
AuditLog JSON large data field #2925

Open
@borisovdmitrii

Description

We have Nginx (1.22.1) + ModSecurity-nginx (1.0.3) + ModSecurity (3090100) + OWASP CRS (3.3.4), and a rule that works on the contents of the file.
The configuration contains SecAuditLogParts ABIJDEFHZ and SecAuditLogFormat JSON.

Rule:

```
SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])" \
    "id:921110,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    msg:'HTTP Request Smuggling Attack',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272/220/33',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.4',\
    severity:'CRITICAL',\
    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
```

If we send a large file, the JSON audit log contains the full request body in transaction.messages.details.data.
If we change the log format to Native, the data field is automatically trimmed and becomes short.

We expect to get the same short log in JSON format as in Native. Otherwise it takes up a lot of space and we can't send it to a SIEM or database (via Vector) without transforms.

Is there any way to work around this and force MATCHED_VAR to be trimmed in the data field for JSON the same as for Native? Or is there some alternative to SecAuditLogParts I to exclude files from the message?

Screenshot of part of the JSON log (image not reproduced here)

Full Native Log
---flqU0CRG---A--
[11/Jul/2023:10:35:31 +0000] 168907173111.651220 xxx.xxx.xxx.xxx 53019 xxx.xxx.xxx.xxx 80
---flqU0CRG---B--
POST / HTTP/1.1
Accept: */*
Accept-Language: ru-RU,ru;q=0.9
Content-Length: 2600222
Host: test.com
User-Agent: PostmanRuntime/7.32.3
Postman-Token: 0be4a82e-1059-47f5-a5ce-5f9fb21a2121
Cache-Control: no-cache
Connection: keep-alive
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=--------------------------131585514483542585006929

---flqU0CRG---D--

---flqU0CRG---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---flqU0CRG---F--
HTTP/1.1 403
Strict-Transport-Security: max-age=31536000; includeSubDomains
mime.types: 
Date: Tue, 11 Jul 2023 10:35:31 GMT
X-XSS-Protection: 1; mode=block
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: text/html
Content-Length: 146
include: 
Server: 
Server: 
Content-Security-Policy: frame-ancestors 'self'

---flqU0CRG---H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])' against variable `REQUEST_BODY' (Value: `----------------------------131585514483542585006929\x0d\x0aContent-Disposition: form-data; name=""; (3200152 characters omitted)' ) [file "/etc/nginx/conf/modsecurity/rules/OWASP_3.3.4/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "34"] [id "921110"] [rev ""] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: get dg==\x0d found within REQUEST_BODY: ----------------------------131585514483542585006929\x0d\x0acontent-disposition: form-data; name=\x22\x22; filename=\x2210320000001.bson\x22\x0d\x0acontent-type: application (2600073 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/33"] [hostname "xxx.xxx.xxx.xxx"] [uri "/"] [unique_id "168907173111.651220"] [ref "o749684,9v364,2600222t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"]

---flqU0CRG---I--

---flqU0CRG---J--

---flqU0CRG---Z--

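Until the JSON writer applies the same limit as the native one, the trimming can be done on the log stream before it reaches the SIEM. The script below is an added example, not part of this issue or of the ModSecurity project. It assumes the v3 JSON layout named in the report (`transaction.messages[].details.data`), one JSON object per line, and a 200-character budget: the native log above keeps about 150 characters of the body plus the `Matched Data: ... found within REQUEST_BODY: ` prefix, and 150 + 2600073 matches the 2600222-byte body, so 200 is inferred from that log rather than taken from the ModSecurity source. The sample entry is constructed for the example; the rule id, unique_id and multipart boundary are copied from the native log above.

```python
"""Trim oversized ``data`` fields in ModSecurity v3 JSON audit log entries.

Added example for this issue, not ModSecurity code. Reads JSON-lines on stdin,
writes JSON-lines on stdout with every transaction.messages[].details.data
shortened the way the native audit log does it ("... (N characters omitted)").
"""
import json

# Budget inferred from the native log in the issue (about 200 chars kept);
# this is an assumption, not a value read from the ModSecurity source.
DEFAULT_LIMIT = 200


def truncate_like_native(value: str, limit: int = DEFAULT_LIMIT) -> str:
    """Keep the first `limit` characters and note how many were dropped."""
    if len(value) <= limit:
        return value
    omitted = len(value) - limit
    return f"{value[:limit]} ({omitted} characters omitted)"


def trim_audit_entry(entry: dict, limit: int = DEFAULT_LIMIT) -> dict:
    """Return a deep copy of one audit entry with each details.data trimmed.

    The input dict is left untouched; unknown layouts pass through unchanged.
    """
    trimmed = json.loads(json.dumps(entry))  # cheap deep copy of plain JSON
    messages = trimmed.get("transaction", {}).get("messages", [])
    for msg in messages:
        details = msg.get("details")
        if isinstance(details, dict) and isinstance(details.get("data"), str):
            details["data"] = truncate_like_native(details["data"], limit)
    return trimmed


def trim_audit_log_lines(lines, limit: int = DEFAULT_LIMIT) -> list:
    """Process a JSON-lines stream; blank lines are dropped, non-JSON lines pass through."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            out.append(line)  # keep whatever it was rather than losing it
            continue
        out.append(json.dumps(trim_audit_entry(entry, limit), separators=(",", ":")))
    return out


# Constructed sample: a multipart upload of ~2.6 MB caught by rule 921110,
# shaped like the native log in the issue (boundary and ids copied from it).
SAMPLE_BODY = (
    "-" * 28 + "131585514483542585006929\r\n"
    'content-disposition: form-data; name=""; filename="10320000001.bson"\r\n'
    "content-type: application/octet-stream\r\n\r\n" + "A" * 2_600_000
)
SAMPLE_ENTRY = {
    "transaction": {
        "client_ip": "xxx.xxx.xxx.xxx",
        "unique_id": "168907173111.651220",
        "messages": [
            {
                "message": "HTTP Request Smuggling Attack",
                "details": {
                    "ruleId": "921110",
                    "data": "Matched Data: get dg==\r found within REQUEST_BODY: " + SAMPLE_BODY,
                    "severity": "2",
                    "ver": "OWASP_CRS/3.3.4",
                },
            }
        ],
    }
}
SAMPLE_LINE = json.dumps(SAMPLE_ENTRY)


if __name__ == "__main__":
    import sys

    # With no piped input, run on the constructed sample so the script demos itself.
    source = sys.stdin if not sys.stdin.isatty() else [SAMPLE_LINE]
    for out_line in trim_audit_log_lines(source):
        print(out_line)
```

Run it as `python3 trim_modsec_json.py < modsec_audit.log > trimmed.log` (filename assumed), or drop the same logic into the Vector transform the reporter mentions. Note that only `details.data` is touched; if parts C or I put the raw body elsewhere in the JSON, extend the function to those keys too.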
