10GB ModSecurity File - Tons of 920100 Warnings. Need Help Understanding Rule Violation

Time:11-05

I'm fairly new to ModSecurity 3 with Nginx. I found out today that my server froze up because ModSecurity created tons of log files, 10GB each, and the server ran out of disk space. The audit log is set to "Relevant Only" to show warnings and errors. I found there are just too many warnings showing up.

After investigating, I am seeing that the vast majority (99%) of the warnings are the same, like below:

---5jn0CgkO---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$' against variable `REQUEST_LINE' (Value: `GET /sale/kenwood-kac-6402-by-download-mauritron-221328-264064/ HTTP/2.0' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "47"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /sale/kenwood-kac-6402-by-download-mauritron-221328-264064/ HTTP/2.0"] [severity "4"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "***.***.***.***"] [uri "/sale/kenwood-kac-6402-by-download-mauritron-221328-264064/"] [unique_id "166725616876.036760"] [ref "v0,72"]

I have a marketplace site where people list things for sale, so each URL that shows up here is in the same format "/sale/something-for-sale-123456/".

Can someone explain what is actually wrong with the website and how to fix it? I know how to create an exception to "hide" the warnings, but I'd like to address the root cause.

Thanks

CodePudding user response:

You didn't mention which CRS version you use; I assume it is some 3.x version.

The newest version of CRS (4.0) contains a much better description of each rule, so I suggest you first read the comment on the mentioned rule here.

As you can see there, there is a line with text: To update the regular expression run the following shell script...

In 4.0, each rule which uses @rx has a data file from which the regular expression is generated. In the case of this rule, the data file is this.

I'm sure that reading the comments will help you understand the mechanism of the rule.

Based on the regex and your log entry, I can confirm that this rule triggers if the URL looks like what you show. The detailed regex101 page is here.

To help the work of the CRS team, you should open a new issue on GitHub and give detailed information (version, etc.), because this is a false positive hit, and we want to take care of these problems.

As a workaround, you can make an exclusion like this:

# Load this before the CRS rules (e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf);
# rule 920100 runs in phase 1, so the ctl action must already be in effect by then.
# REQUEST_URI rather than REQUEST_LINE: the request line starts with the method
# ("GET /sale/..."), so @beginsWith /sale/ would never match it.
SecRule REQUEST_URI "@beginsWith /sale/" \
    "id:100001,\
    phase:1,\
    t:none,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920100"
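As an added example (not part of the original question or answer), the script below does the two things a 10GB audit log most needs: it tallies which rule IDs fire across the per-transaction `H` sections, and it re-evaluates every logged `REQUEST_LINE` against the 920100 pattern from CRS 3.3.2's REQUEST-920-PROTOCOL-ENFORCEMENT.conf. Rule 920100 is a negated match (`!@rx`), so it alerts when the regex does not match the request line; a request line that matches here "would not alert". The audit-log sample is constructed for the example (the first alert reuses the request line from the question), and Python's `re` is not libmodsecurity's PCRE, so this tells you about the pattern and the URL format, not about the engine that produced the alert.

```python
"""Triage helper for a ModSecurity audit log flooded with CRS 920100 alerts.

Added example: tallies rule IDs per H section and re-checks each logged
REQUEST_LINE against the 920100 regex. 920100 is a negated match (!@rx):
the rule alerts when the regex does NOT match, so "valid" means "no alert".
"""
import re
from collections import Counter

# Regex of CRS 3.3.2 rule 920100 (REQUEST-920-PROTOCOL-ENFORCEMENT.conf).
RULE_920100_RX = re.compile(
    r"^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*"
    r"(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?"
    r"|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"
)

# Audit log section marker, e.g. "---5jn0CgkO---H--" (H = rule messages).
SECTION_RX = re.compile(r"^---(?P<tx>[A-Za-z0-9]+)---(?P<part>[A-Z])--$")
# One alert line in an H section; in CRS output the id tag precedes the msg tag.
MSG_RX = re.compile(
    r'^ModSecurity: (?:Warning|Access denied[^.]*)\. .*?\[id "(?P<id>\d+)"\]'
    r'.*?\[msg "(?P<msg>[^"]*)"\]'
)
# The matched value, but only when the inspected variable was REQUEST_LINE.
VALUE_RX = re.compile(r"against variable `REQUEST_LINE' \(Value: `(?P<val>[^']*)' \)")


def request_line_is_valid(line):
    """True when the 920100 regex matches, i.e. the rule would not alert."""
    return RULE_920100_RX.search(line) is not None


def parse_audit_log(text):
    """Yield (tx_id, rule_id, msg, request_line) for every alert in the H sections.

    request_line is None when the alert was raised on some other variable.
    """
    tx = part = None
    for raw in text.splitlines():
        m = SECTION_RX.match(raw)
        if m:
            tx, part = m.group("tx"), m.group("part")
            continue
        if part != "H":
            continue
        m = MSG_RX.match(raw)
        if not m:
            continue
        v = VALUE_RX.search(raw)
        yield tx, m.group("id"), m.group("msg"), (v.group("val") if v else None)


def summarize(text):
    """Return (Counter of rule ids, [(tx, request_line, valid_under_regex), ...])."""
    tally = Counter()
    rechecks = []
    for tx, rule_id, _msg, req_line in parse_audit_log(text):
        tally[rule_id] += 1
        if rule_id == "920100" and req_line is not None:
            rechecks.append((tx, req_line, request_line_is_valid(req_line)))
    return tally, rechecks


# Constructed sample in the serial audit-log layout. The first alert reuses the
# request line from the question; the second transaction is made up.
SAMPLE_AUDIT_LOG = r"""---5jn0CgkO---A--
[05/Nov/2022:10:00:00 +0000] 166725616876.036760 203.0.113.10 51234 198.51.100.5 443
---5jn0CgkO---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^(?i:...)$' against variable `REQUEST_LINE' (Value: `GET /sale/kenwood-kac-6402-by-download-mauritron-221328-264064/ HTTP/2.0' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "47"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [severity "4"] [ver "OWASP_CRS/3.3.2"] [tag "attack-protocol"]
---5jn0CgkO---Z--

---7xQ2aBcD---A--
[05/Nov/2022:10:00:01 +0000] 166725616977.012345 203.0.113.11 51235 198.51.100.5 443
---7xQ2aBcD---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^(?i:...)$' against variable `REQUEST_LINE' (Value: `GET /sale/item-2/?q=a b HTTP/1.1' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "47"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [severity "4"] [ver "OWASP_CRS/3.3.2"] [tag "attack-protocol"]
ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: <script>"] [severity "2"] [ver "OWASP_CRS/3.3.2"]
---7xQ2aBcD---Z--
"""

if __name__ == "__main__":
    tally, rechecks = summarize(SAMPLE_AUDIT_LOG)
    for rule_id, n in tally.most_common():
        print(f"{n:6d}  rule {rule_id}")
    for tx, req_line, valid in rechecks:
        verdict = "matches" if valid else "does NOT match"
        print(f"{tx}: {verdict} the 920100 regex: {req_line}")
```

Point `summarize` at the real audit log (read in chunks, or one transaction at a time, for a 10GB file) and the tally shows at a glance whether 920100 is the only noise source. The re-check is the useful part for a root-cause question: the question's own request line matches the pattern, while a space inside the query string (`?q=a b`) or a path without a leading slash does not, which is the shape of request line 920100 is meant to reject.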