modsecurity-spoa's People

Contributors

dependabot[bot], gmartinez-sisti, jcmoraisjr, mat1010, sealneaward, zgcasas

modsecurity-spoa's Issues

Haproxy doesn't send requests to ModSecurity

CentOS 7, HAProxy version 2.4.17-9f97155 2022/05/13

Hello!

I'm using the docker image from this repo with the default configs.
I start it with the following command so that it listens only on localhost:

    docker run -d -p 127.0.0.1:12345:12345 -v $PWD/modsecurity:/etc/modsecurity quay.io/jcmoraisjr/modsecurity-spoa -n 1

In haproxy.cfg I added:

frontend portal 
    bind 0.0.0.0:9443 ssl crt /etc/haproxy/xxx.pem 
    bind 0.0.0.0:9080
    mode http
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    ........

backend spoe-modsecurity
    mode tcp
    server modsec-spoa1 127.0.0.1:12345

But in the docker logs of the ModSecurity container I don't see any connected clients, and requests aren't blocked:

Using options: -n 1
Using config files:
  - /etc/modsecurity/modsecurity.conf
  - /etc/modsecurity/owasp-modsecurity-crs.conf
1655810827.029327 [00] ModSecurity for nginx (STABLE)/2.9.5 (http://www.modsecurity.org/) configured.
1655810827.029356 [00] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
1655810827.029362 [00] ModSecurity: PCRE compiled version="8.44 "; loaded version="8.44 2020-02-12"
1655810827.029366 [00] ModSecurity: YAJL compiled version="2.1.0"
1655810827.029369 [00] ModSecurity: LIBXML compiled version="2.9.12"
1655810827.029419 [00] ModSecurity: StatusEngine call: "2.9.5,nginx,1.7.0/1.7.0,8.44/8.44 2020-02-12,(null),2.9.12,18"
1655810832.034177 [00] ModSecurity: StatusEngine call failed. Query: GIXDSLRVFRXGO2LOPAWDCLRXFYYC6MJO.G4XDALBYFY2DILZYFY2DIIBSGAZDALJQ.GIWTCMRMFBXHK3DMFEWDELRZFYYTELBR.HA.1655810827.status.modsecurity.org
1655810837.040252 [01] 0 clients connected
1655810842.040895 [01] 0 clients connected
1655810847.037005 [01] 0 clients connected
1655810852.040456 [01] 0 clients connected
1655810857.037018 [01] 0 clients connected
1655810862.038020 [01] 0 clients connected
1655810867.037991 [01] 0 clients connected
1655810872.037994 [01] 0 clients connected

In my identical test environment everything is OK; malicious requests are successfully blocked.

Can you help me, please?

centos 7

Can I use the modsec and haproxy config on a CentOS 7 bare-metal server? I need a security config for SQL injection, placed on haproxy.

Version update

Hi @jcmoraisjr,

Great work on this project.

Are there any plans to update modsecurity and haproxy versions? I can send a pull request if you like, but would like to know how you test this.

Regards

StatusCallEngine Call Failed

I am trying to set this up, but I'm currently getting a "StatusCallEngine call failed" error:

See Logs:
1656043101.401659 [00] ModSecurity: LIBXML compiled version="2.9.12"
1656043101.401849 [00] ModSecurity: StatusEngine call: "2.9.5,nginx,1.7.0/1.7.0,8.44/8.44 2020-02-12,(null),2.9.12,d1"
1656043106.408018 [00] ModSecurity: StatusEngine call failed. Query: GIXDSLRVFRXGO2LOPAWDCLRXFYYC6MJO.G4XDALBYFY2DILZYFY2DIIBSGAZDALJQ.GIWTCMRMFBXHK3DMFEWDELRZFYYTELDE.GE.165604310

I am also trying to set this up as an external waf for pfsense 2.6 haproxy.

Multipart parsing error: Multipart: Final boundary missing

Hi,

We keep getting this error message when trying to upload using multipart/form-data:

1665630094.604893 [00] [client 127.0.0.1] ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "74"] [id "200002"] [msg "Failed to parse request body."] [data "Multipart parsing error: Multipart: Final boundary missing."] [severity "CRITICAL"] [hostname "8e9f8da27b98"] [uri "https://xxxxxx/admin/settlement/upload"] [unique_id ""]

Please help

Feature Request: Multi-Platform Image

Thank you for all your hard work, we have been using ModSecurity with your HAProxy Ingress chart for a while.

We recently migrated our cluster to arm64, so in order to continue using ModSecurity with HAProxy, we need to maintain our own container image based on your https://github.com/jcmoraisjr/modsecurity-spoa/blob/master/rootfs/Dockerfile.

Would it be possible to add linux/arm64 as a platform in your image?

Tweak readme.MD

Hey,

first of all I would like to say thanks a ton for sharing this with the world, but could you please tweak the command line for running the agent, since some people don't know how to expose the docker service, from

    $ docker run quay.io/jcmoraisjr/modsecurity-spoa [options] [-- <config-file1> [<config-file2> ...] ]

into

    $ docker run -p 12345:12345 quay.io/jcmoraisjr/modsecurity-spoa [options] [-- <config-file1> [<config-file2> ...] ]

just my 0.2$

Plans to move to V3 of ModSecurity?

We are observing serious issues with memory consumption on V2 of ModSecurity in our kubernetes clusters.
When we run performance tests against our application deployments, the ModSecurity containers just accrue memory to absurd levels, and no garbage collection is done once the performance test is finished.
Right now we are just deleting and redeploying the ModSecurity deployment before each performance test to mitigate this problem, but we are looking for a long-term solution.

From what I've read on different issues pages, it looks like there are a lot of memory leaks that can occur in V2 of ModSecurity that are fixed in V3.
I was wondering if there are plans to upgrade the ModSecurity version to V3?

Suppress logging of "clients connected" possible?

When running the docker image, the logs are quite big, with "x clients connected" being logged all the time.
It is not that easy to find the "real" errors.
Is there a way to set the log mode to "info/warning/error"?
I only found the "-d" switch for activating debug.
Thanks in advance
/Frank

Request to spoa does not send original source ip

I noticed that the requests are coming from the source IP of the haproxy (which in my case is 127.0.0.1) and not from the original source IP address. Is there a way to pass this argument to the spoa agent and log it in the debug log?

The problem is that some rules can't be applied - I'm thinking of geoip blocking or reputation blocking.

I already tried to add ip=src to the spoe-message configuration without success.

thanks in advance!

403 on id 920420 for ActiveSync traffic

Hi.

I've implemented your code and I seem to have everything in order. When I introduce it in front of my Exchange 2013 server, the traffic does get blocked with the following error:

1586248130.204504 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "914"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "application/vnd.ms-sync.wbxml"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "8b9ea79884c8"] [uri "http://<server>/Microsoft-Server-ActiveSync"] [unique_id ""]

I then moved on to changing my main config files (crs-setup.conf and owasp-modsecurity-crs.conf - some confusion as to which file to use) as follows:

  • uncommented rule 900220 and added application/vnd.ms-sync.wbxml:

SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=application/vnd.ms-sync.wbxml|application/x-www-form-urlencoded|
(setvar line capped for readability)

This does not change the behaviour and the same error is still logged and clients getting 403.

Any insights?

setvar from haproxy

Hi,

I'm using this in front of a wordpress and a nextcloud. I would like to apply custom application exclusions depending on the subdomain. I see from crs-setup.conf:

# It is recommended if you run multiple web applications on your site to limit
# the effects of the exclusion to only the path where the excluded webapp
# resides using a rule similar to the following example:
# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1

And if I activate it as it is, modsecurity fails. I assume that this is the rule that should go in the apache vhost when using it with modsecurity.

Is there any way we could set a subdomain ACL in haproxy and setvar one exclusion or another prior to sending the request to the modsecurity container using this spoa?

Or maybe the only option is to create one modsecurity container and one spoa config for each application?

Thanks.

Transfer of real client IP

Hello, I'm testing modsec and haproxy. In the logs of my container, the client IP is always 127.0.0.1.
Example:
1697202928.470503 [00] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
I can't find how to make it work with the real client IP.
Please tell me what needs to be done.
