Build without docker succeeds but modsecurity is not working #70

Open
labros-zotos opened this issue Apr 23, 2024 · 0 comments

labros-zotos commented Apr 23, 2024

Hi, I have used modsecurity-spoa successfully by building the container image from the Dockerfile you include.

For my application I wanted to build it directly in an Ubuntu 22.04 server VM.
I basically follow the steps/commands included in the Dockerfile, making the necessary changes to point to the correct library paths, and I am just not using tini.

I successfully build the modsecurity spoa (I ensured I use all the same apache, apr, apr-util, libxml, pcre... library versions that the docker container uses) and it runs and communicates with my HAProxy service.

But when I try it, modsecurity never returns code 403 for requests that should and do get blocked by modsecurity-spoa when run with Docker.

More specifically, after enabling debugging I get the following different logs for the two setups (Docker, Ubuntu):

Modsecurity-spoa Docker:

New Client connection accepted and assigned to worker
read_frame_cb
New Frame of 129 bytes received
Decode HAProxy HELLO frame
Supported versions : 2.0
HAProxy maximum frame size : 16380
HAProxy capabilities : pipelining,async
HAProxy supports frame pipelining
HAProxy supports asynchronous frame
HAProxy engine id : 480064ad-1d90-4ad7-8602-22015c8187b8
Encode Agent HELLO frame
Agent version : 2.0
Agent maximum frame size : 16380
Agent capabilities :
write_frame_cb
Frame of 54 bytes send
read_frame_cb
New Frame of 448 bytes received
Decode HAProxy NOTIFY frame
STREAM-ID=19 - FRAME-ID=1 - unfragmented frame received - frag_len=0 - len=448 - offset=7
Process frame messages : STREAM-ID=19 - FRAME-ID=1 - length=441 bytes
Process SPOE Message 'check-request'
[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:host. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.122.37"] [severity "WARNING"] [ver "OWASP_CRS/3.3.5"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "7673d7acd20e"] [uri "http://192.168.122.37/"] [unique_id ""]
Encode Agent ACK frame
STREAM-ID=19 - FRAME-ID=1
Add action : set variable code=403
write_frame_cb
Frame of 22 bytes send
read_frame_cb
New Frame of 391 bytes received
Decode HAProxy NOTIFY frame
STREAM-ID=21 - FRAME-ID=1 - unfragmented frame received - frag_len=0 - len=391 - offset=7
Process frame messages : STREAM-ID=21 - FRAME-ID=1 - length=384 bytes
Process SPOE Message 'check-request'
New Client connection accepted and assigned to worker 04
read_frame_cb
New Frame of 129 bytes received
Decode HAProxy HELLO frame
Supported versions : 2.0
HAProxy maximum frame size : 16380
HAProxy capabilities : pipelining,async
HAProxy supports frame pipelining
HAProxy supports asynchronous frame
HAProxy engine id : 480064ad-1d90-4ad7-8602-22015c8187b8
Encode Agent HELLO frame
Agent version : 2.0
Agent maximum frame size : 16380
Agent capabilities : 
write_frame_cb
Frame of 54 bytes send
[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:host. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.122.37"] [severity "WARNING"] [ver "OWASP_CRS/3.3.5"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "7673d7acd20e"] [uri "http://192.168.122.37/favicon.ico"] [unique_id ""]
Encode Agent ACK frame
STREAM-ID=21 - FRAME-ID=1
Add action : set variable code=403
write_frame_cb
Frame of 22 bytes send

Modsecurity-spoa built in Ubuntu 22 VM:

New Client connection accepted and assigned to worker
read_frame_cb
New Frame of 129 bytes received
Decode HAProxy HELLO frame
Supported versions : 2.0
HAProxy maximum frame size : 16380
HAProxy capabilities : pipelining,async
HAProxy supports frame pipelining
HAProxy supports asynchronous frame
HAProxy engine id : 480064ad-1d90-4ad7-8602-22015c8187b8
Encode Agent HELLO frame
Agent version : 2.0
Agent maximum frame size : 16380
Agent capabilities :
write_frame_cb
Frame of 54 bytes send
read_frame_cb
New Frame of 472 bytes received
Decode HAProxy NOTIFY frame
STREAM-ID=23 - FRAME-ID=1 - unfragmented frame received - frag_len=0 - len=472 - offset=7
Process frame messages : STREAM-ID=23 - FRAME-ID=1 - length=465 bytes
Process SPOE Message 'check-request'
Encode Agent ACK frame
STREAM-ID=23 - FRAME-ID=1
Add action : set variable code=4294967195
write_frame_cb
Frame of 30 bytes send
New Client connection accepted and assigned to worker 02
read_frame_cb
New Frame of 391 bytes received
Decode HAProxy NOTIFY frame
STREAM-ID=25 - FRAME-ID=1 - unfragmented frame received - frag_len=0 - len=391 - offset=7
Process frame messages : STREAM-ID=25 - FRAME-ID=1 - length=384 bytes
Process SPOE Message 'check-request'
read_frame_cb
Encode Agent ACK frame
STREAM-ID=25 - FRAME-ID=1
Add action : set variable code=4294967195
write_frame_cb
Frame of 30 bytes send
New Frame of 129 bytes received
Decode HAProxy HELLO frame
Supported versions : 2.0
HAProxy maximum frame size : 16380
HAProxy capabilities : pipelining,async
HAProxy supports frame pipelining
HAProxy supports asynchronous frame
HAProxy engine id : 480064ad-1d90-4ad7-8602-22015c8187b8
Encode Agent HELLO frame
Agent version : 2.0
Agent maximum frame size : 16380
Agent capabilities :
write_frame_cb
Frame of 54 bytes send

I understand this may not be directly an issue with your code, as you intended it to be used with Docker, but I would greatly appreciate it if you had any suggestion on how to go about fixing this issue.
I have also enabled SecDebugLog and SecDebugLogLevel 9, and while the OWASP configuration is the same for the two setups, when modsecurity-spoa is run locally on Ubuntu it does not trigger any rule.

Thank you.

@labros-zotos labros-zotos changed the title Build outside docker succeeds but modsecurity is not working Build without docker succeeds but modsecurity is not working Apr 23, 2024
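
An added triage example, not part of the original issue or the project's code: it reads debug lines in the format quoted above, pairs each ACK frame with the `code` the agent set, and reinterprets that value as a signed 32-bit integer, which shows that `4294967195` is `-101` rather than an HTTP status. The function names and the verdict labels are assumptions of this example, as is treating a negative value as "no usable verdict"; the issue does not say what `-101` means.

```python
import re

# Constructed sample in the debug-line format quoted in the issue (trimmed).
SAMPLE = """\
Process SPOE Message 'check-request'
[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). [id "920350"]
Encode Agent ACK frame
STREAM-ID=19 - FRAME-ID=1
Add action : set variable code=403
Process SPOE Message 'check-request'
Encode Agent ACK frame
STREAM-ID=23 - FRAME-ID=1
Add action : set variable code=4294967195
"""

# The ACK form is exactly "STREAM-ID=n - FRAME-ID=n"; NOTIFY lines carry more text.
STREAM = re.compile(r"^STREAM-ID=(\d+) - FRAME-ID=(\d+)\s*$")
ACTION = re.compile(r"^Add action : set variable code=(\d+)\s*$")
DENIED = re.compile(r"ModSecurity: Access denied with code (\d+)")

def as_int32(value):
    """Reinterpret an unsigned 32-bit value as signed two's complement."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def classify(raw):
    """Label the logged code (labels are this example's own, hypothetical)."""
    if as_int32(raw) < 0:
        return "negative"      # assumption: not a verdict, investigate the agent
    if raw == 0:
        return "pass"
    return "http-status" if 100 <= raw <= 599 else "unexpected"

def triage(log_text):
    """Return one record per 'set variable code=' action found in the log."""
    results, stream, rule_hit = [], None, False
    for line in log_text.splitlines():
        if DENIED.search(line):
            rule_hit = True    # heuristic: worker output can interleave
        elif (m := STREAM.match(line)):
            stream = int(m.group(1))
        elif (m := ACTION.match(line)):
            raw = int(m.group(1))
            results.append({"stream": stream, "raw": raw, "signed": as_int32(raw),
                            "kind": classify(raw), "rule_hit": rule_hit})
            stream, rule_hit = None, False
    return results

if __name__ == "__main__":
    for record in triage(SAMPLE):
        print(record)
```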