Modsecurity + Nginx Only warnings in log file, no blocking of attacks

[AnnuA]

I have Nginx 1.14.0, Modsecurity 3 with nginx connector. Owasp 3.0.0. Ubuntu -14.04.

Modsecurity is not blocking attacks although warning logs can be seen in /var/log/modsec_audit.log.
Also, I do have SecRuleEngine On in my modsecurity.conf.
Also, replaced "Include /usr/local/owasp-modsecurity-crs/rules/*.conf" with list of individual conf file as answered in SpiderLabs/owasp-modsecurity-crs#777 .
Why it is not blocking the attack?

Below is my /etc/nginx/conf.d/default.conf file contents:

server {
    listen       80;
    server_name  localhost;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        proxy_pass http://192.168.100.145:8080/;
    }

Is it something related with anomaly score? because attack is blocked when Self-contained mode is enabled instead of Anomaly mode(Default) in /usr/local/owasp-modsecurity-crs-3.0.0/crs-setup.conf.

I have attached modsec_audit.log.
modsec_audit.log

[victorhora]

Hi @AnnuA,

Are you using the latest codebase of ModSecurity 3 from master?

By looking at your audit logs I think there's a chance that your issue is related with issue owasp-modsecurity/ModSecurity#1808.

You could maybe try with an earlier version (e.g. 3.0.2 / 3.0.1) OR test it with applying owasp-modsecurity/ModSecurity#1810 to see if the issue persists?

[AnnuA]

Yes @victorhora , I am using latest codebase.
I have tried using TX.PARANOIA_LEVEL instead tx.paranoia_level, still does not work.
Can you please send me the link for codebase 3.0.1.

[AnnuA]

I have installed modsecurity from branch v3/twaf/v3.0.2.
Now, it is working.

[victorhora]

Ok @AnnuA, so it might be related with owasp-modsecurity/ModSecurity#1808. You can keep using 3.0.2 until the fix is applied to the master. As I've mentioned, there's also an experimental fix that you can also try.

By the way, you can use the branch v3/twaf/v3.0.2 as you've mentioned, but the official releases are available here: https://github.com/SpiderLabs/ModSecurity/releases

Thanks for the feedback.

[victorhora]

As pointed out by @zimmerle at owasp-modsecurity/ModSecurity#1808 (comment), this has been fixed by commit owasp-modsecurity/ModSecurity@d810de9.
So please clone the current code at master and the issue should be fixed.

Closing this one. If the issue persists, let us know and we can reopen. Thanks.