Modsecurity response rules not working! - response body won't process! #311

nimafia · 2018-10-20T12:47:05Z

Hello
I'm using lua-resty-waf with latest modsecurity crs rules only. But recently I realized that my response rules not working at all! It seems response body won't process! I tested this in reverse proxy mode. The rule exist but doesn't work. Can you please help me on this? Is it a source code issue?
nginx.conf :

init_by_lua_block {
        local lua_resty_waf = require "resty.waf"

        -- this translates and calculates a ruleset called 'ruleset_name'
        local ok, errs = pcall(function()
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/modsecurity.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-914-FILE-DETECTION.conf")
            --lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf")
            lua_resty_waf.load_secrules("/opt/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf")
        end)

        -- errs is an array-like table
        if errs then
            for i = 1, #errs do
                ngx.log(ngx.ERR, errs[i])
            end
        end
        
         -- perform some preloading and optimization
         -- lua_resty_waf.init()
    }

server.conf :

server {
        listen       192.168.250.28:80;
        server_name  dvwa.com;
		
        location / {
            access_by_lua_block {
                local deny_override = function(waf, ctx)
                  ngx.log(ngx.INFO, "Overriding DENY action")
                  ngx.status = ngx.HTTP_FORBIDDEN
                  ngx.redirect("/error.html")
                end

                local lua_resty_waf = require "resty.waf"

                local waf = lua_resty_waf:new()

                waf:set_option("info", "true")
                waf:set_option("mode", "ACTIVE")
                waf:set_option("hook_action", "DENY", deny_override)

                waf:set_option("add_ruleset", "REQUEST-901-INITIALIZATION.conf")
                waf:set_option("add_ruleset", "modsecurity.conf")
                waf:set_option("add_ruleset", "REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf")
                waf:set_option("add_ruleset", "REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf")
                waf:set_option("add_ruleset", "REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf")
                waf:set_option("add_ruleset", "REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf")
                waf:set_option("add_ruleset", "REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf")
                waf:set_option("add_ruleset", "REQUEST-905-COMMON-EXCEPTIONS.conf")
                waf:set_option("add_ruleset", "REQUEST-910-IP-REPUTATION.conf")
                waf:set_option("add_ruleset", "REQUEST-911-METHOD-ENFORCEMENT.conf")
                waf:set_option("add_ruleset", "REQUEST-912-DOS-PROTECTION.conf")
                waf:set_option("add_ruleset", "REQUEST-913-SCANNER-DETECTION.conf")
                waf:set_option("add_ruleset", "REQUEST-914-FILE-DETECTION.conf")
                --waf:set_option("add_ruleset", "REQUEST-920-PROTOCOL-ENFORCEMENT.conf")
                waf:set_option("add_ruleset", "REQUEST-921-PROTOCOL-ATTACK.conf")
                waf:set_option("add_ruleset", "REQUEST-930-APPLICATION-ATTACK-LFI.conf")
                waf:set_option("add_ruleset", "REQUEST-931-APPLICATION-ATTACK-RFI.conf")
                waf:set_option("add_ruleset", "REQUEST-932-APPLICATION-ATTACK-RCE.conf")
                waf:set_option("add_ruleset", "REQUEST-933-APPLICATION-ATTACK-PHP.conf")
                waf:set_option("add_ruleset", "REQUEST-941-APPLICATION-ATTACK-XSS.conf")
                waf:set_option("add_ruleset", "REQUEST-942-APPLICATION-ATTACK-SQLI.conf")
                waf:set_option("add_ruleset", "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf")
                waf:set_option("add_ruleset", "REQUEST-944-APPLICATION-ATTACK-JAVA.conf")
                waf:set_option("add_ruleset", "REQUEST-949-BLOCKING-EVALUATION.conf")
                waf:set_option("add_ruleset", "RESPONSE-950-DATA-LEAKAGES.conf")
                waf:set_option("add_ruleset", "RESPONSE-951-DATA-LEAKAGES-SQL.conf")
                waf:set_option("add_ruleset", "RESPONSE-952-DATA-LEAKAGES-JAVA.conf")
                waf:set_option("add_ruleset", "RESPONSE-953-DATA-LEAKAGES-PHP.conf")
                waf:set_option("add_ruleset", "RESPONSE-954-DATA-LEAKAGES-IIS.conf")
                waf:set_option("add_ruleset", "RESPONSE-959-BLOCKING-EVALUATION.conf")
                waf:set_option("add_ruleset", "RESPONSE-980-CORRELATION.conf")

                waf:set_option("ignore_ruleset", "11000_whitelist")
                waf:set_option("ignore_ruleset", "20000_http_violation")
                waf:set_option("ignore_ruleset", "21000_http_anomaly")
                waf:set_option("ignore_ruleset", "35000_user_agent")
                waf:set_option("ignore_ruleset", "40000_generic_attack")
                waf:set_option("ignore_ruleset", "41000_sqli")
                waf:set_option("ignore_ruleset", "42000_xss")
                waf:set_option("ignore_ruleset", "90000_custom")
                waf:set_option("ignore_ruleset", "99000_scoring")
                
                waf:set_option("event_log_ngx_vars", "host")
                waf:set_option("event_log_ngx_vars", "request_id")
                waf:set_option("event_log_ngx_vars", "server_port")
                waf:set_option("event_log_request_arguments", true)
                waf:set_option("event_log_periodic_flush", 30)
                waf:set_option("allow_unknown_content_types", true)
                waf:set_option("event_log_target", "file")
                waf:set_option("event_log_target_path", "/var/log/anpwaf/eve.log")
                waf:set_option("process_multipart_body", true)
                waf:set_option("res_body_max_size", 1024 * 1024 * 2)
                waf:set_option("req_tid_header", false)
                waf:set_option("res_tid_header", false)
                waf:set_option("res_body_mime_types", { "text/plain", "text/html", "text/json", "application/json", "text/php", "text/plain", "text/x-php", "application/php", "application/x-php", "application/x-httpd-php", "application/x-httpd-php-source" })
                waf:exec()
            }
            
header_filter_by_lua_block {
                local lua_resty_waf = require "resty.waf"

                local waf = lua_resty_waf:new()


                waf:exec()
            }

body_filter_by_lua_block {
                local lua_resty_waf = require "resty.waf"

                local waf = lua_resty_waf:new()

                waf:exec()
            }

content_by_lua_block {
                local lua_resty_waf = require "resty.waf"

                local waf = lua_resty_waf:new()

                waf:exec()
            }

log_by_lua_block {
                local lua_resty_waf = require "resty.waf"

                local waf = lua_resty_waf:new()

                waf:write_log_events()
            }

            proxy_set_header    Host $host;
            proxy_set_header    X-Real-IP $remote_addr;
            proxy_set_header    X-Real-PORT $remote_port;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass          http://192.168.250.232;
        }
    }

Example scenario :
Request : http://dvwa.com/vulnerabilities/sqli/?id=33%27&Submit=Submit#
request headers :

Host: dvwa.com:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dvwa.com/vulnerabilities/sqli/
Connection: keep-alive
Cookie: PHPSESSID=f0qtsct2jtjfu4ifvl67uovira; security=low
Upgrade-Insecure-Requests: 1

response : You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''33''' at line 1

response headers :

HTTP/1.1 200 OK
Date: Sat, 20 Oct 2018 12:36:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 164
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Server: :)

mod security rule for the attack :

id:951230

Rule 951230 should deny the request by processing the response body but it doesn't do anything! Attack will done successfully!

I look forward for your respond! Thanks...
Regards,

The text was updated successfully, but these errors were encountered:

sandromodarelli · 2018-10-20T12:55:35Z

I have patched this issue and submitted the pull request #307
I hope you can test my solution and comment to the pull request so it can be marged in master branch

nimafia · 2018-10-20T13:42:12Z

Thanks for your respond,
now this is my /usr/local/openresty/site/lualib/resty/waf/collections.lua :

local _M = {}

local base      = require "resty.waf.base"
local logger    = require "resty.waf.log"
local request   = require "resty.waf.request"
local util      = require "resty.waf.util"

local string_format = string.format
local string_match  = string.match
local table_concat  = table.concat

_M.version = base.version

_M.lookup = {
        access = function(waf, collections, ctx)
                local request_headers     = ngx.req.get_headers()
                local request_var         = ngx.var.request
                local request_method      = ngx.req.get_method()
                local request_uri_args    = ngx.req.get_uri_args()
                local request_uri         = request.request_uri()
                local request_uri_raw     = request.request_uri_raw(request_var, request_method)
                local request_basename    = request.basename(waf, ngx.var.uri)
                local request_body        = request.parse_request_body(waf, request_headers, collections)
                local request_cookies     = request.cookies() or {}
                local request_common_args = request.common_args({ request_uri_args, request_body, request_cookies })
                local query_string        = ngx.var.query_string

                local query_str_size = query_string and #query_string or 0
                local body_size = ngx.var.http_content_length and tonumber(ngx.var.http_content_length) or 0

                collections.REMOTE_ADDR       = ngx.var.remote_addr
                collections.HTTP_VERSION      = ngx.req.http_version()
                collections.METHOD            = request_method
                collections.URI               = ngx.var.uri
                collections.URI_ARGS          = request_uri_args
                collections.QUERY_STRING      = query_string
                collections.REQUEST_URI       = request_uri
                collections.REQUEST_URI_RAW   = request_uri_raw
                collections.REQUEST_BASENAME  = request_basename
                collections.REQUEST_HEADERS   = request_headers
                collections.COOKIES           = request_cookies
                collections.REQUEST_BODY      = request_body
                collections.REQUEST_ARGS      = request_common_args
                collections.REQUEST_LINE      = request_var
                collections.PROTOCOL          = ngx.var.server_protocol
                collections.TX                = ctx.storage["TX"]
                collections.NGX_VAR           = ngx.var
                collections.MATCHED_VARS      = {}
                collections.MATCHED_VAR_NAMES = {}
                collections.SCORE_THRESHOLD   = waf._score_threshold

                collections.ARGS_COMBINED_SIZE = query_str_size + body_size

                local year, month, day, hour, minute, second = string_match(ngx.localtime(),
                        "(%d%d%d%d)-(%d%d)-(%d%d) (%d%d):(%d%d):(%d%d)")

                collections.TIME              = string_format("%d:%d:%d", hour, minute, second)
                collections.TIME_DAY          = day
                collections.TIME_EPOCH        = ngx.time()
                collections.TIME_HOUR         = hour
                collections.TIME_MIN          = minute
                collections.TIME_MON          = month
                collections.TIME_SEC          = second
                collections.TIME_YEAR         = year
        end,
        header_filter = function(waf, collections)
                local response_headers = ngx.resp.get_headers()

                collections.RESPONSE_HEADERS = response_headers
                collections.STATUS           = ngx.status
        end,
        body_filter = function(waf, collections, ctx)
                                if ctx.buffers == nil then
                        ctx.buffers  = {}
                        ctx.nbuffers = 0
                        ctx.res_length = 0
                        ctx.skip_buffering = false
                end
                local data  = ngx.arg[1]
                local eof   = ngx.arg[2]
                local index = ctx.nbuffers + 1
                local res_type   = collections.RESPONSE_HEADERS["content-type"]
                if not res_type or not util.table_has_key(res_type, waf._res_body_mime_types) then
                        ctx.short_circuit = not eof
                        return
                end
                if ctx.skip_buffering then
                        ctx.short_circuit = true
                        return
                else
                        ngx.arg[1] = nil
                end
                if data then
                        ctx.buffers[index] = data
                        ctx.nbuffers = index
                        ctx.res_length = ctx.res_length + string.len(data)
                end
                if eof or ctx.res_length > waf._res_body_max_size then
                        ctx.skip_buffering = true
                        local concatdata = table_concat(ctx.buffers, '')
                        collections.RESPONSE_BODY = concatdata
                        ngx.arg[1] = concatdata
                else
                        ctx.short_circuit = true
                        return
                end
                if eof then
                        ctx.short_circuit = false
                end
        end,
        log = function() end
}

return _M

I also reload openresty but it didn't change anything!!!!

rbustos · 2018-10-21T16:06:33Z

can you share : modsecurity.conf and debug?

rbustos · 2018-10-21T16:24:25Z

I did a test with same config as you and looks there is an error in your add_ruleset:

Acordding to "https://github.com/p0pr0ck5/lua-resty-waf#lua-resty-wafload_secrules"

Note that this still requires the ruleset to be added via add_ruleset (the basename of the file must be given as the key).

So I did a test as:

waf:set_option("add_ruleset", "REQUEST-901-INITIALIZATION.conf")

Where I get a 200 OK

But with:

waf:set_option("add_ruleset", "REQUEST-901-INITIALIZATION")

I get a 500

Below debug

2018/10/21 13:18:38 [error] 24742#24742: *2 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/waf.lua:524: could not find REQUEST-942-APPLICATION-ATTACK-SQLI
stack traceback:
coroutine 0:
[C]: in function 'error'
/usr/local/openresty/site/lualib/resty/waf/log.lua:45: in function 'fatal_fail'
/usr/local/openresty/site/lualib/resty/waf.lua:524: in function 'exec'
access_by_lua(lua-waf.inc:80):79: in function <access_by_lua(lua-waf.inc:80):1>, client: 127.0.0.1, server: _, request: "GET /?id=SELECT * HTTP/1.1", host: "localhost"

So my guess is your 200 is caused by your config:

                waf:set_option("add_ruleset", "REQUEST-901-INITIALIZATION**.conf**")
                waf:set_option("add_ruleset", "modsecurity**.conf**")

However even fixing this it result in 500 as error code.

rbustos · 2018-10-22T00:08:30Z

some extra tests:

to make it work path must be:

`        local ok, errs = pcall(function()
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-901-INITIALIZATION.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/crs-setup.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/modsecurity.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-905-COMMON-EXCEPTIONS.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-910-IP-REPUTATION.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-911-METHOD-ENFORCEMENT.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-912-DOS-PROTECTION.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-913-SCANNER-DETECTION.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-914-FILE-DETECTION.conf")
            --lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-921-PROTOCOL-ATTACK.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/REQUEST-949-BLOCKING-EVALUATION.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/RESPONSE-950-DATA-LEAKAGES.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/RESPONSE-959-BLOCKING-EVALUATION.conf")
            lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/RESPONSE-980-CORRELATION.conf")
        end)
`

Test : curl -svo /dev/null "http://localhost/?id=/etc/passwd"
Debug log:

`2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] translate.lua:30: warn(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var REQBODY_PROCESSOR, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] translate.lua:30: warn(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var REQBODY_PROCESSOR, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] translate.lua:30: warn(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var UNIQUE_ID, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] translate.lua:30: warn(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var DURATION, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:724: /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var REQBODY_PROCESSOR, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] waf.lua:714: load_secrules(): SecRule REQBODY_PROCESSOR !@rx (?:URLENCODED|MULTIPART|XML|JSON) id:901340, phase:1, pass, nolog, noauditlog, msg:'Enabling body inspection', tag:'paranoia-level/1', ctl:forceRequestBodyVariable=On, ver:'OWASP_CRS/3.1.0'

, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:724: /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var REQBODY_PROCESSOR, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] waf.lua:714: load_secrules(): SecRule TX:enforce_bodyproc_urlencoded @eq 1 id:901350, phase:1, pass, t:none,t:urlDecodeUni, nolog, noauditlog, msg:'Enabling forced body inspection for ASCII content', ver:'OWASP_CRS/3.1.0', chain
SecRule REQBODY_PROCESSOR !@rx (?:URLENCODED|MULTIPART|XML|JSON) ctl:requestBodyProcessor=URLENCODED

, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:724: /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var UNIQUE_ID, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] waf.lua:714: load_secrules(): SecRule UNIQUE_ID @rx ^. id:901410, phase:1, pass, t:sha1,t:hexEncode, nolog, setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'

, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] waf.lua:713: load_secrules(): /usr/local/openresty/site/lualib/resty/waf/translate.lua:724: /usr/local/openresty/site/lualib/resty/waf/translate.lua:670: no valid var DURATION, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [warn] 2661#2661: *1 [lua] waf.lua:714: load_secrules(): SecRule DURATION @rx (..)$ id:901420, phase:1, pass, capture, nolog, setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'

, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [error] 2661#2661: *1 [lua] access_by_lua(lua-waf.inc:112):72: nil, client: 127.0.0.1, server: _, request: "GET /?id=/etc/passwd HTTP/1.1", host: "localhost"
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] request.lua:31: parse_request_body(): [9399df10f117ed809e8d] Request has no content type, ignoring the body
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset crs-setup.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset modsecurity.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-901-INITIALIZATION.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-905-COMMON-EXCEPTIONS.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-910-IP-REPUTATION.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-911-METHOD-ENFORCEMENT.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-912-DOS-PROTECTION.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-913-SCANNER-DETECTION.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-914-FILE-DETECTION.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-921-PROTOCOL-ATTACK.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-930-APPLICATION-ATTACK-LFI.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-931-APPLICATION-ATTACK-RFI.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-932-APPLICATION-ATTACK-RCE.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-933-APPLICATION-ATTACK-PHP.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-941-APPLICATION-ATTACK-XSS.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-942-APPLICATION-ATTACK-SQLI.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-944-APPLICATION-ATTACK-JAVA.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset REQUEST-949-BLOCKING-EVALUATION.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset RESPONSE-950-DATA-LEAKAGES.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset RESPONSE-951-DATA-LEAKAGES-SQL.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset RESPONSE-952-DATA-LEAKAGES-JAVA.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset RESPONSE-953-DATA-LEAKAGES-PHP.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset RESPONSE-954-DATA-LEAKAGES-IIS.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset RESPONSE-959-BLOCKING-EVALUATION.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:386: _merge_rulesets(): [9399df10f117ed809e8d] Adding ruleset RESPONSE-980-CORRELATION.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:413: _merge_rulesets(): [9399df10f117ed809e8d] Ignoring ruleset 11000_whitelist
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:413: _merge_rulesets(): [9399df10f117ed809e8d] Ignoring ruleset 20000_http_violation
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:413: _merge_rulesets(): [9399df10f117ed809e8d] Ignoring ruleset 21000_http_anomaly
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:413: _merge_rulesets(): [9399df10f117ed809e8d] Ignoring ruleset 35000_user_agent
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:413: _merge_rulesets(): [9399df10f117ed809e8d] Ignoring ruleset 40000_generic_attack
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:413: _merge_rulesets(): [9399df10f117ed809e8d] Ignoring ruleset 41000_sqli
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:413: _merge_rulesets(): [9399df10f117ed809e8d] Ignoring ruleset 42000_xss
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:413: _merge_rulesets(): [9399df10f117ed809e8d] Ignoring ruleset 90000_custom
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:413: _merge_rulesets(): [9399df10f117ed809e8d] Ignoring ruleset 99000_scoring
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:512: exec(): [9399df10f117ed809e8d] Beginning run of phase access
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:515: exec(): [9399df10f117ed809e8d] Beginning ruleset REQUEST-901-INITIALIZATION.conf
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:541: exec(): [9399df10f117ed809e8d] Processing rule 901001
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:228: _build_collection(): [9399df10f117ed809e8d] Checking for collection_key TX|specific|CRS_SETUP_VERSION|nil
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:241: _build_collection(): [9399df10f117ed809e8d] Forcing cache miss
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] util.lua:228: _parse_collection(): [9399df10f117ed809e8d] Parse collection is getting a specific value: CRS_SETUP_VERSION
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:287: _process_rule(): [9399df10f117ed809e8d] Parsing dynamic pattern: 0
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] util.lua:150: parse_dynamic_value(): [9399df10f117ed809e8d] Parsed dynamic value is 0
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] waf.lua:305: _process_rule(): [9399df10f117ed809e8d] Match of rule 901001
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] actions.lua:77: [9399df10f117ed809e8d] Overriding status from 403 to 500
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] util.lua:150: parse_dynamic_value(): [9399df10f117ed809e8d] Parsed dynamic value is ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] storage.lua:131: persist(): [9399df10f117ed809e8d] Persisting storage type dict
2018/10/21 21:02:20 [debug] 2661#2661: *1 [lua] actions.lua:26: [9399df10f117ed809e8d] Rule action was DENY, so telling nginx to quit`

I've applied Sandro's patch with no luck yet

nimafia · 2018-10-22T06:02:37Z

can you share : modsecurity.conf and debug?

I haven't any error in debug! The response won't process even without loading modsecurity.conf, anyway :
modsecurity.conf:

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine On


# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On


# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "(?:text|application)/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if your application does not use 'application/json'
#
SecRule REQUEST_HEADERS:Content-Type "application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Store up to 128 KB of request body data in memory. When the multipart
# parser reachers this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072

# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_".  The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
#SecRule TX:/^MSC_/ "!@streq 0" \
#         "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"


# -- Response body handling --------------------------------------------------

# Allow ModSecurity to access response bodies. 
# You should have this directive enabled in order to identify errors
# and data leakage issues.
# 
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
SecResponseBodyAccess On

# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml

# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288

# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial


# -- Filesystem configuration ------------------------------------------------

# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
# 
# This default setting is chosen due to all systems have /tmp available however, 
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir /tmp/

# The location where ModSecurity will keep its persistent data.  This default setting 
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir /tmp/


# -- File uploads handling configuration -------------------------------------

# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/

# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly

# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600


# -- Debug log configuration -------------------------------------------------

# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3


# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/


# -- Miscellaneous -----------------------------------------------------------

# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &

# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0

# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
SecUnicodeMapFile unicode.mapping 20127

# Improve the quality of ModSecurity by sharing information about your
# current ModSecurity version and dependencies versions.
# The following information will be shared: ModSecurity version,
# Web Server version, APR version, PCRE version, Lua version, Libxml2
# version, Anonymous unique id for host.
SecStatusEngine On

Note that this still requires the ruleset to be added via add_ruleset (the basename of the file must be given as the key).

I did this in first place, but I got this error in debug :

2018/10/22 08:54:47 [error] 6731#0: *1 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/waf.lua:524: could not find REQUEST-901-INITIALIZATION
stack traceback:
coroutine 0:
[C]: in function 'error'
/usr/local/openresty/site/lualib/resty/waf/log.lua:45: in function 'fatal_fail'
/usr/local/openresty/site/lualib/resty/waf.lua:524: in function 'exec'
access_by_lua(waf-rules:74):73: in function <access_by_lua(waf-rules:74):1>, client: 192.168.250.71, server: dvwa.com, request: "GET / HTTP/1.1", host: "dvwa.com"

I got the best answer with this configuration format :
waf:set_option("add_ruleset", "REQUEST-901-INITIALIZATION.conf")

nimafia · 2018-10-22T10:02:50Z

can you share : modsecurity.conf and debug?

This issue occurs without loading modsecurity.conf too! It doesn't depend on this! There isn't any error in debug. Everything works fine and all request rules work perfect! The issue comes when we need to process response!

rbustos · 2018-10-23T01:51:45Z

I've continue testing your config and it complains on debug for crs-setup.conf as shown below

{"timestamp":1540258888,"request_headers":{"host":"myhost.tld","connection":"keep-alive","cache-control":"no-cache","referer":"http:\/\/myhost.tld\/customer\/%27%20UNION%20ALL%20SELECT%20NULL","pragma":"no-cache","user-agent":"Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36","cookie":"mwsid=2744d562255d8abc9f597572257fd9e9; csrf_token=9a3fe57137a292eaca1e0825a1294b524ffd8af7s%3A88%3A%22elZDc29JNkNFZ3pfZzM2R2l1SH5wVlM2UEY1YWZPREShbFnoXvLrgiyswd3S42mmV3_KLfBd3WKbWIc8e5VH2Q%3D%3D%22%3B","accept-language":"en-US,en;q=0.9","accept-encoding":"gzip, deflate","accept":"image\/webp,image\/apng,image\/*,*\/*;q=0.8"},"id":"e9cea3b9c25237f68e4b","method":"GET","uri":"\/static\/images\/bg.jpg","client":"172.16.100.50","alerts":[{"msg":"ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.","id":"901001","match":0},{"match":0,"id":"901100"},{"match":0,"id":"901110"},{"match":0,"id":"901120"},{"match":0,"id":"901125"},{"match":0,"id":"901130"},{"match":0,"id":"901140"},{"match":0,"id":"901141"},{"match":0,"id":"901142"},{"match":0,"id":"901143"},{"match":0,"id":"901150"},{"match":0,"id":"901152"},{"match":0,"id":"901160"},{"match":0,"id":"901162"},{"match":0,"id":"901168"},{"match":0,"id":"901163"},{"match":0,"id":"901164"},{"match":0,"id":"901165"},{"match":0,"id":"901166"},{"match":0,"id":"901167"},{"match":0,"id":"901180"},{"match":1,"id":"901318"},{"match":100,"id":"901400"},{"match":0,"id":"9001000"},{"match":0,"id":"9002000"},{"match":0,"id":"9003000"},{"match":0,"id":"9004000"},{"match":0,"id":"9005000"},{"match":0,"id":"910130"},{"match":1,"id":"910013"},{"match":1,"id":"911013"},{"match":0,"id":"912100"},{"match":1,"id":"913013"},{"match":1,"id":"914013"},{"match":1,"id":"921013"},{"match":1,"id":"930013"},{"match":1,"id":"931013"},{"match":1,"id":"932013"},{"match":1,"id":"933013"},{"match":1,"id":"941013"},{"match":1,"id":"942013"},{"match":1,"id":"943013"},{"match":1,"id":"944013"},{"match":1,"id":"949060"},{"match":1,"id":"949013"},{"match":1,"id":"980013"},{"msg":"ModSecurity internal error flagged: TX","id":"200005"}],"uri_args":{},"ngx":{"host":"myhost.tld","request_id":"f5a0c1329c3dae6d7a8394454539d28d","server_port":"80"}}

Once it is loaded with default config inside "SecDefaultAction" it fails, so Lua can't continue and shows: *2018/10/22 22:48:46 [error] 10537#10537: 3 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/waf.lua:524: could not find REQUEST-901-INITIALIZATION.conf

Some help is needed at this point..

nimafia · 2018-10-23T05:16:39Z

Thanks for your time, but I think your tests are changing the subject!
The configuration I wrote in the beginning is fine! It works like a charm! Our problem is something else!
We have a lua resty waf that works fine for the requests rules but it's not working for responses! The response body won't process normally!

rbustos · 2018-10-23T22:23:27Z

try with this:

        local deny_override = function(waf, ctx)
            ngx.log(ngx.INFO, "Overriding DENY action")
            waf:write_log_events(true, ctx)
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        waf:set_option("hook_action", "DENY", deny_override)

JeffCleverley · 2019-02-14T07:57:23Z

Hey nimafia

If you notice the Nginx+ ModSec Waf also doesn't use the response header rules.

I took part in a webinar with the Nginx sales engineers where one of the topics was ModSec performance on Nginx+ and opensource, so I queried this specifically.

He confirmed that Nginx has issues with ModSec OWASPresponse rules currently and it doesn't work, the Nginx team are 'working' to fix this.

Perhaps this is the issue?

nimafia · 2019-02-14T08:25:00Z

Hi Jeff
I tested NGINX with OWASP ModSecurity, I didn't find any problem with response rules! I tested nginx-1.14.2 and modsec crs v3.1.0-rc2; response rules are successfully worked!

JeffCleverley · 2019-02-14T08:26:38Z

I can only report what he said. We were talking about 1.15.8, but I believe I have a recording if you would like?

It was a very generic answer.

nimafia · 2019-02-14T08:44:30Z

Recording would be helpful, it might clarify some ambiguities!
Thanks for sharing...

JeffCleverley · 2019-02-14T09:00:18Z

https://www.nginx.com/resources/webinars/tls-1-3-new-features-nginx-plus-r17-nginx-open-source/

You can register there, my colleage did make a screencast but probably just as easy to sign up.

(also the modsec section included nothing of worth, so just skip to the questions at the end - I specifically asked about response rules being excluded from their rollout of Nginx Waf)

p0pr0ck5 · 2019-03-14T16:04:42Z

@GumpSun please don't hijack someone else's issue; please open your own. Thanks!

r0ny111 · 2019-04-16T02:29:06Z

@p0pr0ck5 any update on this issue ?

-- Also you can see the user is trying to get the RESPONSE_BODY in the reverse proxy mode , may be i am wrong , waf is running only in the access phase , so it wont get response body?

icodus · 2020-05-27T00:12:22Z

@nimafia body_filter_by_lua should be put below the proxy_pass. Same with header_filter_by_lua. But seems collections.lua would still need a small fix.

icodus · 2020-05-27T00:16:59Z

@p0pr0ck5 Do you still accept PRs? Or too busy and not interested anymore? :-)
Anyways - thanks for the great code and fantastic articles on cryptobells.com

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Modsecurity response rules not working! - response body won't process! #311

Modsecurity response rules not working! - response body won't process! #311

nimafia commented Oct 20, 2018 •

edited

Loading

sandromodarelli commented Oct 20, 2018 •

edited

Loading

nimafia commented Oct 20, 2018

rbustos commented Oct 21, 2018

rbustos commented Oct 21, 2018 •

edited

Loading

rbustos commented Oct 22, 2018 •

edited

Loading

nimafia commented Oct 22, 2018

nimafia commented Oct 22, 2018

rbustos commented Oct 23, 2018

nimafia commented Oct 23, 2018

rbustos commented Oct 23, 2018

JeffCleverley commented Feb 14, 2019

nimafia commented Feb 14, 2019

JeffCleverley commented Feb 14, 2019

nimafia commented Feb 14, 2019

JeffCleverley commented Feb 14, 2019 •

edited

Loading

p0pr0ck5 commented Mar 14, 2019

r0ny111 commented Apr 16, 2019 •

edited

Loading

icodus commented May 27, 2020

icodus commented May 27, 2020

Modsecurity response rules not working! - response body won't process! #311

Modsecurity response rules not working! - response body won't process! #311

Comments

nimafia commented Oct 20, 2018 • edited Loading

sandromodarelli commented Oct 20, 2018 • edited Loading

nimafia commented Oct 20, 2018

rbustos commented Oct 21, 2018

rbustos commented Oct 21, 2018 • edited Loading

rbustos commented Oct 22, 2018 • edited Loading

nimafia commented Oct 22, 2018

nimafia commented Oct 22, 2018

rbustos commented Oct 23, 2018

nimafia commented Oct 23, 2018

rbustos commented Oct 23, 2018

JeffCleverley commented Feb 14, 2019

nimafia commented Feb 14, 2019

JeffCleverley commented Feb 14, 2019

nimafia commented Feb 14, 2019

JeffCleverley commented Feb 14, 2019 • edited Loading

p0pr0ck5 commented Mar 14, 2019

r0ny111 commented Apr 16, 2019 • edited Loading

icodus commented May 27, 2020

icodus commented May 27, 2020

nimafia commented Oct 20, 2018 •

edited

Loading

sandromodarelli commented Oct 20, 2018 •

edited

Loading

rbustos commented Oct 21, 2018 •

edited

Loading

rbustos commented Oct 22, 2018 •

edited

Loading

JeffCleverley commented Feb 14, 2019 •

edited

Loading

r0ny111 commented Apr 16, 2019 •

edited

Loading