coreruleset: 10GB ModSecurity File - Tons of 920100 Warnings. Need Help Understanding Rule Violation

CRS 3.3.2 (and 4.0.0) Paranoia Level: 1 ModSecurity 3.0.8 ModSecurity-nginx connector 1.0.3 Nginx 1.23.2 Ubuntu 22.04

CSR 920100 Warnings:

I had a question over at stackoverflow about this: https://stackoverflow.com/questions/74269998/10gb-modsecurity-file-tons-of-920100-warnings-need-help-understanding-rule-vi/74322954#74322954 . The person who answered says this is a false positive and recommended that I report it here. They provided a detailed confirmation with the regex as well.

Basically, almost every webpage loaded causes the same type of error. This is an example part of the log:

---5jn0CgkO---H-- ModSecurity: Warning. Matched "Operator Rx’ with parameter ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$' against variable REQUEST_LINE’ (Value: GET /sale/kenwood-kac-6402-by-download-mauritron-221328-264064/ HTTP/2.0' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "47"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /sale/kenwood-kac-6402-by-download-mauritron-221328-264064/ HTTP/2.0"] [severity "4"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "***.***.***.***"] [uri "/sale/kenwood-kac-6402-by-download-mauritron-221328-264064/"] [unique_id "166725616876.036760"] [ref "v0,72"]

I’m fairly unversed in CSR error analysis or regex, but was hoping there was a way to fix the root cause. It sounds like I will have to write a custom exception to hide the 10GB of warnings. Note, this doesn’t appear to be blocking users, but I had so many warnings showing up in my logs that all the disk space on the web server got used up and crashed everything.

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 51 (25 by maintainers)

Most upvoted comments

@peppies @airween @theseion @dune73

I suspected it was an issue with one of the PCRE dependencies, so in order to reduce variables, I decided to reinstall without using the ondrej repository. Now I have everything working with Nginx 1.23.2 ModSecurity 3.0.8 ModSecurity-nginx 1.0.3

Also I didn’t have to touch my config files under /etc/nginx/modsec (including coreruleset-3.3.4 left alone).

How I did it:

  1. Remove ondrej repository sudo add-apt-repository --remove ppa:ondrej/nginx-mainline sudo apt update sudo apt install ppa-purge sudo ppa-purge ppa:ondrej/nginx-mainline sudo apt clean sudo apt autoremove sudo apt update

  2. Remove nginx installed from ondrej repository sudo apt remove nginx sudo apt remove nginx-common

  3. At this point there were some packages which showed error removing as still-in-use dependencies. List problem packages with: sudo apt list libpcre* --installed

For example my list included … libpcre16-3/now 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,local] libpcre3-dev/now 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,local] libpcre32-3/now 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,local] libpcre3/now 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,local] libpcrecpp0v5/now 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,local]

Then for each, show available version from ubuntu repository, example:

sudo apt list libpcre16-3 -a Listing… Done libpcre16-3/jammy-updates,jammy-security,now 2:8.39-13ubuntu0.22.04.1 amd64 libpcre16-3/jammy 2:8.39-13build5 amd64

Downgrade to version from jammy-updates repository

sudo apt install libpcre16-3=2:8.39-13ubuntu0.22.04.1

Repeat for all (5 packages downgraded in my case)

  1. Install Nginx from official Nginx mainline repository (from http://nginx.org/en/linux_packages.html#Ubuntu)

sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring

curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

echo “deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg]
http://nginx.org/packages/mainline/ubuntu lsb_release -cs nginx”
| sudo tee /etc/apt/sources.list.d/nginx.list

echo -e “Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n”
| sudo tee /etc/apt/preferences.d/99nginx

sudo apt update sudo apt install nginx

  1. Install ModSecurity and ModSecurity-nginx both from latest sources

apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre+±dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev

sudo rm -rf /usr/local/modsecurity sudo rm -rf /usr/local/src/* cd /usr/local/src

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

cd ModSecurity git submodule init git submodule update ./build.sh ./configure make sudo make install cd …

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

wget http://nginx.org/download/nginx-1.23.2.tar.gz tar zxvf nginx-1.23.2.tar.gz

cd nginx-1.23.2 ./configure --with-compat --add-dynamic-module=…/ModSecurity-nginx make modules sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules cd …

+3
Lenny1791 on Nov 7, 2022

Ha! Found it!

    std::vector<Utils::SMatchCapture> captures;
    if (re->hasError()) {
        ms_dbg_a(transaction, 3, "Error with regular expression: \"" + re->pattern + "\"");
        return false;
    }

It’s a new check int ModSecurity v3.0.7, introduced in https://github.com/SpiderLabs/ModSecurity/commit/1aa7616c189cd12226c74755b35538f4937a135e.

+3
theseion on Nov 6, 2022

@theseion

I completely uninstalled and reinstalled everything using the guide here: https://www.linuxcapable.com/how-to-install-nginx-with-modsecurity-3-on-ubuntu-22-04-lts/?mtm_campaign=reddit#Install_libmodsecurity3_for_ModSecurity

The only exception is that I followed your recommendation to install v3.0.6 of ModSecurity using:

sudo git clone --depth 1 -b v3.0.6 https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/

This did not resolve the issue, I am still seeing the same warnings with rule 920100.

+1
peppies on Nov 7, 2022

I was thinking that it might fail to compile on one of their systems. In any case, I think the next step should be to try ModSecurity v3.0.6, before the introduction of that check and PCRE2 support.

+1
theseion on Nov 6, 2022

We had two other people complain of similar, fundamental problems (and really weird problems) with ModSecurity 3 the other month: #2752. Rule 920100 was also in question, there. It all sounds very similar (although I haven’t had time to properly look at this new issue or compare them, yet.)

It really does sound like there’s a bad build or a bad release of something out there…

+1
RedXanadu on Nov 5, 2022

I took a peek at the logs. Error with regular expression looks extremely suspicious but it doesn’t seem to come from ModSecurity. Could it be comeing from PCRE?

+1
theseion on Nov 5, 2022
Read more comments on GitHub
← coreruleset: Rule: 942370: False positive 0202 - reopened
coreruleset: 942310 regular suspected error →