[Owasp-modsecurity-core-rule-set] No rule-id in audit/error log with Nginx and MS3/CRS3
christian.folini at netnea.com
Thu Nov 24 15:59:36 UTC 2016
On Thu, Nov 24, 2016 at 04:41:49PM +0100, Muenz, Michael wrote:
> Did you reply to the list or PN? :)
Maybe I made a mistake. The idea was to respond via the list.
Doing that now.
> I'm not quite sure if it's nginx itself, I'm a bit new to it.
> This is the auditlog:
> [24/Nov/2016:16:39:45 +0100] 148000198565.715452 XXX
> GET /?s=../../../../etc/passwd HTTP/1.1
> REQUEST_HEADERS:Host: XXX
> REQUEST_HEADERS:Connection: keep-alive
> REQUEST_HEADERS:Upgrade-Insecure-Requests: 1
> REQUEST_HEADERS:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64;
> x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99
> REQUEST_HEADERS:Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> REQUEST_HEADERS:Accept-Encoding: gzip, deflate, sdch
> RESPONSE_HEADERS:Server: nginx/1.11.5
> RESPONSE_HEADERS:Date: Thu, 24 Nov 2016 15:39:45 GMT
> RESPONSE_HEADERS:Content-Length: 571
> RESPONSE_HEADERS:Content-Type: text/html
> RESPONSE_HEADERS:Connection: keep-alive
The interesting bit: the H part is empty.
That is very odd. What is your SecAuditLogParts setting?
Maybe you remove it for a test so it reverts to the default, which should
bring you the H audit log part.
No man is more unhappy than he who never faces adversity.
For he is not permitted to prove himself.
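One way to check a captured audit log for exactly this symptom, as an added example that is not part of the thread or of ModSecurity itself: it splits a serial-format audit log into its parts, reports whether the H part is missing, and pulls the rule ids out of H when it is there. It assumes the serial part boundaries `--id-X--` (v2) or `---id-X--` (v3) and uses constructed sample transactions.

```python
import re
# Part boundary of a serial ModSecurity audit log, "--c0a8fe01-A--" (v2) or
# "---XkA3Yt-A--" (v3); assumption: both spellings are accepted here.
PART_BOUNDARY = re.compile(r'^-{2,3}[0-9A-Za-z@_-]+?-([A-Z])--\s*$')
# Rule id as ModSecurity writes it into a part-H message line.
RULE_ID = re.compile(r'\[id "(\d+)"\]')

# Constructed sample: one transaction whose H part carries two CRS alerts.
SAMPLE_WITH_H = """\
---XkA3Yt-A--
[24/Nov/2016:16:39:45 +0100] 148000198565.715452 192.0.2.10 51234 198.51.100.5 80
---XkA3Yt-B--
GET /?s=../../../../etc/passwd HTTP/1.1
---XkA3Yt-H--
ModSecurity: Warning. Matched "Operator Rx with parameter ..." [id "930110"] [msg "Path Traversal Attack (/../)"]
ModSecurity: Warning. Matched "Operator PmFromFile with parameter ..." [id "930120"] [msg "OS File Access Attempt"]
---XkA3Yt-Z--
"""

# Constructed sample with the H part absent, as in the log quoted in the thread.
SAMPLE_WITHOUT_H = """\
---XkA3Yt-B--
GET /?s=../../../../etc/passwd HTTP/1.1
---XkA3Yt-Z--
"""

def parse_audit_log(text: str) -> dict[str, list[str]]:
    """Split one serial audit log transaction into its parts, keyed by letter."""
    parts: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        m = PART_BOUNDARY.match(line)
        if m:
            parts.setdefault(current := m.group(1), [])
        elif current is not None:
            parts[current].append(line)
    return parts

def rule_ids(parts: dict[str, list[str]]) -> list[str]:
    """Ids of the rules that fired; ModSecurity records them in part H only."""
    return [rid for line in parts.get("H", []) for rid in RULE_ID.findall(line)]

def diagnose(text: str) -> str:
    """First thing to check when a transaction shows no rule id."""
    parts = parse_audit_log(text)
    if "H" not in parts:
        return "no H part: check that SecAuditLogParts includes H"
    ids = rule_ids(parts)
    return "rules fired: " + ", ".join(ids) if ids else "H part present, no rule matched"
```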