Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tip to get this plugin working #25

Open
STonEDSTonE opened this issue May 9, 2023 · 1 comment
Open

Tip to get this plugin working #25

STonEDSTonE opened this issue May 9, 2023 · 1 comment

Comments

@STonEDSTonE
Copy link

Hi,

i just installed ModSecurity (2.9.7) and OWASP_CRS (3.3.4) for my Nextcloud installation.
As expected, nothing worked anymore, which is why I tried to install this plugin by following the mentioned https://coreruleset.org/docs/concepts/plugins/#how-to-install-a-plugin
So I created the crs/plugins folder and placed the config files inside that folder:

media@media-server:~$ ls -l /etc/modsecurity/crs/plugins/
total 28
-rw-r--r-- 1 root root 22806 Mai  9 12:14 nextcloud-rule-exclusions-before.conf
-rw-r--r-- 1 root root  1634 Mai  9 12:14 nextcloud-rule-exclusions-config.conf

But I saw no difference in appearance (browser apps do not work, desktop client can't connect) and in the audit.log, as if the plugin does not load at all:

sudo tail -f /var/log/apache2/modsec_audit.log
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "44"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 192.168.X.X] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "44"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "REDACTED.ddns.net"] [uri "/ocs/v2.php/apps/user_status/api/v1/heartbeat"] [unique_id "ZFoiGy9GqzS5o9NoQUbhiAAAAAo"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 192.168.X.X] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "REDACTED.ddns.net"] [uri "/ocs/v2.php/apps/user_status/api/v1/heartbeat"] [unique_id "ZFoiGy9GqzS5o9NoQUbhiAAAAAo"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 192.168.X.X] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"] [hostname "REDACTED.ddns.net"] [uri "/index.php/error/403"] [unique_id "ZFoiGy9GqzS5o9NoQUbhiAAAAAo"]
Action: Intercepted (phase 2)
Apache-Handler: proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost
Stopwatch: 1683628571613387 72442 (- - -)
Stopwatch2: 1683628571613387 72442; combined=5290, p1=648, p2=4462, p3=0, p4=0, p5=180, sr=138, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); OWASP_CRS/3.3.4.
Server: Apache/2.4.57 (Ubuntu)
Engine-Mode: "ENABLED"

So I went digging for a bit.
Apache should load the CRS from here:

media@media-server:~$ cat /etc/apache2/mods-enabled/security2.conf
<IfModule security2_module>
        ...
	# Include OWASP ModSecurity CRS rules if installed
	IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load
</IfModule>

And in the .load file it should load the config files:

media@media-server:~$ cat /usr/share/modsecurity-crs/owasp-crs.load
##
## This file loads OWASP CRS's rules when the package is installed
## It is Included by libapache2-mod-security2
##
Include /etc/modsecurity/crs/crs-setup.conf
IncludeOptional /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/share/modsecurity-crs/rules/*.conf
IncludeOptional /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

I felt like there should be a Include in that file for the plugins, so i put those in myself:
Include /etc/modsecurity/crs/plugins/-config.conf
Include /etc/modsecurity/crs/plugins/
-before.conf

And now it works.
That took me a bit of time so I thought I would share this here, it would be nice if this information could be put into https://github.com/coreruleset/nextcloud-rule-exclusions-plugin#installation so others can save some time and hassle :)

@azurit
Copy link
Member

azurit commented May 11, 2023

Hi,

you can find this information here:
https://coreruleset.org/docs/concepts/plugins/#how-do-plugins-work-conceptually

Plugins are a new feature which will be included in CRS 4.0, so older versions are not prepared for them and needs to be adjusted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants