Greetings,
In trying to track down an issue today, I happened to notice a huge log file in /usr/local/apache/logs: the modsec_audit.log file.
In it, I see that I am getting messages like this for *every* request:
Message: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"]
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"]
Message: Warning. Found 2 byte(s) in REQUEST_HEADERS:From outside range: 32,34,38,42-59,61,65-90,95,97-122. [file "/usr/local/apache/modsecurity-owasp-latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1522"] [id "920274"] [msg "Invalid character in request headers (outside of very strict set)"] [data "REQUEST_HEADERS:From=bingbot(at)microsoft.com"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "paranoia-level/4"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
The first warning comes from the last line of this section:
# Restrict protocol versions.
#
SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
"id:920430,\
phase:1,\
block,\
t:none,\
msg:'HTTP protocol version is not allowed by policy',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
The second warning comes from the last line of a similarly-formatted section:
# -=[ Allowed Request Methods ]=-
#
# tx.allowed_methods is defined in the crs-setup.conf file
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
"id:911100,\
phase:2,\
block,\
msg:'Method is not allowed by policy',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/274',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
How do I fix this so that I don't have huge
The time/date stamp on these looks to be from the original install, 10 months ago.
Also, it appears that these log files start around the beginning of April. I don't see any rotating going on.
OS is Oracle Linux 8. Thank you!
Bob
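A small triage helper for exactly the kind of noise described in the post, as an added example that is not part of the original message or of the CRS project: it parses the bracketed `[key "value"]` fields of ModSecurity "Message:" lines, counts how often each rule id fires and which matched value it reports, so a rule that hits on every request (here 920430 with "HTTP/1.1" and 911100 with "GET") stands out from genuine detections. The field format is taken from the lines quoted above; the sample input is a constructed copy of those three messages with the two noisy ones repeated, and the function names are the example's own.

```python
"""Count CRS rule hits in ModSecurity 'Message:' lines (example code, not the project's own).

Only the 'Message:' lines of the audit log are parsed; 'Apache-Error:' lines and
other sections are ignored, since the Message lines carry the rule id, msg and data.
"""
import re
from collections import Counter, defaultdict

# Matches every bracketed field such as [id "920430"] or [data "HTTP/1.1"].
# The leading free text ('Warning. Match of "within ..." ...') is not in this form,
# so it is skipped by the regex and kept separately as 'text'.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_message(line):
    """Return the fields of one 'Message:' line as a dict, or None for other lines."""
    if not line.startswith("Message:"):
        return None
    body = line[len("Message:"):].strip()
    fields = {"text": body.split(" [", 1)[0], "tags": []}
    for key, value in FIELD_RE.findall(body):
        if key == "tag":                       # tags repeat, keep them all
            fields["tags"].append(value)
        else:
            fields[key] = value
    return fields


def summarize(lines):
    """Aggregate hits per rule id: counts, matched data values, msg/severity/paranoia level."""
    hits = Counter()
    data_by_id = defaultdict(Counter)
    meta = {}
    for line in lines:
        m = parse_message(line)
        if not m or "id" not in m:
            continue
        rid = m["id"]
        hits[rid] += 1
        data_by_id[rid][m.get("data", "")] += 1
        paranoia = next((t.split("/", 1)[1] for t in m["tags"]
                         if t.startswith("paranoia-level/")), None)
        meta[rid] = {"msg": m.get("msg", ""), "severity": m.get("severity", ""),
                     "paranoia": paranoia}
    return hits, data_by_id, meta


def report(lines):
    """Rows of (id, hits, msg, most common matched value), noisiest rule first."""
    hits, data_by_id, meta = summarize(lines)
    return [(rid, n, meta[rid]["msg"], data_by_id[rid].most_common(1)[0][0])
            for rid, n in hits.most_common()]


# Constructed sample: the three Message lines quoted in the post, with the two
# per-request warnings repeated three times to mimic a log where they fire on
# every request, plus one Apache-Error line that must be ignored.
MSG_920430 = ('Message: Warning. Match of "within %{tx.allowed_http_versions}" against '
              '"REQUEST_PROTOCOL" required. [file "/usr/local/apache/modsecurity-owasp-latest/'
              'rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1010"] [id "920430"] '
              '[msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] '
              '[severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] '
              '[tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"]')
MSG_911100 = ('Message: Warning. Match of "within %{tx.allowed_methods}" against '
              '"REQUEST_METHOD" required. [file "/usr/local/apache/modsecurity-owasp-latest/'
              'rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "43"] [id "911100"] '
              '[msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] '
              '[ver "OWASP_CRS/3.3.2"] [tag "attack-generic"] [tag "paranoia-level/1"]')
MSG_920274 = ('Message: Warning. Found 2 byte(s) in REQUEST_HEADERS:From outside range: '
              '32,34,38,42-59,61,65-90,95,97-122. [file "/usr/local/apache/modsecurity-owasp-'
              'latest/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1522"] [id "920274"] '
              '[msg "Invalid character in request headers (outside of very strict set)"] '
              '[data "REQUEST_HEADERS:From=bingbot(at)microsoft.com"] [severity "CRITICAL"] '
              '[ver "OWASP_CRS/3.3.2"] [tag "attack-protocol"] [tag "paranoia-level/4"]')
APACHE_ERR = ('Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client %s] '
              'ModSecurity: %s%s [uri "%s"]%s')
SAMPLE = [MSG_920430, MSG_911100, APACHE_ERR] * 3 + [MSG_920274]

if __name__ == "__main__":
    for rid, n, msg, data in report(SAMPLE):
        print(f"{rid}: {n} hits  {msg!r}  top data={data!r}")
```

In practice the lines come from `grep '^Message:' /usr/local/apache/logs/modsec_audit.log`; a rule whose hit count equals the number of transactions, with ordinary values such as "GET" or "HTTP/1.1" in its data field, is a configuration problem rather than an attack and is the first thing to investigate.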