ModSecurity Audit Log Shows 403 or 200, but Nginx Returns 500 or 499 Under High Traffic #331

Open
rohithmulka opened this issue Sep 9, 2024 · 4 comments

Comments

@rohithmulka

I'm encountering an issue where ModSecurity is blocking requests with a 403 status code, but Nginx is returning a 500 error to the client. Additionally, there are cases where ModSecurity returns a 200 status, but Nginx throws a 499 error instead. The ModSecurity audit log shows the expected 403 or 200 status codes, but this is not reflected in the Nginx responses.

This issue tends to occur when I send a large number of requests or simulate a DoS attack. I've included the relevant access, audit, and error logs below for further context.

Any guidance on why these discrepancies are happening under high traffic conditions and how to resolve them would be greatly appreciated.

access_log.json
audit_log.json
error_log.txt

@airween
Member

airween commented Sep 11, 2024

Hi @rohithmulka,

thanks for reporting.

If I understand you correctly, you use libmodsecurity3 as a module for Nginx (through libnginx-mod-http-modsecurity), and Nginx (as a back end) sends a 5XX response to the client, but ModSecurity "transforms" it into 403, right?

That's normal behavior if you use CRS. Please take a look at rule 950100. This rule catches the response with a 5XX code and increments tx.outbound_anomaly_score_pl2 by 5 (tx.error_anomaly_score). After that, rule 959100 (which checks that score value) uses the action deny. The default response code in case of deny is 403, so the behavior is normal.
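As an added illustration of the two-step mechanism described in the comment above (not the actual CRS rules 950100/959100, and not configuration from this issue), here is a minimal SecLang fragment of the same shape: the first rule raises the outbound anomaly score when the backend answers 5xx, the second denies once that score reaches the threshold. The rule ids, the threshold and the initial score values are constructed for this example.

```apache
# Added example: a stripped-down stand-in for the CRS pattern described above.
# Rule ids and the numeric values below are constructed for illustration.

# Constructed setup values (CRS keeps its equivalents in crs-setup.conf).
SecAction \
    "id:9000001,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.error_anomaly_score=5',\
    setvar:'tx.outbound_anomaly_score_threshold=4',\
    setvar:'tx.outbound_anomaly_score_pl2=0'"

# Step 1 (stand-in for 950100): a 5xx status from the backend adds
# tx.error_anomaly_score to the outbound anomaly score; nothing is blocked yet.
SecRule RESPONSE_STATUS "@rx ^5\d\d$" \
    "id:9000002,\
    phase:3,\
    pass,\
    t:none,\
    log,\
    msg:'Backend returned 5xx, raising outbound anomaly score',\
    setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"

# Step 2 (stand-in for 959100): once the score reaches the threshold the
# response is denied. 'deny' without an explicit status uses the default 403,
# which is the code the audit log records for the blocked transaction.
SecRule TX:OUTBOUND_ANOMALY_SCORE_PL2 "@ge %{tx.outbound_anomaly_score_threshold}" \
    "id:9000003,\
    phase:4,\
    deny,\
    t:none,\
    log,\
    msg:'Outbound anomaly score %{tx.outbound_anomaly_score_pl2} reached threshold, denying with 403'"
```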

@rohithmulka
Author

That is OK, the request is blocked, but that 403 should be carried through and NGINX should relay it to the client. What I'm trying to say is that whatever modsec is throwing is not being displayed to the client.

@airween
Member

airween commented Sep 13, 2024

I'm afraid based on your shared logs we can't help at the moment.

Could you show your relevant config?

@airween
Member

airween commented Oct 17, 2024

@rohithmulka ping.
