
ModSecurity / CRS 3 - Tons of 920100 Warnings. Need Help Fixing/Explaining Rule Violation

Ubuntu 22.04
Nginx/1.23.2
ModSecurity-nginx v1.0.3
CRS 3.3.2

I found out today that my server froze up because ModSecurity created tons of log files of 10GB each and the server ran out of disk space. The Audit Log is set to "Relevant Only", which shows Warnings and Errors. I found there are just too many Warnings showing up.

After investigating, I am seeing that the vast majority (99%) of the warnings are all the same, like the one below (it also happens on HTTP/2.0 requests):

---gvhKX0E1---A--
[03/Nov/2022:22:42:06 +0000] 166751532637.741158 66.249.66.134 52954 ***.***.***.*** 443
---gvhKX0E1---B--
GET /sale/yamaha-pm5d-fr-v12-operating-guide-by-download-mauritron-249215-307615/ HTTP/1.1
Host: www.**********.com
AMP-Cache-Transform: google;v="1..8"
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept-Encoding: gzip, deflate, br

---gvhKX0E1---F--
HTTP/1.1 200
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Set-Cookie: NEWSESSID=pa3vbhhrkr0h22akl81h6omfaj; path=/; HttpOnly
Pragma: no-cache
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Date: Thu, 03 Nov 2022 22:42:06 GMT
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Permissions-Policy: geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()


---gvhKX0E1---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$' against variable `REQUEST_LINE' (Value: `GET /sale/yamaha-pm5d-fr-v12-operating-guide-by-download-mauritron-249215-307615/ HTTP/1.1' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "47"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /sale/yamaha-pm5d-fr-v12-operating-guide-by-download-mauritron-249215-307615/ HTTP/1.1"] [severity "4"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "***.***.***.**"] [uri "/sale/yamaha-pm5d-fr-v12-operating-guide-by-download-mauritron-249215-307615/"] [unique_id "166751532637.741158"] [ref "v0,90"]

I have a marketplace site where people sell things for sale, so each URL that shows up here is in the same format "/sale/something-for-sale-123456/".

Can someone explain what is actually wrong with the website and how to fix it? I know how to create an exception to "hide" the warnings, but I'd like to address the root cause.

Thanks

mangohost
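A check worth running before writing any exception, added here as an example and not part of the question or of the CRS project: CRS 3.3.2 applies the 920100 pattern as a negated operator (`!@rx`), so the rule logs "Invalid HTTP Request Line" when the request line does NOT match the regex. The script below copies the regex verbatim from the audit-log entry above and evaluates it with Python's `re` against the exact request line from section B, plus a few constructed request lines (not from the question) that show what the pattern accepts and rejects. The marketplace line satisfies the pattern, so the URL format itself is not what the rule objects to; the next thing to look at is the REQUEST_LINE value the engine actually evaluated (for example via the ModSecurity debug log), rather than the site's URLs.

```python
import re

# Pattern copied verbatim from the 920100 audit-log entry above
# (CRS 3.3.2, REQUEST-920-PROTOCOL-ENFORCEMENT.conf). In the rule set it is
# applied as "!@rx", i.e. the rule fires when the line does NOT match.
RULE_920100_RX = re.compile(
    r"^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*"
    r"(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?"
    r"|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"
)


def rule_920100_fires(request_line: str) -> bool:
    """True when CRS 920100 would log 'Invalid HTTP Request Line'.

    The operator is negated in the rule, so "no match" means "fires".
    """
    return RULE_920100_RX.match(request_line) is None


# Request line taken from section B of the audit log in the question.
POSTED_LINE = (
    "GET /sale/yamaha-pm5d-fr-v12-operating-guide-by-download-"
    "mauritron-249215-307615/ HTTP/1.1"
)

# Constructed samples (not from the question) covering each branch of the
# regex and two shapes it rejects.
SAMPLES = {
    "posted marketplace URL": POSTED_LINE,
    "same path over HTTP/2.0": POSTED_LINE.replace("HTTP/1.1", "HTTP/2.0"),
    "absolute-form URL": "GET http://www.example.test/sale/item-1/ HTTP/1.1",
    "CONNECT to ip:port": "CONNECT 203.0.113.5:443 HTTP/1.1",
    "OPTIONS *": "OPTIONS * HTTP/1.1",
    "unencoded space in query": "GET /search?q=hello world HTTP/1.1",
    "non-alphabetic method": "G3T /sale/item-1/ HTTP/1.1",
}


def evaluate_samples() -> dict:
    """Map each sample label to whether 920100 would fire on it."""
    return {label: rule_920100_fires(line) for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, fires in evaluate_samples().items():
        print(f"{'FIRES ' if fires else 'passes'}  {label}: {SAMPLES[label]!r}")
```

Note that the pattern is permissive about spaces inside the path (`[^?#]*` accepts them) but not inside the query string (`[^#\s]*`), so a query with a raw space is one of the few ordinary-looking lines it rejects. If the engine reports the poster's line as a non-match while this script accepts it, the difference lies in how the engine evaluated the line, not in the line's shape.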
