Description
Describe the bug
ModSecurity sometimes doesn't fully log all of the rule IDs triggered within a request. This is annoying with false positives, as you'll have to go through multiple tuning iterations just to resolve one false positive. This happens in both detection-only mode and blocking mode. I haven't been able to find a reason behind what's causing this, but I do know how to trigger the issue.
Logs and dumps
N/A (see below)
To Reproduce
I have some test payloads in my SOGo plugin that have this issue; run them against CRS using go-ftw 0.6.4:
https://coreruleset.org/docs/development/testing/
I'll be using this test as an example: https://github.com/EsadCetiner/sogo-rule-exclusions-plugin/blob/b224054707ca0d0e7b73c9af4b1ae265970baf98/tests/regression/sogo-rule-exclusions-plugin/9520130.yaml#L8
As an end user, I get a false positive like this:
---5DJqybFW---A--
[31/Jul/2024:16:30:10 +1000] 172240741056.351112 127.0.0.1 56232 127.0.0.1 8080
---5DJqybFW---B--
POST /SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin
---5DJqybFW---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}
---5DJqybFW---D--
---5DJqybFW---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a
---5DJqybFW---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 31 Jul 2024 06:30:10 GMT
Content-Length: 162
Content-Type: text/html
Connection: close
---5DJqybFW---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `REQUEST_BODY' (Value: `{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37: (516 characters omitted)' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "REQUEST_BODY={\x22categories\x22:[],\x22alarm\x22:{},\x22delta\x22:60,\x22pid\x22:\x22personal\x22,\x22type\x22:\x22task\x22,\x22completed\x22:\x222024-03-04T15:37:15.262Z\x22, \x22$hasAlarm\x22:false,\x22classification\x22:\x22confidential\x22,\x22destinationCalendar\x22:\x22pers (429 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUnio0,1o1,1o12,1o14,1o15,1o17,1o23,1o25,1o26,1o28,1o34,1o39,1o43,1o45,1o54,1o56,1o61,1o63,1o68,1o70,1o80,1o82,1o107,1o109,1o110,1o111,1o120,1o128,1 (526 characters omitted)"]
ModSecurity: Warning. Matched "Operator `EndsWith' with parameter `.localhost' against variable `TX:rfi_parameter_ARGS:json.attachUrls.array_0.value' (Value: `.example.com' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"] [line "116"] [id "931130"] [rev ""] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: https://example.com found within TX:rfi_parameter_ARGS:json.attachUrls.array_0.value: .example.com"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-rfi"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/175/253"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o0,19o8,11v30,20"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completedDate' (Value: `2024-03-05' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completedDate: 2024-03-05"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUnio4,4o4,4v19,10t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `41' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 41)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref ""]
So then I create a rule exclusion, thinking it'll fix the issue:
SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/[^/]+\.ics/saveAsTask$" \
"id:1,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=942432;ARGS:json.completedDate,\
ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_0.value,\
ctl:ruleRemoveTargetById=920273;REQUEST_BODY"
Then later on I encounter the exact same false positive with the exact same payload:
---ibRMdl5Z---A--
[02/Aug/2024:13:12:32 +1000] 17225683525.862245 127.0.0.1 49264 127.0.0.1 8080
---ibRMdl5Z---B--
POST /SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin
---ibRMdl5Z---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}
---ibRMdl5Z---D--
---ibRMdl5Z---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a
---ibRMdl5Z---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 02 Aug 2024 03:12:32 GMT
Content-Length: 162
Content-Type: text/html
Connection: close
---ibRMdl5Z---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS_NAMES:json.$hasAlarm=json.$hasAlarm"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -65E5EA80- found within ARGS:json.id: 1BB-65E5EA80-1-7B69C580.ics"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref ""]
---ibRMdl5Z---I--
Now I have to modify my previous rule exclusion to exclude the new rule IDs showing up:
SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/[^/]+\.ics/saveAsTask$" \
"id:1,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=920273;ARGS_NAMES:json.$hasAlarm,\
ctl:ruleRemoveTargetById=942432;ARGS:json.completedDate,\
ctl:ruleRemoveTargetById=942432;ARGS:json.id,\
ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_0.value,\
ctl:ruleRemoveTargetById=920273;REQUEST_BODY"
But if you pay attention to the anomaly score, you'll see that there's a score of 28 but only 2 rules have been logged (both adding up to 8 points). I'll have to do a few more iterations before this false positive can be fully resolved.
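The check described above (comparing the points of the rules that actually appear in section H against the total reported by 949110) can be automated, so the gap is visible on the first tuning pass instead of after a few iterations. The script below is an added example, not part of this report or of ModSecurity/CRS. It assumes the CRS v4 default anomaly points per severity (critical 5, error 4, warning 3, notice 2; these are set in crs-setup.conf and may differ on a tuned install) and it reads the numeric syslog severity from the `[severity "N"]` field. The sample log is a shortened, constructed copy of the second audit entry above (tags elided, the 942432 regex replaced by a placeholder); the `reconcile` and `exclusion_targets` helpers are hypothetical names.

```python
"""Reconcile the CRS anomaly score reported by 949110 against the rules actually logged
in a ModSecurity v3 audit log (section H), and render exclusion targets for the ones seen."""
import re
from dataclasses import dataclass

# Assumption: CRS v4 default anomaly points (tx.critical_anomaly_score etc. in crs-setup.conf).
# ModSecurity logs the numeric syslog severity: 2=CRITICAL, 3=ERROR, 4=WARNING, 5=NOTICE.
SEVERITY_POINTS = {2: 5, 3: 4, 4: 3, 5: 2}

ID_RE = re.compile(r'\[id "(\d+)"\]')
SEV_RE = re.compile(r'\[severity "(\d+)"\]')
VAR_RE = re.compile(r"against variable `([^']*)' \(Value:")
TOTAL_RE = re.compile(r"Total Score: (\d+)")  # msg of the 949110 evaluation rule


@dataclass
class Match:
    rule_id: str
    variable: str
    severity: int
    points: int


def parse_section_h(lines):
    """Return (list of Match, reported total score or None) from section H lines."""
    matches, reported = [], None
    for line in lines:
        if not line.startswith("ModSecurity: "):
            continue  # section markers, headers, body: not rule messages
        total = TOTAL_RE.search(line)
        if total:  # the blocking-evaluation rule carries the total, it is not scored itself
            reported = int(total.group(1))
            continue
        rid, sev, var = ID_RE.search(line), SEV_RE.search(line), VAR_RE.search(line)
        if not (rid and sev):
            continue
        severity = int(sev.group(1))
        matches.append(Match(rid.group(1), var.group(1) if var else "?",
                             severity, SEVERITY_POINTS.get(severity, 0)))
    return matches, reported


def reconcile(lines):
    """Sum the points of logged rules and compare with the reported inbound score."""
    matches, reported = parse_section_h(lines)
    accounted = sum(m.points for m in matches)
    return {
        "logged_rules": [(m.rule_id, m.variable, m.points) for m in matches],
        "accounted": accounted,
        "reported": reported,
        # A positive gap means rules contributed to the score without being logged.
        "unaccounted": None if reported is None else reported - accounted,
    }


def exclusion_targets(matches):
    """Render ctl:ruleRemoveTargetById actions for the matches that were logged."""
    return [f"ctl:ruleRemoveTargetById={m.rule_id};{m.variable}" for m in matches]


# Constructed sample: shortened copy of the second audit entry's section H above.
SAMPLE_SECTION_H = """---ibRMdl5Z---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS_NAMES:json.$hasAlarm=json.$hasAlarm"] [severity "2"] [ver "OWASP_CRS/4.5.0"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `<regex elided>' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [severity "4"] [ver "OWASP_CRS/4.5.0"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"]
---ibRMdl5Z---I--
"""

if __name__ == "__main__":
    result = reconcile(SAMPLE_SECTION_H.splitlines())
    for rule_id, variable, points in result["logged_rules"]:
        print(f"{rule_id} on {variable}: {points} points")
    print(f"accounted={result['accounted']} reported={result['reported']} "
          f"unaccounted={result['unaccounted']}")
    for action in exclusion_targets(parse_section_h(SAMPLE_SECTION_H.splitlines())[0]):
        print(action)
```

Run against the sample, it reports 8 points accounted for against a total of 28, i.e. 20 points from rules that never reached the audit log, which is the discrepancy the report describes; on a real install, feed it one `---H--` section at a time and treat any non-zero `unaccounted` as a sign that the exclusion is not finished yet.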
Expected behavior
I should be able to see all of the rule IDs triggered the first time so I can fully resolve the false positive the first time. Something like this:
---ibRMdl5Z---A--
[02/Aug/2024:13:12:32 +1000] 17225683525.862245 127.0.0.1 49264 127.0.0.1 8080
---ibRMdl5Z---B--
POST /SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: close
Content-Length: 616
Content-Type: application/json;charset=UTF-8
Host: localhost
User-Agent: SOGo rule exclusions plugin
---ibRMdl5Z---C--
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z", "$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true, "id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}], "summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test", "location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}
---ibRMdl5Z---D--
---ibRMdl5Z---E--
<html>\x0d\x0a<head><title>404 Not Found</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>404 Not Found</h1></center>\x0d\x0a<hr><center>nginx/1.18.0 (Ubuntu)</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a
---ibRMdl5Z---F--
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 02 Aug 2024 03:12:32 GMT
Content-Length: 162
Content-Type: text/html
Connection: close
---ibRMdl5Z---H--
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `REQUEST_BODY' (Value: `{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37: (516 characters omitted)' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "REQUEST_BODY={\x22categories\x22:[],\x22alarm\x22:{},\x22delta\x22:60,\x22pid\x22:\x22personal\x22,\x22type\x22:\x22task\x22,\x22completed\x22:\x222024-03-04T15:37:15.262Z\x22, \x22$hasAlarm\x22:false,\x22classification\x22:\x22confidential\x22,\x22destinationCalendar\x22:\x22pers (429 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUnio0,1o1,1o12,1o14,1o15,1o17,1o23,1o25,1o26,1o28,1o34,1o39,1o43,1o45,1o54,1o56,1o61,1o63,1o68,1o70,1o80,1o82,1o107,1o109,1o110,1o111,1o120,1o128,1 (526 characters omitted)"]
ModSecurity: Warning. Matched "Operator `EndsWith' with parameter `.localhost' against variable `TX:rfi_parameter_ARGS:json.attachUrls.array_0.value' (Value: `.example.com' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"] [line "116"] [id "931130"] [rev ""] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: https://example.com found within TX:rfi_parameter_ARGS:json.attachUrls.array_0.value: .example.com"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-rfi"] [tag "paranoia-level/2"] [tag "OWASP_CRS"] [tag "capec/1000/152/175/253"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o0,19o8,11v30,20"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completedDate' (Value: `2024-03-05' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completedDate: 2024-03-05"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172240741056.351112"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUnio4,4o4,4v19,10t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS_NAMES:json.$hasAlarm' (Value: `json.$hasAlarm' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS_NAMES:json.$hasAlarm=json.$hasAlarm"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUnio5,1v0,14t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.id' (Value: `1BB-65E5EA80-1-7B69C580.ics' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -65E5EA80- found within ARGS:json.id: 1BB-65E5EA80-1-7B69C580.ics"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUnio3,10o3,10v8,27t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS:json.attachUrls.array_0.value' (Value: `https://example.com/' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1801"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS:json.attachUrls.array_0.value=https://example.com/"] [severity "2"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172256882058.056791"] [ref "o6,1o7,1o19,1v30,20t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})' against variable `ARGS:json.completed' (Value: `2024-03-04T15:37:15.262Z' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1952"] [id "942432"] [rev ""] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] [data "Matched Data: -03- found within ARGS:json.completed: 2024-03-04T15:37:15.262Z"] [severity "4"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "172256882058.056791"] [ref "o4,4o4,4v15,10t:urlDecodeUnio4,4o4,4v11,24t:urlDecodeUnio4,4o4,4v13,10t:urlDecodeUnio4,4o4,4v9,24t:urlDecodeUnio4,4o4,4v15,24t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.5.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "127.0.0.1"] [uri "/SOGo/so/user@example.com/Calendar/mycalendar/calendar.ics/saveAsTask"] [unique_id "17225683525.862245"] [ref ""]
---ibRMdl5Z---I--
Server:
- ModSecurity version: ModSecurity v3.0.12 with nginx-connector v1.0.3
- WebServer: Nginx 1.18.0
- OS (and distro): Ubuntu 22.04
Rule Set: CRSv4.5.0
Additional context
N/A