
Quotation Mark Formatting in ModSecurity Logs: Is the Use of Backticks and Single Quotes Correct? #3369


Open
wRkA opened this issue May 2, 2025 · 1 comment
Labels
3.x Related to ModSecurity version 3.x

Comments

@wRkA

wRkA commented May 2, 2025

Describe the bug

The ModSecurity log entries show operators and parameters enclosed in backticks (`), while variable names and data values are enclosed in single quotes ('). For example:

  • `PmFromFile'
  • `lfi-os-files.data'
  • `ARGS:bar'
  • `/bin/sh'

and so on...

Wouldn't it have to be?

  • 'PmFromFile'
  • 'lfi-os-files.data'
  • 'ARGS:bar'
  • '/bin/sh'

Logs and dumps

Output of: AuditLogs

---ABgEnRQg---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "99"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:foo: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/4.14.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-LFI"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "192.168.1.35"] [uri "/"] [unique_id "174622258411.325032"] [ref "o1,10v10,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)? (7133 characters omitted)' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "467"] [id "932250"] [rev ""] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: /bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.14.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-RCE"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "192.168.1.35"] [uri "/"] [unique_id "174622258411.325032"] [ref "o0,7v26,7"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:bar' (Value: `/bin/sh' ) [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "606"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/sh found within ARGS:bar: /bin/sh"] [severity "2"] [ver "OWASP_CRS/4.14.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-RCE"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "192.168.1.35"] [uri "/"] [unique_id "174622258411.325032"] [ref "o1,10v10,11t:cmdLine,t:normalizePatho1,6v26,7t:cmdLine,t:normalizePath"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `20' ) [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.14.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "192.168.1.35"] [uri "/"] [unique_id "174622258411.325032"] [ref ""]

To Reproduce

  • None

Expected behavior

  • To know if this behavior is correct.

Server (please complete the following information):

  • ModSecurity v3.0.14 with nginx-connector v1.0.3
  • WebServer: nginx/1.28.0
  • OS: Ubuntu 24.04.2 LTS

Rule Set (please complete the following information):

  • OWASP CRS v4.14.0

Additional context

None, just see logs.

@wRkA wRkA added the 3.x Related to ModSecurity version 3.x label May 2, 2025
@airween
Member

airween commented May 3, 2025

Hi @wRkA,

thanks for asking this.

I don't know if it's correct or not, but this is the expected behavior :).

If you check the code, the engine produces this message here or here, and the syntax is the one you mentioned: the quote marks are ` and '.

I'm sure there is a reason why the author of that code made this decision, but I think it wouldn't be a good idea to replace it now, because many users have made their own log parsers, and - perhaps - this change would break them.
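The reply above points out that many users have written their own parsers for this line format, and the reporter's excerpt shows the convention they have to cope with: operator, parameter, variable and value are each opened with a backtick and closed with a single quote, and none of them is escaped. The following parser is an added example, not code from the ModSecurity project or from either participant. It anchors on the fixed connective phrases between the four fields rather than on the quote characters themselves, so a regex parameter or a request value that happens to contain a single quote still parses, and it then collects the `[key "value"]` pairs that follow. The sample lines are constructed for this example, modelled on (and shortened from) the reporter's excerpt, with one parameter and one value deliberately containing a single quote; the `ModSecEvent`, `parse_line` and `summarize` names are this example's own.

```python
"""Parser for ModSecurity v3 'Matched "Operator `X' with parameter `Y' ...' lines.

Added example, not ModSecurity project code.  The four quoted fields use the
engine's backtick-open / single-quote-close convention (`...') discussed in
the issue and are not escaped, so the parser anchors on the literal text
between them ("' with parameter `", "' against variable `", "' (Value: `",
"' )") instead of on the quote characters alone.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines modelled on the reporter's excerpt (shortened).
# Line 2 has a parameter and a value that each contain a single quote.
SAMPLE_LOG = r'''
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:foo' (Value: `/etc/passwd' ) [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "99"] [id "930120"] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:foo: /etc/passwd"] [severity "2"] [tag "attack-lfi"] [tag "paranoia-level/1"] [hostname "192.168.1.35"] [uri "/"] [unique_id "174622258411.325032"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:^|b[\"'\)\[\x5c]*)it's' against variable `ARGS:bar' (Value: `it's /bin/sh' ) [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "467"] [id "932250"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: /bin/sh found within ARGS:bar: it's /bin/sh"] [severity "2"] [tag "attack-rce"] [tag "paranoia-level/1"] [hostname "192.168.1.35"] [uri "/"] [unique_id "174622258411.325032"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `20' ) [file "/usr/share/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [data ""] [severity "0"] [tag "anomaly-evaluation"] [hostname "192.168.1.35"] [uri "/"] [unique_id "174622258411.325032"] [ref ""]
'''.strip().splitlines()

# Head of the line: the action text, then the four `...' fields.  Non-greedy
# captures stop at the first occurrence of the next connective phrase.  The
# double quote after "Matched" is never closed in the engine's output, so it
# is consumed here and not expected again later.
_HEAD = re.compile(
    r"^ModSecurity: (?P<action>.+?)\. Matched \"Operator `(?P<operator>.*?)'"
    r" with parameter `(?P<parameter>.*?)' against variable `(?P<variable>.*?)'"
    r" \(Value: `(?P<value>.*?)' \) (?P<rest>.*)$"
)

# Trailing [key "value"] pairs; value may be empty and may contain backslash
# escapes.  Only ever applied to the text after the `...' fields, so a regex
# parameter containing '[' cannot produce spurious keys.
_FIELD = re.compile(r'\[(?P<key>[A-Za-z_]+) "(?P<val>(?:\\.|[^"\\])*)"\]')


@dataclass
class ModSecEvent:
    action: str       # "Warning" or "Access denied with code 403 (phase 2)"
    operator: str     # e.g. PmFromFile, Rx, Ge
    parameter: str    # operator argument (data file, regex, threshold)
    variable: str     # e.g. ARGS:foo, TX:BLOCKING_INBOUND_ANOMALY_SCORE
    value: str        # the matched value, i.e. request data for ARGS:*
    fields: dict = field(default_factory=dict)   # single-valued [key "val"]
    tags: list = field(default_factory=list)     # every [tag "..."], in order

    @property
    def rule_id(self) -> Optional[str]:
        return self.fields.get("id")

    @property
    def blocked(self) -> bool:
        return self.action.startswith("Access denied")


def parse_line(line: str) -> Optional[ModSecEvent]:
    """Return a ModSecEvent for a 'Matched "Operator' line, else None."""
    m = _HEAD.match(line.strip())
    if m is None:
        return None
    ev = ModSecEvent(m["action"], m["operator"], m["parameter"],
                     m["variable"], m["value"])
    for f in _FIELD.finditer(m["rest"]):
        if f["key"] == "tag":
            ev.tags.append(f["val"])
        else:
            ev.fields[f["key"]] = f["val"]
    return ev


def summarize(lines) -> dict:
    """Group events by unique_id: rule ids fired, whether the request was
    blocked, and the (variable, value) pairs that triggered non-TX rules."""
    out: dict = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        entry = out.setdefault(ev.fields.get("unique_id", "?"),
                               {"rule_ids": [], "blocked": False, "triggers": []})
        entry["rule_ids"].append(ev.rule_id)
        entry["blocked"] = entry["blocked"] or ev.blocked
        if not ev.variable.startswith("TX:"):
            entry["triggers"].append((ev.variable, ev.value))
    return out


if __name__ == "__main__":
    for uid, info in summarize(SAMPLE_LOG).items():
        print(uid, info)
```

The value field carries request data (for `ARGS:*` variables) verbatim and unescaped, so a value containing the literal closing sequence `' )` would be cut short by this parser, as it would be by any consumer of the format; anchoring on the connective phrases is what lets the ordinary case of a stray single quote, such as the one inside the Rx regex or the `it's /bin/sh` value in the sample, come through intact.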
