[Owasp-modsecurity-core-rule-set] No rule-id in audit/error log with Nginx and MS3/CRS3

Christian Folini christian.folini at netnea.com
Thu Nov 24 16:37:54 UTC 2016


On Thu, Nov 24, 2016 at 05:02:43PM +0100, Muenz, Michael wrote:
> SecAuditLogParts ABIJDEFHZ

It's a little-known detail that Audit Log Parts need to be set
in alphabetic order. But I do not think this is the problem here.

For me, this sounds like a ModSec/NginX bug - unless you have some other
base config which tweaks the audit log in the said fashion. But I
do not see how you could.

So to me, this is not a CRS problem, but a ModSec on NginX problem.

Next step would be to remove the complete CRS and then copy
the said rule into the remaining config. And then you change
the rule action from pass to deny and give it another shot.

> What I changed in crs-setup.conf was:
> 
> SecDefaultAction "phase:1,log,auditlog,deny,status:403"
> SecDefaultAction "phase:2,log,auditlog,deny,status:403"
> 
> ... instead of the default.

That is perfectly OK configuration-wise (outside of the fact that
anomaly scoring mode is the default for a good reason. Unless you
have thought about this a lot and you really know what you are
doing, I suggest you stay in anomaly scoring mode).

Ahoj,

Christian


-- 
You don't have to be great to start, but you have to 
start to be great. 
-- Zig Ziglar
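
A minimal configuration for the isolation test suggested in the reply above, added here as an illustration and not taken from the thread or from the CRS. The rule, its id, the `probe` parameter and the log path are hypothetical stand-ins, since the rule under discussion is not shown in this message; the audit log parts are the same letters as in the quoted setting, rearranged alphabetically.

```conf
# Isolation test: no CRS includes at all, only the engine,
# the audit log and one blocking rule.
SecRuleEngine On

# Log every transaction while testing so nothing is filtered out.
SecAuditEngine On
SecAuditLogType Serial
# Assumed path; use whatever location the Nginx worker can write to.
SecAuditLog /var/log/modsec_audit.log

# Same parts as the quoted ABIJDEFHZ, in alphabetic order.
SecAuditLogParts ABDEFHIJZ

# Hypothetical stand-in for the rule being debugged.
# The action is deny instead of pass, as suggested in the reply,
# and log/auditlog are set on the rule itself because no
# SecDefaultAction is present in this stripped-down config.
SecRule ARGS:probe "@streq 1" \
    "id:10001,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    auditlog,\
    msg:'Isolation test rule'"
```

A request carrying `probe=1` in the query string should then be answered with 403, and the audit and error log entries for it can be checked for `id "10001"` without any CRS rule in the picture.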

