Description
Describe the bug
We are missing transaction logs for some of the blocked requests.
Logs and dumps
188#188: *3490527 [client my.ip] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `20' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.4.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "192.168.66.83"] [uri "/courses"] [unique_id "174185963544.478079"] [ref ""]
Output of:
- DebugLogs (level 9)
- AuditLogs
- Error logs
- If there is a crash, the core dump file.
Notice: Be careful to not leak any confidential information.
To Reproduce
Steps to reproduce the behavior:
curl -v "http://domain.com/?q=<script>alert('XSS')</script>"
trigger XSS rules
https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Expected behavior
Transaction logs for all requests
Server (please complete the following information):
- ModSecurity version (and connector): [e.g. ModSecurity v3.0.12 with nginx-connector v1.0.3]
- WebServer: [nginx-1.25.5]
- OS (and distro): [e.g. Linux, kubernetes]
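One way to measure the gap described in this report is to correlate the `unique_id` of each "Access denied" line in the nginx error log with the transaction ids present in the audit log. The script below is an added example, not part of the original report or of ModSecurity itself. It assumes the audit log is written in the Native serial format (a `---<boundary>---A--` line followed by a header line that carries the unique id), and the function names and all sample log lines other than the id quoted in the report are constructed.

```python
import re

# unique_id of every transaction the error log reports as blocked
DENIED = re.compile(r'ModSecurity: Access denied.*?\[unique_id "([^"]+)"\]')
# Assumed Native audit format: "---<boundary>---A--", then
# "[timestamp] <unique_id> <client ip> <client port> <host ip> <host port>"
SECTION_A = re.compile(r'^---\w+---A--$')
A_HEADER = re.compile(r'^\[[^\]]+\]\s+(\S+)')

# Constructed sample input: two blocked requests and one warning-only entry
ERROR_LOG = [
    '188#188: *3490527 [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [uri "/courses"] [unique_id "174185963544.478079"] [ref ""]',
    '188#188: *3490531 [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [uri "/"] [unique_id "174185963601.000001"] [ref ""]',
    '188#188: *3490540 [client 203.0.113.7] ModSecurity: Warning. [id "920350"] [uri "/"] [unique_id "174185963700.000002"] [ref ""]',
]
# Constructed audit log that holds only the second blocked transaction
AUDIT_LOG = """---Ab12Cd34---A--
[13/Mar/2025:09:54:01 +0000] 174185963601.000001 203.0.113.7 51544 192.168.66.83 80
---Ab12Cd34---B--
GET /?q=test HTTP/1.1
---Ab12Cd34---Z--
""".splitlines()

def denied_ids(error_log_lines):
    """Return unique ids of blocked transactions, in first-seen order."""
    ids = []
    for line in error_log_lines:
        m = DENIED.search(line)
        if m and m.group(1) not in ids:
            ids.append(m.group(1))
    return ids

def audited_ids(audit_log_lines):
    """Return the set of unique ids that have a section A in the audit log."""
    ids, expect_header = set(), False
    for line in audit_log_lines:
        line = line.rstrip("\n")
        if SECTION_A.match(line):
            expect_header = True      # the next line is the section A header
        elif expect_header:
            m = A_HEADER.match(line)
            if m:
                ids.add(m.group(1))
            expect_header = False
    return ids

def missing_from_audit(error_log_lines, audit_log_lines):
    """Blocked transactions that never reached the audit log."""
    seen = audited_ids(audit_log_lines)
    return [u for u in denied_ids(error_log_lines) if u not in seen]
```

Run against the real `error.log` and audit log by passing open file handles in place of the sample lists; each returned id can then be searched in the level 9 debug log to see why no audit entry was written.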