#StackBounty: #nginx #waf #debian #mod-security Why is my SecAction rule being ignored?

Bounty: 50

I’m trying to configure a SecAction rule to help me tune ModSecurity 3 following this How to tune your WAF installation to reduce false positives tutorial, but the rule seems to be ignored and the msg is not printed either on access.log or error.log.

SecAction \
    "id:980145,\
    phase:5,\
    pass,\
    t:none,\
    log,\
    noauditlog,\
    msg:'Incoming Anomaly Score: %{TX.ANOMALY_SCORE}'"

I tried messing with the CRS rules just to see if I could change an existing rule, and the changes were effective, printing a different message than the original in the error.log, but the rule above is ignored. I think the place is so obvious it’s not even mentioned in the tutorial, but I’m a newbie.

Checking the Debug Log level 9 I could see the following:

grep 980145 /var/log/modsec_debug.log

[1630420852] [/image/top.jpg] [4] (Rule: 980145) Executing unconditional rule...
[1630420852] [/image/top.jpg] [4] (Rule: 980145) Executing unconditional rule...

But if I grep the error log for the 980145 id, nothing is printed there.

Server:

  • nginx 1.20.1
  • modsecurity 3
  • owasp-modsecurity-crs 3.0.0

What is the appropriate .conf file and place I should include this rule so that it’s not ignored by ModSecurity when processing the rules?
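
The comparison described above (rule 980145 shows up in the debug log but not in error.log), as an added example that is not part of the original question: a Python script that checks a watched set of rule ids against both logs. Rule id 100001, its debug line and the error-log line are constructed sample data, and the error-log layout beyond the `[id "..."]` tag is an assumption.

```python
import re
from collections import Counter

# Debug-log shape copied from the question's grep output:
#   [1630420852] [/image/top.jpg] [4] (Rule: 980145) Executing unconditional rule...
DEBUG_RE = re.compile(r"^\[\d+\] \[[^\]]*\] \[\d\] \(Rule: (\d+)\) (.*)$")
# ModSecurity tags each logged rule hit with [id "NNN"].
ERROR_ID_RE = re.compile(r'\[id "(\d+)"\]')

def executed_unconditional(debug_lines):
    """Count runs of unconditional (SecAction) rules per rule id."""
    runs = Counter()
    for line in debug_lines:
        m = DEBUG_RE.match(line.strip())
        if m and m.group(2).startswith("Executing unconditional rule"):
            runs[m.group(1)] += 1
    return runs

def logged_ids(error_lines):
    """Count error-log entries per rule id, ModSecurity lines only."""
    hits = Counter()
    for line in error_lines:
        if "ModSecurity" in line:
            hits.update(ERROR_ID_RE.findall(line))
    return hits

def executed_but_silent(debug_lines, error_lines, watch):
    """Map rule id -> run count for watched rules that ran but never logged."""
    runs, hits = executed_unconditional(debug_lines), logged_ids(error_lines)
    return {rid: runs[rid] for rid in sorted(watch) if runs[rid] and not hits[rid]}

# First two lines are from the question; everything else is constructed.
SAMPLE_DEBUG = [
    "[1630420852] [/image/top.jpg] [4] (Rule: 980145) Executing unconditional rule...",
    "[1630420852] [/image/top.jpg] [4] (Rule: 980145) Executing unconditional rule...",
    "[1630420852] [/image/top.jpg] [4] (Rule: 100001) Executing unconditional rule...",
]
SAMPLE_ERROR = [
    '2021/08/31 14:40:52 [error] 1234#1234: *1 [client 192.0.2.10] ModSecurity: '
    'Warning. [id "100001"] [msg "constructed test rule"] [uri "/image/top.jpg"]',
    "2021/08/31 14:40:53 [notice] 1234#1234: signal process started",
]

if __name__ == "__main__":
    watched = {"980145", "100001"}
    for rid, n in executed_but_silent(SAMPLE_DEBUG, SAMPLE_ERROR, watched).items():
        print(f"rule {rid}: executed {n}x in debug log, no error-log entry")
```
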

