.3-4-gcbf2fe97 for Linux
Mandatory dependencies
+ libInjection ....v3.0.3-4-gcbf2fe97
+ SecLang tests ....cbf2fe97
Optional dependencies
+ GeoIP/MaxMind ....found
* (GeoIP) v1.6.12
-lGeoIP, -I/usr/include/
+ LibCURL ....found v7.58.0
-lcurl, -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
+ YAJL ....found v2.1.0
-lyajl, -DWITH_YAJL -I/usr/include/yajl
+ LMDB ....not found
+ LibXML2 ....found v2.9.4
-lxml2, -I/usr/include/libxml2 -DWITH_LIBXML2
+ SSDEEP ....not found
+ LUA ....not found
Other Options
+ Test Utilities ....enabled
+ SecDebugLog ....enabled
+ afl fuzzer ....disabled
+ library examples ....enabled
+ Building parser ....disabled
+ Treating pm operations as critical section ....disabled
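A log check, added here as an editor's example and not code from the reporter or from the ModSecurity project: it parses debug-log lines in the `[timestamp] [uri] [level] message` shape shown in this report and lists every disruptive action that actually ran, which is exactly the set that must be empty while SecRuleEngine is DetectionOnly. The sample lines are copied from the log above (reordered so the `pass` line, whose rule context the report elides, comes before any rule header); the set of disruptive action names follows the ModSecurity reference manual, and `<intercepted>` is this script's own label for the `Marking request as disruptive.` message, not a ModSecurity action.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of a libmodsecurity (v3) debug-log line, as seen in the report:
#   [timestamp] [request uri] [debug level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]*)\] \[(?P<uri>[^\]]*)\] \[(?P<level>\d+)\] (?P<msg>.*)$")
RULE_RE = re.compile(r"^\(Rule: (?P<rule>\d+)\)")
# The log prints both "Running action: block" and "Running action deny" (no colon),
# so the colon is optional. Non-disruptive actions are logged with other prefixes
# ("Running (non-disruptive) action: tag") and do not match this pattern.
RAN_RE = re.compile(r"^Running action:? (?P<action>[a-z]+)$")
SKIPPED_RE = re.compile(r"^Not running disruptive action: (?P<action>[a-z]+)\. SecRuleEngine is not On\.$")
INTERCEPT_MSG = "Marking request as disruptive."

# Disruptive actions per the ModSecurity reference manual. "block" is resolved to
# the disruptive action configured in SecDefaultAction; "pass" is disruptive too,
# which is why the engine reports skipping it in DetectionOnly mode.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}


@dataclass(frozen=True)
class Event:
    rule: Optional[str]  # id of the rule whose actions were running, None if no header seen yet
    action: str          # disruptive action name, or "<intercepted>" (this script's label)
    executed: bool       # True = the engine ran it, False = skipped because engine was not On


def parse_events(log_text: str) -> List[Event]:
    """Extract disruptive-action events, tagging each with the most recent rule id."""
    events: List[Event] = []
    current_rule: Optional[str] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a debug-log line (e.g. the reporter's "..." markers)
        msg = m["msg"]
        if msg.startswith("Starting phase"):
            current_rule = None  # a new phase starts; previous rule context no longer applies
        header = RULE_RE.match(msg)
        if header:
            current_rule = header["rule"]
            continue
        ran = RAN_RE.match(msg)
        if ran and ran["action"] in DISRUPTIVE:
            events.append(Event(current_rule, ran["action"], True))
            continue
        skipped = SKIPPED_RE.match(msg)
        if skipped:
            events.append(Event(current_rule, skipped["action"], False))
        elif msg == INTERCEPT_MSG:
            events.append(Event(current_rule, "<intercepted>", True))
    return events


def detection_only_violations(log_text: str) -> List[Event]:
    """Events that must not appear when SecRuleEngine is DetectionOnly:
    a disruptive action that actually ran, or the request being intercepted."""
    return [e for e in parse_events(log_text) if e.executed]


# Sample log: lines copied from the report above, with the "pass" line placed first.
SAMPLE_LOG = """\
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Not running disruptive action: pass. SecRuleEngine is not On.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 932160) Executing operator "PmFromFile" with param "unix-shell.data" against XML:/*.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 1.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: log
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: block
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Marking request as disruptive.
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Running action deny
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: ctl
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Skipping this phase as this request was already intercepted.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Starting phase RESPONSE_HEADERS. (SecRules 3)
"""

if __name__ == "__main__":
    for e in parse_events(SAMPLE_LOG):
        state = "RAN" if e.executed else "skipped"
        print(f"rule {e.rule or '?'}: {e.action:<14} {state}")
    bad = detection_only_violations(SAMPLE_LOG)
    print(f"{len(bad)} disruptive event(s) despite DetectionOnly" if bad else "DetectionOnly honoured")
```

Run against a full SecDebugLog at level 9 after a request that should only be logged; any `RAN` line from this script means the engine intercepted or altered the request rather than just recording the match.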