ModSecurity 3.0 Memory Leak ?

[Menahem1]

Hello

I am currently experiencing a problem with Nginx/ModSecurity (with CRS rule in v3.0) about increasing memory in Nginx.

For now i can't be sure that the increasing memory (or memory leak) is on ModSecurity or other part of Nginx, how to be sure ?

My conf :
nginx version: nginx/1.11.9
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1t 3 May 2016
TLS SNI support enabled
configure arguments: --add-module=../ModSecurity-nginx --with-debug --with-cc-opt='-O0 -g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --with-pcre-jit --with-http_ssl_module --with-http_realip_module

Usage of Memory

[zimmerle]

Hi @MEN18,

Do you happens to have you summary for the ./configure ? I am interested to know if you are using LMDB or not. Also, what is the last commit in your tree?

[Menahem1]

Yes i am using LMDB

configure:5925: LMDB library found at: /usr/lib/x86_64-linux-gnu//liblmdb.so
configure:5930: LMDB headers found at: /usr/include
configure:5925: LMDB library found at: /usr/lib/x86_64-linux-gnu//liblmdb.so
configure:5930: LMDB headers found at: /usr/include
configure:5925: LMDB library found at: /usr/lib/x86_64-linux-gnu//liblmdb.so
configure:5930: LMDB headers found at: /usr/include
configure:6036: using LMDB v

The last commit i used => 3a41308

[zimmerle]

Do you mind to compile without LMDB ?

$ ./configure --without-lmdb

[Menahem1]

no sorry, i have juste use this command alone

./configure

[zimmerle]

Can you re-compile it using the --without-lmdb parameter?

[Menahem1]

I recompiled with the "--without-lmdb" parameter and the memory (on the whole) is still increasing (sometimes i see an increase of 20mb but then disappears)

[Menahem1]

The only time when my memory is going down it's with a segfault (who send a signal 11 on the worker)

Feb 7 14:29:42 ip-10-65-2-86 kernel: [87308.027588] nginx[445]: segfault at 7fc270936000 ip 00007ff7f1b76c3a sp 00007ffc878da808 error 4 in libc-2.19.so[7ff7f1af5000+1a1000]
Feb 8 13:06:05 ip-10-65-2-86 kernel: [168691.049453] nginx[4854]: segfault at 7fc270936000 ip 00007ff7f1b76c3a sp 00007ffc878da7e8 error 4 in libc-2.19.so[7ff7f1af5000+1a1000]
Feb 8 13:06:06 ip-10-65-2-86 kernel: [168691.653367] nginx[8883]: segfault at 7fc270936000 ip 00007ff7f1b76c3a sp 00007ffc878da7e8 error 4 in libc-2.19.so[7ff7f1af5000+1a1000]

[zimmerle]

Any change to capture the stack for this segfault?

[Menahem1]

It's in an other environment (prod without the debug) without the "--without-lmdb" parameter (but with same version of Nginx/ModSecurity/Rules)

[Menahem1]

An idea of ​​when an upcoming update will be available to correct it ?

[Menahem1]

In precision the machine contains 27 vhosts
Is there a way that modsecurity does not use a resource when this vhost is not active?

[zimmerle]

Hi @MEN18,

It will be great if you can give further details on the segfault.

Here you can find more details on how to get those core dumps:
https://www.nginx.com/resources/wiki/start/topics/tutorials/debugging/#core-dump

[Menahem1]

Hi @zimmerle

Here is the detail of segfault

#0  strlen () at ../sysdeps/x86_64/strlen.S:106
No locals.
#1  0x00007f7ee6f64c28 in std::string::compare(char const*) const () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#2  0x00007f7ee8f8a6cc in operator==<char, std::char_traits<char>, std::allocator<char> > (__rhs="/var/log/nginx/modsec_audit-test.log", __lhs=<optimized out>) at /usr/include/c++/4.9/bits/basic_string.h:2528
No locals.
#3  modsecurity::utils::SharedFiles::find_handler (this=this@entry=0x7f7ee920ece8 <modsecurity::utils::SharedFiles::getInstance()::instance>, fileName="/var/log/nginx/modsec_audit-test.log") at utils/shared_files.cc:42
        current = 0x7f7ee988f000
#4  0x00007f7ee8f8a710 in modsecurity::utils::SharedFiles::close (this=0x7f7ee920ece8 <modsecurity::utils::SharedFiles::getInstance()::instance>, fileName=...) at utils/shared_files.cc:181
        a = <optimized out>
#5  0x00007f7ee8f24119 in modsecurity::audit_log::writer::Serial::~Serial (this=0x5062cb0, __in_chrg=<optimized out>) at audit_log/writer/serial.cc:28
No locals.
#6  0x00007f7ee8f22148 in modsecurity::audit_log::AuditLog::~AuditLog (this=0x1232b30, __in_chrg=<optimized out>) at audit_log/audit_log.cc:69
No locals.
#7  0x00007f7ee8f26c16 in ~RulesProperties (this=0x12326f0, __in_chrg=<optimized out>) at ../headers/modsecurity/rules_properties.h:106
No locals.
#8  modsecurity::Rules::~Rules (this=0x12326f0, __in_chrg=<optimized out>) at rules.cc:80
No locals.
#9  0x00007f7ee8f26f0e in modsecurity::msc_rules_cleanup (rules=0x12326f0) at rules.cc:335
No locals.
#10 0x00000000004e3e27 in ngx_http_modsecurity_config_cleanup (data=0x1230ea8) at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:653
        old_pool = 0x0
        t = 0x1230ea8
#11 0x000000000041496e in ngx_destroy_pool (pool=0x1198870) at src/core/ngx_palloc.c:57
        p = 0x7ffe532ac250
        n = 0x11988d8
        l = 0x11989f0
        c = 0x1230f08
#12 0x000000000044e6ba in ngx_worker_process_exit (cycle=0x11988c0) at src/os/unix/ngx_process_cycle.c:999
        i = 1024
        c = 0x5545e80
#13 0x000000000044da0c in ngx_worker_process_cycle (cycle=0x11988c0, data=0x0) at src/os/unix/ngx_process_cycle.c:747
        worker = 0
#14 0x000000000044a18b in ngx_spawn_process (cycle=0x11988c0, proc=0x44d95c <ngx_worker_process_cycle>, data=0x0, name=0x4ea983 "worker process", respawn=-3) at src/os/unix/ngx_process.c:198
        on = 1
        pid = 0
        s = 0
#15 0x000000000044c81d in ngx_start_worker_processes (cycle=0x11988c0, n=3, type=-3) at src/os/unix/ngx_process_cycle.c:358
        i = 0
        ch = {command = 1, pid = 0, slot = 0, fd = 0}
#16 0x000000000044bdda in ngx_master_process_cycle (cycle=0x11988c0) at src/os/unix/ngx_process_cycle.c:130
        title = 0x4bbe554 "master process /usr/local/nginx/sbin/nginx -g pid /run/nginx.pid; daemon on; master_process on;"
        p = 0x4bbe5b3 ""
        size = 96
        i = 3
        n = 0
        sigio = 0
        set = {__val = {0 <repeats 16 times>}}
        itv = {it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0, tv_usec = 0}}
        live = 0
        delay = 0
        ls = 0x0
        ccf = 0x119a3f8
#17 0x0000000000410ce0 in main (argc=3, argv=0x7ffe532ac7c8) at src/core/nginx.c:367
        b = 0x7f7ee7fdfd28
        log = 0x71e980 <ngx_log>
---Type <return> to continue, or q <return> to quit---
        i = 140183062643528
        cycle = 0x11988c0
        init_cycle = {conf_ctx = 0x0, pool = 0x1198340, log = 0x71e980 <ngx_log>, new_log = {log_level = 0, file = 0x0, connection = 0, disk_full_time = 0, handler = 0x0, data = 0x0, writer = 0x0, wdata = 0x0, action = 0x0, next = 0x0},
          log_use_stderr = 0, files = 0x0, free_connections = 0x0, free_connection_n = 0, modules = 0x0, modules_n = 0, modules_used = 0, reusable_connections_queue = {prev = 0x0, next = 0x0}, listening = {elts = 0x0, nelts = 0,
            size = 0, nalloc = 0, pool = 0x0}, paths = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, config_dump = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, open_files = {last = 0x0, part = {elts = 0x0,
              nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, shared_memory = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, connection_n = 0, files_n = 0, connections = 0x0,
          read_events = 0x0, write_events = 0x0, old_cycle = 0x0, conf_file = {len = 32, data = 0x1198390 ""}, conf_param = {len = 49, data = 0x7ffe532acf57 "ng down"}, conf_prefix = {len = 22, data = 0x1198390 ""}, prefix = {len = 17,
            data = 0x4e6106 "/usr/local/nginx/"}, lock_file = {len = 0, data = 0x0}, hostname = {len = 0, data = 0x0}}
        cd = 0x7ffe532ac4d0
        ccf = 0x119a3f8

[Menahem1]

I now encounter this error when i restart...

2017/02/11 17:37:32 [alert] 24612#0: worker process 27952 exited on signal 6
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc

[Menahem1]

And the different's segfault

#0  strlen () at ../sysdeps/x86_64/strlen.S:106
No locals.
#1  0x00007f8d568b5c28 in std::string::compare(char const*) const () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#2  0x00007f8d588db6cc in operator==<char, std::char_traits<char>, std::allocator<char> > (__rhs="/var/log/nginx/modsec_audit-test.log", __lhs=<optimized out>)
    at /usr/include/c++/4.9/bits/basic_string.h:2528
No locals.
#3  modsecurity::utils::SharedFiles::find_handler (this=this@entry=0x7f8d58b5fce8 <modsecurity::utils::SharedFiles::getInstance()::instance>,
    fileName="/var/log/nginx/modsec_audit-test.log") at utils/shared_files.cc:42
        current = 0x7f8d591e0000
#4  0x00007f8d588db710 in modsecurity::utils::SharedFiles::close (this=0x7f8d58b5fce8 <modsecurity::utils::SharedFiles::getInstance()::instance>, fileName=...)
    at utils/shared_files.cc:181
        a = <optimized out>
#5  0x00007f8d588755fd in modsecurity::audit_log::writer::Parallel::~Parallel (this=0x1278ab50, __in_chrg=<optimized out>) at audit_log/writer/parallel.cc:40
No locals.
#6  0x00007f8d588756a9 in modsecurity::audit_log::writer::Parallel::~Parallel (this=0x1278ab50, __in_chrg=<optimized out>) at audit_log/writer/parallel.cc:42
No locals.
#7  0x00007f8d58873148 in modsecurity::audit_log::AuditLog::~AuditLog (this=0x1223a00, __in_chrg=<optimized out>) at audit_log/audit_log.cc:69
No locals.
#8  0x00007f8d58877c16 in ~RulesProperties (this=0x12235c0, __in_chrg=<optimized out>) at ../headers/modsecurity/rules_properties.h:106
No locals.
#9  modsecurity::Rules::~Rules (this=0x12235c0, __in_chrg=<optimized out>) at rules.cc:80
No locals.
#10 0x00007f8d58877f0e in modsecurity::msc_rules_cleanup (rules=0x12235c0) at rules.cc:335
No locals.
#11 0x00000000004f0370 in ngx_http_modsecurity_config_cleanup (data=0x1222068) at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:653
        old_pool = 0x0
        t = 0x1222068
#12 0x000000000041505d in ngx_destroy_pool (pool=0xfeb970) at src/core/ngx_palloc.c:57
        p = 0x7ffeda9aa8d0
        n = 0xfeb9d8
        l = 0x1191d78
        c = 0x12220c8
#13 0x0000000000456e77 in ngx_worker_process_exit (cycle=0xfeb9c0) at src/os/unix/ngx_process_cycle.c:1001
        i = 2048
        c = 0x13a92e90
#14 0x00000000004561e8 in ngx_worker_process_cycle (cycle=0xfeb9c0, data=0x1) at src/os/unix/ngx_process_cycle.c:747
        worker = 1
#15 0x0000000000452946 in ngx_spawn_process (cycle=0xfeb9c0, proc=0x456138 <ngx_worker_process_cycle>, data=0x1, name=0x4f7153 "worker process", respawn=-3)
    at src/os/unix/ngx_process.c:198
        on = 1
        pid = 0
        s = 1
#16 0x0000000000454ff9 in ngx_start_worker_processes (cycle=0xfeb9c0, n=3, type=-3) at src/os/unix/ngx_process_cycle.c:358
        i = 1
        ch = {command = 1, pid = 28533, slot = 0, fd = 4}
#17 0x00000000004545b6 in ngx_master_process_cycle (cycle=0xfeb9c0) at src/os/unix/ngx_process_cycle.c:130
        title = 0x131116ec "master process /usr/local/nginx/sbin/nginx -g pid /run/nginx.pid; daemon on; master_process on;"
        p = 0x1311174b ""
        size = 96
        i = 3
        n = 0
        sigio = 0
        set = {__val = {0 <repeats 16 times>}}
        itv = {it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0, tv_usec = 0}}
        live = 0
        delay = 0
        ls = 0x0
        ccf = 0xfed540
#18 0x0000000000411350 in main (argc=3, argv=0x7ffeda9aae88) at src/core/nginx.c:368
        b = 0x7ffeda9aac50
        log = 0x72be00 <ngx_log>
        i = 17
        cycle = 0xfeb9c0
        init_cycle = {conf_ctx = 0x0, pool = 0xfeb440, log = 0x72be00 <ngx_log>, new_log = {log_level = 0, file = 0x0, connection = 0, disk_full_time = 0, handler = 0x0,
            data = 0x0, writer = 0x0, wdata = 0x0, action = 0x0, next = 0x0}, log_use_stderr = 0, files = 0x0, free_connections = 0x0, free_connection_n = 0, modules = 0x0,
          modules_n = 0, modules_used = 0, reusable_connections_queue = {prev = 0x0, next = 0x0}, reusable_connections_n = 0, listening = {elts = 0x0, nelts = 0, size = 0,
            nalloc = 0, pool = 0x0}, paths = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, config_dump = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0},
          config_dump_rbtree = {root = 0x0, sentinel = 0x0, insert = 0x0}, config_dump_sentinel = {key = 0, left = 0x0, right = 0x0, parent = 0x0, color = 0 '\000',
            data = 0 '\000'}, open_files = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, shared_memory = {last = 0x0, part = {
              elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, connection_n = 0, files_n = 0, connections = 0x0, read_events = 0x0, write_events = 0x0,
          old_cycle = 0x0, conf_file = {len = 32, data = 0xfeb490 "\002"}, conf_param = {len = 49, data = 0x7ffeda9acf57 "ng down"}, conf_prefix = {len = 22,
            data = 0xfeb490 "\002"}, prefix = {len = 17, data = 0x4f264e "/usr/local/nginx/"}, lock_file = {len = 0, data = 0x0}, hostname = {len = 0, data = 0x0}}
        cd = 0x7f8d591c0c1c <check_match+300>
        ccf = 0xfed540

#0  0x00007fe34038a067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
        resultvar = 0
        pid = 28621
        selftid = 28621
#1  0x00007fe34038b448 in __GI_abort () at abort.c:89
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7fff0bc3b9f0, sa_sigaction = 0x7fff0bc3b9f0}, sa_mask = {__val = {140733390764032, 7519496, 140614037331399, 1, 0, 1,
              140614011567400, 140613994294274, 7519496, 140613672503632, 140614037357285, 140614039385760, 140614012439552, 1, 140614039388240, 140613672503504}},
          sa_flags = 10, sa_restorer = 0x7fe341de3740}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007fe33f27fb3d in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#3  0x00007fe33f27dbb6 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#4  0x00007fe33f27dc01 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#5  0x00007fe33f27de19 in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#6  0x00007fe33f27e339 in operator new(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#7  0x00007fe33f2dde99 in std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#8  0x00007fe33f2deb0b in std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#9  0x00007fe33f2debb0 in std::string::reserve(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#10 0x00007fe33f2dec88 in std::string::append(std::string const&) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#11 0x00007fe3412a566d in operator+<char, std::char_traits<char>, std::allocator<char> > (
    __rhs="\240\272\303\v\377\177\000\000\210I\234\001\000\000\000\000\210I\234\001\000\000\000\000 \246o@\343\177", '\000' <repeats 26 times>, "p\262r\001\000\000\000\000\240\206}\001\000\000\000\000\250\206}\001\000\000\000\000\250\206}\001\000\000\000\000g\000\000\000\000\000\000\000x\226R?\343\177\000\000\310\210:\002\000\000\000\000P\000\000\000(\343\r\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000H\273\303\v\377\177\000\000H\273\303\v\377\177\000\000X\273\303\v\377\177\000\000X\273\303\v\377\177\000\000"...,
    __lhs=<unknown type in /usr/local/modsecurity/lib/libmodsecurity.so.3, CU 0x228c6d, DIE 0x24bd97>) at /usr/include/c++/4.9/bits/basic_string.h:2451
No locals.
#12 modsecurity::Rule::executeOperatorAt (this=this@entry=0x24067c0, trasn=trasn@entry=0x17026b0,
    key="\240\272\303\v\377\177\000\000\210I\234\001\000\000\000\000\210I\234\001\000\000\000\000 \246o@\343\177", '\000' <repeats 26 times>, "p\262r\001\000\000\000\000\240\206}\001\000\000\000\000\250\206}\001\000\000\000\000\250\206}\001\000\000\000\000g\000\000\000\000\000\000\000x\226R?\343\177\000\000\310\210:\002\000\000\000\000P\000\000\000(\343\r\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000H\273\303\v\377\177\000\000H\273\303\v\377\177\000\000X\273\303\v\377\177\000\000X\273\303\v\377\177\000\000"..., value="1") at rule.cc:268
        ret = <optimized out>
#13 0x00007fe3412ab014 in modsecurity::Rule::evaluate (this=this@entry=0x24067c0, trasn=trasn@entry=0x17026b0) at rule.cc:597
        ret = <optimized out>
        valueTemp = 0x17d8840
        __for_range = <synthetic pointer>
        value = "1"
        key = "\240\272\303\v\377\177\000\000\210I\234\001\000\000\000\000\210I\234\001\000\000\000\000 \246o@\343\177", '\000' <repeats 26 times>, "p\262r\001\000\000\000\000\240\206}\001\000\000\000\000\250\206}\001\000\000\000\000\250\206}\001\000\000\000\000g\000\000\000\000\000\000\000x\226R?\343\177\000\000\310\210:\002\000\000\000\000P\000\000\000(\343\r\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000H\273\303\v\377\177\000\000H\273\303\v\377\177\000\000X\273\303\v\377\177\000\000X\273\303\v\377\177\000\000"...
        values = std::vector of length -3125460, capacity -3125460 = {0x17d8840, 0x0, 0x0, 0x51, 0x23, 0x23, 0x0, 0x5f4445484354414d, 0x3a58543a53524156, 0x6e615f726f727265,
          0x63735f796c616d6f, 0x602072650065726f, 0x676f0030, 0x31, 0x1, 0x1, 0x0, 0x7974697265000030, 0x0, 0x41, 0x16, 0x16, 0x0, 0x726f7272653a5854, 0x796c616d6f6e615f,
          0x610065726f63735f, 0x6e6f697463, 0x31, 0x17d87b0, 0x17d8cd8, 0x17d8a88, 0xc1d, 0x6f74003300524156, 0x31, 0x17d8640, 0x17d8bd8, 0x24191e8, 0x1111, 0x4520293334313130,
          0x31, 0x17d8810, 0x17d8d58, 0x17d8ca8, 0xeb0, 0x6320003000524156, 0x31, 0x17d8780, 0x17d8c28, 0x2419878, 0xe90, 0x7fe3406fa678 <main_arena+88>, 0x21, 0x19c5fc8,
          0x19c47c0, 0x1, 0x51, 0x29, 0x29, 0x0, 0x5f4445484354414d, 0x4d414e5f53524156, 0x72653a58543a5345, 0x6d6f6e615f726f72, 0x726f63735f796c61, 0x17d0065, 0x51, 0x25,
          0x25, 0x0, 0x5f4445484354414d, 0x3a58543a53524156, 0x5f676e696e726177, 0x5f796c616d6f6e61, 0x60200065726f6373, 0x676f0030, 0x31, 0x17d8340, 0x17d8758, 0x2418978,
          0x91b, 0x17d8920, 0x31, 0x1, 0x1, 0x0, 0x7974697265000030, 0x18d6100, 0x41, 0x18, 0x18, 0x0, 0x696e7261773a5854, 0x616d6f6e615f676e, 0x65726f63735f796c,
          0x29006e6f697400, 0x51, 0x2b, 0x2b, 0x0, 0x5f4445484354414d, 0x4d414e5f53524156, 0x61773a58543a5345, 0x6e615f676e696e72, 0x63735f796c616d6f, 0x65726f, 0x51, 0x24,
          0x24, 0x0, 0x5f4445484354414d, 0x3a58543a53524156, 0x615f656369746f6e, 0x735f796c616d6f6e, 0x6020720065726f63, 0x676f0030, 0x31, 0x17d8900, 0x17d8978, 0x2418f88,
          0x9e7, 0x0, 0x31, 0x1, 0x1, 0x0, 0x7974697265000030, 0x0, 0x41, 0x17, 0x17, 0x0, 0x6369746f6e3a5854, 0x6c616d6f6e615f65, 0x65726f63735f79, 0x6e6f697463, 0x31,
          0x17d7c10, 0x17d9028, 0x17d8dd8, 0xc8c, 0x6f74003200524156, 0x31, 0x17d87e0, 0x17d8f28, 0x2419eb8, 0x1123, 0x4520293235313130, 0x31, 0x17d8b70, 0x17d90a8, 0x17d8ff8,
          0x121c, 0x6320003000524156, 0x31, 0x17d8b10, 0x17d8f78, 0x241a518, 0xeff, 0x7fe3406fa678 <main_arena+88>, 0x21, 0x19c5fc8, 0x19c47b0, 0x20, 0x51, 0x2a, 0x2a, 0x0,
          0x5f4445484354414d, 0x4d414e5f53524156, 0x6f6e3a58543a5345, 0x6f6e615f65636974, 0x6f63735f796c616d, 0x6572, 0x51, 0x24, 0x24, 0x0, 0x5f4445484354414d,
          0x4d414e5f53524156, 0x6f643a58543a5345, 0x625f74757065725f, 0x602072006b636f6c, 0x676f0030, 0x31, 0x17d8a40, 0x17d8ab8, 0x2419618, 0x973, 0x18e5830, 0x31, 0x1, 0x1,
          0x0, 0x7974697265000030, 0x7fff0bc3ce00, 0x41, 0x1e, 0x1e, 0x0, 0x5f4445484354414d...}
        multiMatch = <optimized out>
        v = <optimized out>
        __for_range = <synthetic pointer>
        variables = <optimized out>
        recursiveGlobalRet = <optimized out>
        containsDisruptive = false
        ruleMessage = {m_match = "", m_ruleFile = "/usr/local/nginx/conf/conf.d/igs-eam1/activated_rules/REQUEST-910-IP-REPUTATION.conf", m_ruleLine = 80, m_ruleId = 910120,
          m_message = "", m_data = "", m_severity = 0, m_ver = "", m_rev = "", m_maturity = 0, m_accuracy = 0, m_tags = empty std::list, m_server_logs = empty std::list,
          m_noAuditLog = false, m_rule = 0x24067c0, m_saveMessage = false}
        eparam = "\"1\""
        globalRet = false
        finalVars = std::vector of length 1, capacity -3377456 = {0x19c47c0}
#14 0x00007fe3412a085b in modsecurity::Rules::evaluate (this=0x172b270, phase=phase@entry=3, transaction=transaction@entry=0x17026b0) at rules.cc:231
        rule = 0x24067c0
        i = 58
        rules = std::vector of length -3387336, capacity -3387336 = {0x1a29f60, 0x1a2a480, 0x1a2aca0, 0x1a2b1c0, 0x2422fd0, 0x2411f60, 0x2412570, 0x2412c30, 0x2413200,
          0x2413950, 0x24141a0, 0x24147b0, 0x2414c50, 0x2423510, 0x2423a50, 0x2423fb0, 0x2424590, 0x2424c10, 0x2425120, 0x2425870, 0x24290b0, 0x2429760, 0x2429fc0, 0x242a580,
          0x242aae0, 0x242b130, 0x242b810, 0x242bdb0, 0x242c390, 0x242c750, 0x240e210, 0x240e800, 0x240ed30, 0x240fe10, 0x2410340, 0x2411440, 0x242f390, 0x242f930, 0x2430530,
          0x2431490, 0x2432510, 0x2433500, 0x2434a10, 0x2434e80, 0x2435f00, 0x2437310, 0x2438900, 0x243af00, 0x243c9f0, 0x243d620, 0x243f180, 0x243f5d0, 0x2445200, 0x2445580,
          0x2445d40, 0x240ba20, 0x240c640, 0x2405230, 0x24067c0, 0x2406d90, 0x2408130, 0x2446110, 0x2447630, 0x2448cf0, 0x244a3b0, 0x244bac0, 0x244be90, 0x244c5f0, 0x244d3d0,
          0x244de30, 0x244e890, 0x244ebd0, 0x2401630, 0x24029d0, 0x24034a0, 0x2403f20, 0x24049a0, 0x2404d50, 0x23febb0, 0x2452240, 0x2453db0, 0x2454810, 0x2454ce0, 0x24554f0,
          0x23f8ea0, 0x23fa830, 0x24c2d00, 0x24cd120, 0x24cdc20, 0x24ded70, 0x24f6200, 0x24f6ce0, 0x250d9c0, 0x250dd00, 0x23f4d60, 0x23f6010, 0x23f7320, 0x23f84b0, 0x250f220,
          0x2511330, 0x2512970, 0x2513fc0, 0x2515880, 0x2516510, 0x25179c0, 0x2519130, 0x251e9a0, 0x251fc90, 0x2520fa0, 0x25220e0, 0x25224d0, 0x25234a0, 0x2527160, 0x2528cb0,
          0x2529890, 0x252b470, 0x252c0b0, 0x252d550, 0x252e990, 0x252fe10, 0x25311f0, 0x25328c0, 0x25341c0, 0x2536100, 0x2537360, 0x2538eb0, 0x253a110, 0x253aff0, 0x253c4b0,
          0x253e2d0, 0x253f290, 0x2542080, 0x2543390, 0x2543d80, 0x25451f0, 0x2545b60, 0x2546950, 0x2548520, 0x2549990, 0x254b070, 0x254b4e0, 0x23f0820, 0x23f1e20, 0x23f3570,
          0x25503b0, 0x2551ba0, 0x2553100, 0x25545e0, 0x2555d20, 0x25566b0, 0x2557cc0, 0x25586b0, 0x2559220, 0x255a140, 0x255b4b0, 0x255b7f0, 0x23ec620, 0x23ede90, 0x23efae0,
          0x255d240, 0x2790c50, 0x27917f0, 0x27a4db0, 0x27a5830, 0x27a5b70, 0x23e8370, 0x23e98c0, 0x23eadb0, 0x27a6500, 0x27a6fe0, 0x27a7fc0, 0x27a9220, 0x27a9ca0, 0x27a9fe0,
          0x23e3fe0, 0x23e4400, 0x27ab260, 0x27b21a0, 0x27b7b80, 0x27c4480, 0x282bd60, 0x282d8b0, 0x282f1a0, 0x2839550, 0x2845030, 0x28468b0, 0x2847300, 0x2847db0, 0x2848850,
          0x2848db0, 0x23dfb50, 0x23e2320, 0x28496a0, 0x284ab20, 0x28d26e0, 0x28dd290, 0x28deca0, 0x28ef1e0, 0x28f2600, 0x28f3ee0...}
#15 0x00007fe341294dc7 in modsecurity::Transaction::processRequestBody (this=0x17026b0) at transaction.cc:792
        fullRequest = "User-Agent: Zabbix\nHost: igs-eam1.industries.veolia.com\nAccept: */*\nContent-Length: 209\nContent-Type: application/x-www-form-urlencoded\n\n\nXMLC_BaseHREF=%252FEAMVIGSESTPROD01Bin%252FMOS_XML.dll%252F%25"...
        l = std::vector of length 0, capacity 15
#16 0x00000000004f06c5 in ngx_http_modsecurity_pre_access_handler (r=0x1700f60) at ../ModSecurity-nginx/src/ngx_http_modsecurity_pre_access.c:199
        ret = 0
        already_inspected = 0
        chain = 0x17d6a48
        ctx = 0x17d67d8
        cf = 0x17292d8
        old_pool = 0x0
#17 0x000000000046a38a in ngx_http_core_generic_phase (r=0x1700f60, ph=0x1380ce08) at src/http/ngx_http_core_module.c:874
        rc = -5
#18 0x000000000046a2da in ngx_http_core_run_phases (r=0x1700f60) at src/http/ngx_http_core_module.c:852
        rc = -2
        ph = 0x1380cd78
        cmcf = 0x16ec190
#19 0x000000000046a248 in ngx_http_handler (r=0x1700f60) at src/http/ngx_http_core_module.c:835
        cmcf = 0x14204fc0
#20 0x000000000047a681 in ngx_http_process_request (r=0x1700f60) at src/http/ngx_http_request.c:1914
        c = 0x14191148
#21 0x000000000047901c in ngx_http_process_request_headers (rev=0x14204fc0) at src/http/ngx_http_request.c:1346
        p = 0x1700fc8 "\320\017p\001"
        len = 24121104
        n = 352
        rc = 0
        rv = 24121104
        h = 0x1701bc8
        c = 0x14191148
        hh = 0x71e880 <ngx_http_headers_in+320>
        r = 0x1700f60
        cscf = 0x1715830
        cmcf = 0x16ec190
#22 0x00000000004783f9 in ngx_http_process_request_line (rev=0x14204fc0) at src/http/ngx_http_request.c:1026
        n = 411
        rc = 0
        rv = 24205512
        host = {len = 7520648, data = 0x16e9548 "H\021\031\024"}
        c = 0x14191148
        r = 0x1700f60
#23 0x0000000000476fce in ngx_http_wait_request_handler (rev=0x14204fc0) at src/http/ngx_http_request.c:503
        p = 0x0
        size = 1024
        n = 411
        b = 0x16e95e8
        c = 0x14191148
        hc = 0x16e9500
        cscf = 0x1715830
#24 0x0000000000458a71 in ngx_epoll_process_events (cycle=0x16e99c0, timer=59970, flags=1) at src/event/modules/ngx_epoll_module.c:902
        events = 1
        revents = 1
        instance = 1
        i = 0
        level = 140733390770720
        err = 0
        rev = 0x14204fc0
        wev = 0xea42
        queue = 0x14204fe8
        c = 0x14191148
#25 0x000000000044722a in ngx_process_events_and_timers (cycle=0x16e99c0) at src/event/ngx_event.c:242
        flags = 1
        timer = 59970
        delta = 1486842544163
#26 0x000000000045622d in ngx_worker_process_cycle (cycle=0x16e99c0, data=0x0) at src/os/unix/ngx_process_cycle.c:753
        worker = 0
#27 0x0000000000452946 in ngx_spawn_process (cycle=0x16e99c0, proc=0x456138 <ngx_worker_process_cycle>, data=0x0, name=0x4f7153 "worker process", respawn=0)
    at src/os/unix/ngx_process.c:198
        on = 1
        pid = 0
        s = 0
#28 0x0000000000455cc8 in ngx_reap_children (cycle=0x16e99c0) at src/os/unix/ngx_process_cycle.c:621
        i = 0
        n = 3
        live = 0
        ch = {command = 2, pid = 28613, slot = 0, fd = -1}
        ccf = 0xb00000013
#29 0x0000000000454844 in ngx_master_process_cycle (cycle=0x16e99c0) at src/os/unix/ngx_process_cycle.c:174
        title = 0x1380f6ec "master process /usr/local/nginx/sbin/nginx -g pid /run/nginx.pid; daemon on; master_process on;"
        p = 0x1380f74b ""
        size = 96
        i = 3
        n = 0
        sigio = 0
        set = {__val = {0 <repeats 16 times>}}
        itv = {it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0, tv_usec = 0}}
        live = 1
        delay = 0
        ls = 0x0
        ccf = 0x16eb540
#30 0x0000000000411350 in main (argc=3, argv=0x7fff0bc3d838) at src/core/nginx.c:368
        b = 0x7fff0bc3d600
        log = 0x72be00 <ngx_log>
        i = 17
        cycle = 0x16e99c0
        init_cycle = {conf_ctx = 0x0, pool = 0x16e9440, log = 0x72be00 <ngx_log>, new_log = {log_level = 0, file = 0x0, connection = 0, disk_full_time = 0, handler = 0x0,
            data = 0x0, writer = 0x0, wdata = 0x0, action = 0x0, next = 0x0}, log_use_stderr = 0, files = 0x0, free_connections = 0x0, free_connection_n = 0, modules = 0x0,
          modules_n = 0, modules_used = 0, reusable_connections_queue = {prev = 0x0, next = 0x0}, reusable_connections_n = 0, listening = {elts = 0x0, nelts = 0, size = 0,
            nalloc = 0, pool = 0x0}, paths = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, config_dump = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0},
          config_dump_rbtree = {root = 0x0, sentinel = 0x0, insert = 0x0}, config_dump_sentinel = {key = 0, left = 0x0, right = 0x0, parent = 0x0, color = 0 '\000',
            data = 0 '\000'}, open_files = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, shared_memory = {last = 0x0, part = {
              elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, connection_n = 0, files_n = 0, connections = 0x0, read_events = 0x0, write_events = 0x0,
          old_cycle = 0x0, conf_file = {len = 32, data = 0x16e9490 "\002"}, conf_param = {len = 49, data = 0x7fff0bc3ef57 ""}, conf_prefix = {len = 22,
            data = 0x16e9490 "\002"}, prefix = {len = 17, data = 0x4f264e "/usr/local/nginx/"}, lock_file = {len = 0, data = 0x0}, hostname = {len = 0, data = 0x0}}
        cd = 0x7fe341be8c1c <check_match+300>
        ccf = 0x16eb540
`

`
#0  0x00007fe34038a067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
        resultvar = 0
        pid = 28613
        selftid = 28613
#1  0x00007fe34038b448 in __GI_abort () at abort.c:89
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7fff0bc3b9f0, sa_sigaction = 0x7fff0bc3b9f0}, sa_mask = {__val = {140733390764032, 7519496, 140614037331399, 1, 0, 1,
              140614011567400, 140613994294274, 7519496, 140613672503632, 140614037357285, 140614039385760, 140614012439552, 1, 140614039388240, 140613672503504}},
          sa_flags = 10, sa_restorer = 0x7fe341de3740}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007fe33f27fb3d in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#3  0x00007fe33f27dbb6 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#4  0x00007fe33f27dc01 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#5  0x00007fe33f27de19 in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#6  0x00007fe33f27e339 in operator new(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#7  0x00007fe33f2dde99 in std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#8  0x00007fe33f2deb0b in std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#9  0x00007fe33f2debb0 in std::string::reserve(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#10 0x00007fe33f2dec88 in std::string::append(std::string const&) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#11 0x00007fe3412a566d in operator+<char, std::char_traits<char>, std::allocator<char> > (
    __rhs="\240\272\303\v\377\177\000\000\270X\220\001\000\000\000\000\270X\220\001\000\000\000\000 \246o@\343\177", '\000' <repeats 26 times>, "\320\034\203\001\000\000\000\000\340L\220\001\000\000\000\000\350L\220\001\000\000\000\000\350L\220\001\000\000\000\000g\000\000\000\000\000\000\000x\226R?\343\177\000\000\330\030Z\f\000\000\000\000P\000\000\000(\343\r\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000H\273\303\v\377\177\000\000H\273\303\v\377\177\000\000X\273\303\v\377\177\000\000X\273\303\v\377\177\000\000"...,
    __lhs=<unknown type in /usr/local/modsecurity/lib/libmodsecurity.so.3, CU 0x228c6d, DIE 0x24bd97>) at /usr/include/c++/4.9/bits/basic_string.h:2451
No locals.
#12 modsecurity::Rule::executeOperatorAt (this=this@entry=0xc5fe460, trasn=trasn@entry=0x1702330,
    key="\240\272\303\v\377\177\000\000\270X\220\001\000\000\000\000\270X\220\001\000\000\000\000 \246o@\343\177", '\000' <repeats 26 times>, "\320\034\203\001\000\000\000\000\340L\220\001\000\000\000\000\350L\220\001\000\000\000\000\350L\220\001\000\000\000\000g\000\000\000\000\000\000\000x\226R?\343\177\000\000\330\030Z\f\000\000\000\000P\000\000\000(\343\r\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000H\273\303\v\377\177\000\000H\273\303\v\377\177\000\000X\273\303\v\377\177\000\000X\273\303\v\377\177\000\000"..., value="1") at rule.cc:268
        ret = <optimized out>
#13 0x00007fe3412ab014 in modsecurity::Rule::evaluate (this=this@entry=0xc5fe460, trasn=trasn@entry=0x1702330) at rule.cc:597
        ret = <optimized out>
        valueTemp = 0x1905380
        __for_range = <synthetic pointer>
        value = "1"
        key = "\240\272\303\v\377\177\000\000\270X\220\001\000\000\000\000\270X\220\001\000\000\000\000 \246o@\343\177", '\000' <repeats 26 times>, "\320\034\203\001\000\000\000\000\340L\220\001\000\000\000\000\350L\220\001\000\000\000\000\350L\220\001\000\000\000\000g\000\000\000\000\000\000\000x\226R?\343\177\000\000\330\030Z\f\000\000\000\000P\000\000\000(\343\r\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000x\226R?\343\177\000\000x\226R?\343\177\000\000\000\000\000\000\000\000\000\000H\273\303\v\377\177\000\000H\273\303\v\377\177\000\000X\273\303\v\377\177\000\000X\273\303\v\377\177\000\000"...
        values = std::vector of length -3279260, capacity -3279260 = {0x1905380, 0x0, 0x0, 0x51, 0x2a, 0x2a, 0x0, 0x5f4445484354414d, 0x4d414e5f53524156, 0x6f6e3a58543a5345,
          0x6f6e615f65636974, 0x6f63735f796c616d, 0x6572, 0x51, 0x24, 0x24, 0x0, 0x5f4445484354414d, 0x4d414e5f53524156, 0x6f643a58543a5345, 0x625f74757065725f,
          0x602072006b636f6c, 0x676f0030, 0x31, 0x1904b80, 0x1904bf8, 0xc6112b8, 0x973, 0x9, 0x31, 0x1, 0x1, 0x0, 0x7974697265000030, 0x0, 0x41, 0x1e, 0x1e, 0x0,
          0x5f4445484354414d, 0x3a58543a53524156, 0x74757065725f6f64, 0x6b636f6c625f, 0x41, 0x11, 0x11, 0x0, 0x65725f6f643a5854, 0x636f6c625f747570, 0x612027730058006b,
          0x6e6f697463, 0x51, 0x24, 0x24, 0x0, 0x5f4445484354414d, 0x3a58543a53524156, 0x6c625f7475706572, 0x617275645f6b636f, 0x602072006e6f6974, 0x676f0030, 0x31, 0x1904da0,
          0x1904e58, 0xc611898, 0x6f2, 0x0, 0x31, 0x1, 0x1, 0x0, 0x7974697265000030, 0x0, 0x41, 0x17, 0x17, 0x0, 0x74757065723a5854, 0x645f6b636f6c625f, 0x6e6f6974617275,
          0x6e6f697463, 0x31, 0x1903fd0, 0x1904fb8, 0x1905268, 0xf30, 0x6f74003200524156, 0x51, 0x25, 0x25, 0x6e69616700000000, 0x5f4445484354414d, 0x3a58543a53524156,
          0x5f6465776f6c6c61, 0x7265765f70747468, 0x602000736e6f6973, 0x22200000676f0030, 0x31, 0x1904c80, 0x19053b8, 0xc6128f8, 0x148f, 0x415628d913cec5aa, 0x31, 0x1905220,
          0x1905298, 0xc612f18, 0xcf1, 0x30, 0x51, 0x2a, 0x2a, 0x0, 0x5f4445484354414d, 0x4d414e5f53524156, 0x65723a58543a5345, 0x636f6c625f747570, 0x6974617275645f6b,
          0xf0c7823dbc006e6f, 0x51, 0x25, 0x25, 0x0, 0x5f4445484354414d, 0x4d414e5f53524156, 0x6c613a58543a5345, 0x656d5f6465776f6c, 0x60200073646f6874, 0x676f0030, 0x31,
          0x1904ed0, 0x1904f48, 0xc611fb8, 0x985, 0x415628d913cec5aa, 0x31, 0x1, 0x1, 0x0, 0x7974697265000030, 0x0, 0x41, 0x1f, 0x1f, 0x0, 0x5f4445484354414d,
          0x3a58543a53524156, 0x5f6465776f6c6c61, 0x73646f6874656d, 0x41, 0x12, 0x12, 0x0, 0x776f6c6c613a5854, 0x6f6874656d5f6465, 0x6120277300007364, 0x6e6f697463, 0x51, 0x2c,
          0x2c, 0x0, 0x5f4445484354414d, 0x3a58543a53524156, 0x5f6465776f6c6c61, 0x5f74736575716572, 0x5f746e65746e6f63, 0x65707974, 0x31, 0x19050f0, 0x19051a8, 0xc612228,
          0x761, 0x0, 0x31, 0x1, 0x1, 0x0, 0x7974697265000030, 0x0, 0x41, 0x1f, 0x1f, 0x0, 0x776f6c6c613a5854, 0x65757165725f6465, 0x65746e6f635f7473, 0x657079745f746e, 0x31,
          0x1904ff0, 0x19055b8, 0x1905418, 0xf39, 0x6f74003300524156, 0x31, 0x19040e0, 0x1905568, 0xc6130e8, 0x11a3, 0x4520293336313130, 0x31...}
        multiMatch = <optimized out>
        v = <optimized out>
        __for_range = <synthetic pointer>
        variables = <optimized out>
        recursiveGlobalRet = <optimized out>
        containsDisruptive = false
        ruleMessage = {m_match = "", m_ruleFile = "/usr/local/nginx/conf/conf.d/xxx/activated_rules/REQUEST-910-IP-REPUTATION.conf", m_ruleLine = 80,
          m_ruleId = 910120, m_message = "", m_data = "", m_severity = 0, m_ver = "", m_rev = "", m_maturity = 0, m_accuracy = 0, m_tags = empty std::list,
          m_server_logs = empty std::list, m_noAuditLog = false, m_rule = 0xc5fe460, m_saveMessage = false}
        eparam = "\"1\""
        globalRet = false
        finalVars = std::vector of length 1, capacity -3279638 = {0x1905920}
#14 0x00007fe3412a085b in modsecurity::Rules::evaluate (this=0x1831cd0, phase=phase@entry=3, transaction=transaction@entry=0x1702330) at rules.cc:231
        rule = 0xc5fe460
        i = 58
        rules = std::vector of length -3377354, capacity -3377354 = {0xa90f440, 0xa90f960, 0xb2948a0, 0xb294dc0, 0xc61ac30, 0xc609c00, 0xc60a210, 0xc60a8d0, 0xc60aea0,
          0xc60b5f0, 0xc60be40, 0xc60c450, 0xc60c8f0, 0xc61f180, 0xc61f6c0, 0xc61fc20, 0xc620200, 0xc620880, 0xc620d90, 0xc6214e0, 0xc624d20, 0xc6253d0, 0xc625c30, 0xc6261f0,
          0xc626750, 0xc626da0, 0xc627480, 0xc627a20, 0xc628000, 0xc6283c0, 0xc605eb0, 0xc6064a0, 0xc6069d0, 0xc607ab0, 0xc607fe0, 0xc6090e0, 0xc62b000, 0xc62b5a0, 0xc62c1a0,
          0xc62d100, 0xc62e180, 0xc62f170, 0xc630680, 0xc630af0, 0xc631b70, 0xc632f80, 0xc634570, 0xc636b70, 0xc638660, 0xc639160, 0xc63ade0, 0xc63b230, 0xc63ce50, 0xc63d1d0,
          0xc63d990, 0xc6036c0, 0xc6042e0, 0xc5fced0, 0xc5fe460, 0xc5fea30, 0xc5ffdd0, 0xc63dd60, 0xc63f280, 0xc640940, 0xc642000, 0xc643710, 0xc643ae0, 0xc644240, 0xc645020,
          0xc645a80, 0xc6464e0, 0xc646820, 0xc5f92d0, 0xc5fa670, 0xc5fb140, 0xc5fbbc0, 0xc5fc640, 0xc5fc9f0, 0xc5f6850, 0xc649db0, 0xc64b9d0, 0xc64c430, 0xc64c900, 0xc64d110,
          0xc5f0b40, 0xc5f2550, 0xc6ba9c0, 0xc6c4d90, 0xc6c5890, 0xc6d6a30, 0xc6eded0, 0xc6ee9b0, 0xc7056a0, 0xc7059e0, 0xc5eca00, 0xc5edcb0, 0xc5eefc0, 0xc5f0150, 0xc70af10,
          0xc70d020, 0xc70e660, 0xc70fcb0, 0xc711570, 0xc712200, 0xc7136b0, 0xc714e20, 0xc716680, 0xc717970, 0xc718c80, 0xc719dc0, 0xc71a1b0, 0xc71b1e0, 0xc71ee40, 0xc720990,
          0xc721570, 0xc723150, 0xc723d90, 0xc725230, 0xc726670, 0xc727af0, 0xc728ed0, 0xc72a5a0, 0xc72bdd0, 0xc731de0, 0xc733040, 0xc734b90, 0xc735df0, 0xc736cd0, 0xc738190,
          0xc739fb0, 0xc73af70, 0xc73dd60, 0xc73f050, 0xc73fa50, 0xc740ec0, 0xc741830, 0xc742620, 0xc7441f0, 0xc745660, 0xc746d40, 0xc7471b0, 0xc5e84c0, 0xc5e9ac0, 0xc5eb210,
          0xc748070, 0xc749860, 0xc74adc0, 0xc74c2a0, 0xc74d9d0, 0xc74e320, 0xc74f9a0, 0xc750340, 0xc754f30, 0xc755e50, 0xc7571c0, 0xc757500, 0xc5e42c0, 0xc5e5b30, 0xc5e7780,
          0xc758f60, 0xc98c950, 0xc98d4f0, 0xc9a0ab0, 0xc9a1530, 0xc9a1870, 0xc5dffc0, 0xc5e1550, 0xc5e2a40, 0xc9a2210, 0xc9a2d20, 0xc9a3cc0, 0xc9a4f20, 0xc9a59a0, 0xc9a5ce0,
          0xc5dbcd0, 0xc5dc0f0, 0xc9a6f60, 0xc9adea0, 0xc9b3880, 0xc9c5680, 0xca27a20, 0xca29570, 0xca2ae60, 0xca35210, 0xca40d10, 0xca42590, 0xca42fe0, 0xca43a90, 0xca44530,
          0xca44a90, 0xc5d7900, 0xc5da0d0, 0xca45380, 0xca46810, 0xcace3d0, 0xcad4f90, 0xcad6a40, 0xcae6f00, 0xcaea330, 0xcaebc10...}
#15 0x00007fe341294dc7 in modsecurity::Transaction::processRequestBody (this=0x1702330) at transaction.cc:792
        fullRequest = "User-Agent: check_http/v1.4.15 (nagios-plugins 1.4.15)\nConnection: close\nHost: xxx\nAuthorization: Basic VEVTVC5SVU4uUkVRVUVTVE9SOlNmc2g1Ni4xMUBibXM=\n\n\n"
        l = std::vector of length 0, capacity 15
#16 0x00000000004f06c5 in ngx_http_modsecurity_pre_access_handler (r=0x1701370) at ../ModSecurity-nginx/src/ngx_http_modsecurity_pre_access.c:199
        ret = 0
        already_inspected = 0
        chain = 0x0
        ctx = 0x17d5da8
        cf = 0x182f420
        old_pool = 0x0
#17 0x000000000046a38a in ngx_http_core_generic_phase (r=0x1701370, ph=0x1380ce08) at src/http/ngx_http_core_module.c:874
        rc = -5
#18 0x000000000046a2da in ngx_http_core_run_phases (r=0x1701370) at src/http/ngx_http_core_module.c:852
        rc = -2
        ph = 0x1380cd78
        cmcf = 0x16ec190
#19 0x000000000046a248 in ngx_http_handler (r=0x1701370) at src/http/ngx_http_core_module.c:835
        cmcf = 0x14204fc0
#20 0x000000000047a681 in ngx_http_process_request (r=0x1701370) at src/http/ngx_http_request.c:1914
        c = 0x14191148
#21 0x000000000047901c in ngx_http_process_request_headers (rev=0x14204fc0) at src/http/ngx_http_request.c:1346
        p = 0x17013d8 "\340\023p\001"
        len = 24122144
        n = 189
        rc = 0
        rv = 24122144
        h = 0x1701fa8
        c = 0x14191148
        hh = 0x71e980 <ngx_http_headers_in+576>
        r = 0x1701370
        cscf = 0x1823648
        cmcf = 0x16ec190
#22 0x00000000004783f9 in ngx_http_process_request_line (rev=0x14204fc0) at src/http/ngx_http_request.c:1026
        n = 221
        rc = 0
        rv = 24179512
        host = {len = 7520624, data = 0x16e9548 "H\021\031\024"}
        c = 0x14191148
        r = 0x1701370
#23 0x0000000000476fce in ngx_http_wait_request_handler (rev=0x14204fc0) at src/http/ngx_http_request.c:503
        p = 0x0
        size = 1024
        n = 221
        b = 0x16e95b8
        c = 0x14191148
        hc = 0x16e9500
        cscf = 0x170be18
#24 0x0000000000458a71 in ngx_epoll_process_events (cycle=0x16e99c0, timer=59982, flags=1) at src/event/modules/ngx_epoll_module.c:902
        events = 1
        revents = 1
        instance = 0
        i = 0
        level = 140733390770720
        err = 0
        rev = 0x14204fc0
        wev = 0xea4e
        queue = 0x14204fe8
        c = 0x14191148
#25 0x000000000044722a in ngx_process_events_and_timers (cycle=0x16e99c0) at src/event/ngx_event.c:242
        flags = 1
        timer = 59982
        delta = 1486842495467
#26 0x000000000045622d in ngx_worker_process_cycle (cycle=0x16e99c0, data=0x0) at src/os/unix/ngx_process_cycle.c:753
        worker = 0
#27 0x0000000000452946 in ngx_spawn_process (cycle=0x16e99c0, proc=0x456138 <ngx_worker_process_cycle>, data=0x0, name=0x4f7153 "worker process", respawn=0)
    at src/os/unix/ngx_process.c:198
        on = 1
        pid = 0
        s = 0
#28 0x0000000000455cc8 in ngx_reap_children (cycle=0x16e99c0) at src/os/unix/ngx_process_cycle.c:621
        i = 0
        n = 3
        live = 0
        ch = {command = 2, pid = 28603, slot = 0, fd = -1}
        ccf = 0xb00000013
#29 0x0000000000454844 in ngx_master_process_cycle (cycle=0x16e99c0) at src/os/unix/ngx_process_cycle.c:174
        title = 0x1380f6ec "master process /usr/local/nginx/sbin/nginx -g pid /run/nginx.pid; daemon on; master_process on;"
        p = 0x1380f74b ""
        size = 96
        i = 3
        n = 0
        sigio = 0
        set = {__val = {0 <repeats 16 times>}}
        itv = {it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0, tv_usec = 0}}
        live = 1
        delay = 0
        ls = 0x0
        ccf = 0x16eb540
#30 0x0000000000411350 in main (argc=3, argv=0x7fff0bc3d838) at src/core/nginx.c:368
        b = 0x7fff0bc3d600
        log = 0x72be00 <ngx_log>
        i = 17
        cycle = 0x16e99c0
        init_cycle = {conf_ctx = 0x0, pool = 0x16e9440, log = 0x72be00 <ngx_log>, new_log = {log_level = 0, file = 0x0, connection = 0, disk_full_time = 0, handler = 0x0,
            data = 0x0, writer = 0x0, wdata = 0x0, action = 0x0, next = 0x0}, log_use_stderr = 0, files = 0x0, free_connections = 0x0, free_connection_n = 0, modules = 0x0,
          modules_n = 0, modules_used = 0, reusable_connections_queue = {prev = 0x0, next = 0x0}, reusable_connections_n = 0, listening = {elts = 0x0, nelts = 0, size = 0,
            nalloc = 0, pool = 0x0}, paths = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, config_dump = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0},
          config_dump_rbtree = {root = 0x0, sentinel = 0x0, insert = 0x0}, config_dump_sentinel = {key = 0, left = 0x0, right = 0x0, parent = 0x0, color = 0 '\000',
            data = 0 '\000'}, open_files = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, shared_memory = {last = 0x0, part = {
              elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, connection_n = 0, files_n = 0, connections = 0x0, read_events = 0x0, write_events = 0x0,
          old_cycle = 0x0, conf_file = {len = 32, data = 0x16e9490 "\002"}, conf_param = {len = 49, data = 0x7fff0bc3ef57 ""}, conf_prefix = {len = 22,
            data = 0x16e9490 "\002"}, prefix = {len = 17, data = 0x4f264e "/usr/local/nginx/"}, lock_file = {len = 0, data = 0x0}, hostname = {len = 0, data = 0x0}}
        cd = 0x7fe341be8c1c <check_match+300>
        ccf = 0x16eb540

[mimugmail]

This is the same issue as with: owasp-modsecurity/ModSecurity-nginx#29

Currently the nginx Version is not usable :(

[Menahem1]

Better on Apache ?

[masterzen]

I've built a small test environment of nginx (1.11.10 + modsecurity-nginx + libmodsecurity + owasp-modsecurity-crs 3.0) all from master as of today, and I also experience the memory leak.
I find it also very slow (around 200req/s when enabled on a simple static file, no rules triggering), but I have no baseline to compare with (I will check with apache).

[defanator]

Hi @zimmerle, I was going to check memory leaks reported here, and tried to build latest libmodsecurity from v3/dev/parser, but it couldn't load CRS v3.0.0 ruleset with the following message:

nginx: [emerg] "proxy_pass" directive Rules error. File: /etc/nginx/modsec/owasp-v3/rules/REQUEST-921-PROTOCOL-ATTACK.conf. Line: 35. Column: 66. syntax error, unexpected Operator Rx  in /etc/nginx/nginx.conf:80
nginx: configuration file /etc/nginx/nginx.conf test failed

Then I cherry-picked 55d28af to v3/master and immediately got a segfault in modsecurity::utils::SharedFiles::write -> fwrite(), backtrace is below:

(gdb) bt
#0  0x00007f140200693e in fwrite () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f1401b0d5a3 in modsecurity::utils::SharedFiles::write (this=this@entry=0x7f1401d90c50 <modsecurity::utils::SharedFiles::getInstance()::instance>, fileName="/var/log/modsec_audit.log", 
msg="---ocBa4g4l---A--\n[20/Feb/2017:09:04:50 +0000] 148758149039.270020 127.0.0.1 50016 127.0.0.1 80\n---ocBa4g4l---B--\nGET /vb/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs"..., error=error@entry=0x7fff0e3fc400) at utils/shared_files.cc:182
#2  0x00007f1401aacf4a in modsecurity::audit_log::writer::Serial::write (this=0x55d27418dd70, transaction=0x55d2738126e0, parts=8062, error=0x7fff0e3fc400) at audit_log/writer/serial.cc:56
#3  0x00007f1401aac0b0 in modsecurity::audit_log::AuditLog::saveIfRelevant (this=<optimized out>, transaction=transaction@entry=0x55d2738126e0, parts=parts@entry=8062) at audit_log/audit_log.cc:296
#4  0x00007f1401aa4474 in modsecurity::Transaction::processLogging (this=0x55d2738126e0) at transaction.cc:1265
#5  0x00007f1401aa4625 in modsecurity::msc_process_logging (transaction=<optimized out>) at transaction.cc:2086
#6  0x00007f1401d943ca in ngx_http_modsecurity_log_handler (r=<optimized out>) at ../ModSecurity-nginx//src/ngx_http_modsecurity_log.c:70
#7  0x000055d2724d8690 in ?? ()
#8  0x000055d2724da20c in ngx_http_free_request ()
#9  0x000055d2724dadb1 in ?? ()
#10 0x000055d2724d4f6d in ngx_http_core_generic_phase ()
#11 0x000055d2724d0515 in ngx_http_core_run_phases ()
#12 0x000055d2724dc955 in ngx_http_process_request ()
#13 0x000055d2724dd34c in ?? ()
#14 0x000055d2724c2961 in ?? ()
#15 0x000055d2724b7aa7 in ngx_process_events_and_timers ()
#16 0x000055d2724c007d in ?? ()
#17 0x000055d2724be9ff in ngx_spawn_process ()
#18 0x000055d2724c0320 in ?? ()
#19 0x000055d2724c113c in ngx_master_process_cycle ()
#20 0x000055d2724961f0 in main ()

SecAuditLog* directives:

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCIJDEFHKZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

I can provide any additional information if it helps.

Also, which branch should be currently used for tests - v3/master or v3/dev/parser? Appreciate any insights on those. Thanks!

[Menahem1]

Hi @masterzen,

The only optimization that i found about the slowness, is to deactivate all .jpg|.gif|.png with modsecurity, and also same problem with nginx 1.11.10 about memory leak.

For now, with Apache (2.4.10), ModSecurity 2.9 & CRS Rule in 3.0 i don't have the memory leak problem but ModSecurity don't trigger the same number of rule that in Nginx (less rules are found on Apache).

[masterzen]

Hi @MEN18,

My test on Apache 2.4.10 with the Modsecurity-apache connector and same version of libmodsecurity (v3/master) & CRS Rules 3.0 as I used with, is not very conclusive. I couldn't get it to work getting only segfaults.

So I reverted back to the current Modsecurity version (version 2) with apache 2.4.10 :

• with Modsecurity+CRS enabled: 1350req/s
• with Modsecurity+CRS disabled: 5100req/s

That's around 3.7 slowdown, which I can find acceptable.

With nginx and the modsecurity-nginx connector:

• with Modsecurity+CRS enabled: 134 req/s
• with Modsecurity+CRS disabled: 20000 req/s

So with nginx and modsecurity nginx enabled, I get a 10x slowdown between nginx and apache. That's way too much slowdown for me.

[Menahem1]

Thanks for your feedback @masterzen

With what are you testing your number of request per second (ab ?) and on which type of machine ?

[masterzen]

@MEN18 yes with:

ab -n 10000 -c 20 -k http://127.0.0.1:8080/

on my development machine. Note that I don't care about the absolute performance by itself, just the relative performance between with/without modsecurity and between nginx and apache version of modsecurity.

[zimmerle]

Hi @MEN18,

The segfault should be gone in the branch v3/dev/parser - https://github.com/SpiderLabs/ModSecurity/tree/v3/dev/parser

Thank you for the report and detailed information.

[zimmerle]

Hi @masterzen,

Thank you for the performance tests. I will look into this memory leak problem, I am sure that we are going to get very different results without the memory leak.

[zimmerle]

Hi @defanator,

Regarding the OWASP rules, normally we use the tagged version for test: v3.0.0.

But thanks for the report. I already fixed. You should be able to load today's `trunk' without a problem.

[mimugmail]

Sorry for writing in a closed issue, have recompiled with the parser branch and here a my results with ab:

root@nginx:~# ab -n 10000 -c 20 -k http://127.0.0.1:80/
This is ApacheBench, Version 2.3 <$Revision: 1604373 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 127.0.0.1 (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests

Server Software: nginx/1.11.9
Server Hostname: 127.0.0.1
Server Port: 80

Document Path: /
Document Length: 612 bytes

Concurrency Level: 20
Time taken for tests: 73.444 seconds
Complete requests: 10000
Failed requests: 0
Keep-Alive requests: 9909
Total transferred: 8499545 bytes
HTML transferred: 6120000 bytes
Requests per second: 136.16 [#/sec] (mean)
Time per request: 146.889 [ms] (mean)
Time per request: 7.344 [ms] (mean, across all concurrent requests)
Transfer rate: 113.02 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.0 0 0
Processing: 14 147 31.7 141 1308
Waiting: 14 147 31.7 141 1308
Total: 14 147 31.7 141 1308

Percentage of the requests served within a certain time (ms)
50% 141
66% 147
75% 151
80% 154
90% 166
95% 188
98% 207
99% 232
100% 1308 (longest request)

When I disable modsec I got 50000/s (just static page on localhost). Switched back to modsec and again only 136/s.

[zimmerle]

Hi @mimugmail,

Do you want to create a issue on the ModSecurit-nginx project to keep track of this performance measurements? That is something that will be good to have.

[jurgenweber]

Hi, I seem to be getting this error........

Please let me know if I should raise this as an issue.

sending a http://www.example.com/?select%20*%20from%20information_schema.COLUMNS

terminate called after throwing an instance of 'std::bad_alloc' what(): std::bad_alloc

nginx -V
nginx version: nginx/1.11.13
built by gcc 6.2.1 20160822 (Alpine 6.2.1)
built with OpenSSL 1.0.2k  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module --add-module=/usr/src/ModSecurity-nginx

Basically using:
https://hub.docker.com/r/elisiano/nginx-modsecurity/~/dockerfile/
tldr; using todays (20/4/2017) v3/master.

https://hub.docker.com/r/elisiano/owasp-modsecurity-crs/~/dockerfile/

(but I update the alpine and nginx versions).

CRS config found here:

# OWASP ModSecurity Core Rule Set ver.3.0.0
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------


#
# -- [[ Introduction ]] --------------------------------------------------------
#
# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack
# detection rules that provide a base level of protection for any web
# application. They are written for the open source, cross-platform
# ModSecurity Web Application Firewall.
#
# See also:
# https://modsecurity.org/crs/
# https://github.com/SpiderLabs/owasp-modsecurity-crs
# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
#


#
# -- [[ System Requirements ]] -------------------------------------------------
#
# CRS requires ModSecurity version 2.8.0 or above.
# We recommend to always use the newest ModSecurity version.
#
# The configuration directives/settings in this file are used to control
# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
# ModSecurity settings (modsecurity.conf) such as SecRuleEngine,
# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing.
#
# The CRS assumes that modsecurity.conf has been loaded. If you don't have this
# file, you can get it from:
# https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended
#
# The order of file inclusion in your webserver configuration should always be:
# 1. modsecurity.conf
# 2. crs-setup.conf (this file)
# 3. rules/*.conf (the CRS rule files)
#
# Please refer to the INSTALL file for detailed installation instructions.
#


#
# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] ---------------
#
# The CRS can run in two modes:
#
# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.
#
# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.
#
# -- [[ Alert Logging Control ]] --
# In the mode configuration, you must also adjust the desired logging options.
# There are three common options for dealing with logging. By default CRS enables
# logging to the webserver error log (or Event viewer) plus detailed logging to
# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf).
#
# - To log to both error log and ModSecurity audit log file, use: "log,auditlog"
# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog"
# - To log *only* to the error log file, use: "log,noauditlog"
#
# Examples for the various modes follow.
# You must leave one of the following options enabled.
# Note that you must specify the same line for phase:1 and phase:2.
#

# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
#   and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
#   perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# Example: Anomaly Scoring mode, log only to ModSecurity audit log
# - By default, offending requests are blocked with an error 403 response.
# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
#   and review section 'Changing the Disruptive Action for Anomaly Mode'.
# - In Apache, you can use ErrorDocument to show a friendly error page or
#   perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
# SecDefaultAction "phase:1,nolog,auditlog,pass"
# SecDefaultAction "phase:2,nolog,auditlog,pass"

# Example: Self-contained mode, return error 403 on blocking
# - In this configuration the default disruptive action becomes 'deny'. After a
#   rule triggers, it will stop processing the request and return an error 403.
# - You can also use a different error status, such as 404, 406, et cetera.
# - In Apache, you can use ErrorDocument to show a friendly error page or
#   perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
#
# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
# SecDefaultAction "phase:2,log,auditlog,deny,status:403"

# Example: Self-contained mode, redirect back to homepage on blocking
# - In this configuration the 'tag' action includes the Host header data in the
#   log. This helps to identify which virtual host triggered the rule (if any).
# - Note that this might cause redirect loops in some situations; for example
#   if a Cookie or User-Agent header is blocked, it will also be blocked when
#   the client subsequently tries to access the homepage. You can also redirect
#   to another custom URL.
# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"


#
# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
#   are enabled. PL1 is advised for beginners, installations
#   covering many different sites and applications, and for setups
#   with standard security requirements.
#   At PL1 you should face FPs rarely. If you encounter FPs, please
#   open an issue on the CRS GitHub site and don't forget to attach your
#   complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
#   many regexp-based SQL and XSS injection protections, and adding
#   extra keywords checked for code injections. PL2 is advised
#   for moderate to experienced users desiring more complete coverage
#   and for installations with elevated security requirements.
#   PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
#   limits on special characters used. PL3 is aimed at users experienced
#   at the handling of FPs and at installations with a high security
#   requirement.
# - Paranoia level 4 further restricts special characters.
#   The highest level is advised for experienced users protecting
#   installations with very high security requirements. Running PL4 will
#   likely produce a very high number of FPs which have to be
#   treated before the site can go productive.
#
# Rules in paranoia level 2 or higher will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
# audit log how the WAF behavior is affected by paranoia level.
#
# Uncomment this rule to change the default:
#
SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=2"


#
# -- [[ Anomaly Mode Severity Levels ]] ----------------------------------------
#
# Each rule in the CRS has an associated severity level.
# These are the default scoring points for each severity level.
# These settings will be used to increment the anomaly score if a rule matches.
# You may adjust these points to your liking, but this is usually not needed.
#
# - CRITICAL severity: Anomaly Score of 5.
#       Mostly generated by the application attack rules (93x and 94x files).
# - ERROR severity: Anomaly Score of 4.
#       Generated mostly from outbound leakage rules (95x files).
# - WARNING severity: Anomaly Score of 3.
#       Generated mostly by malicious client rules (91x files).
# - NOTICE severity: Anomaly Score of 2.
#       Generated mostly by the protocol rules (92x files).
#
# In anomaly mode, these scores are cumulative.
# So it's possible for a request to hit multiple rules.
#
# (Note: In this file, we use 'phase:1' to set CRS configuration variables.
# In general, 'phase:request' is used. However, we want to make absolutely sure
# that all configuration variables are set before the CRS rules are processed.)
#
#SecAction \
# "id:900100,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.critical_anomaly_score=5,\
#  setvar:tx.error_anomaly_score=4,\
#  setvar:tx.warning_anomaly_score=3,\
#  setvar:tx.notice_anomaly_score=2"


#
# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------
#
# Here, you can specify at which cumulative anomaly score an inbound request,
# or outbound response, gets blocked.
#
# Most detected inbound threats will give a critical score of 5.
# Smaller violations, like violations of protocol/standards, carry lower scores.
#
# [ At default value ]
# If you keep the blocking thresholds at the defaults, the CRS will work
# similarly to previous CRS versions: a single critical rule match will cause
# the request to be blocked and logged.
#
# [ Using higher values ]
# If you want to make the CRS less sensitive, you can increase the blocking
# thresholds, for instance to 7 (which would require multiple rule matches
# before blocking) or 10 (which would require at least two critical alerts - or
# a combination of many lesser alerts), or even higher. However, increasing the
# thresholds might cause some attacks to bypass the CRS rules or your policies.
#
# [ New deployment strategy: Starting high and decreasing ]
# It is a common practice to start a fresh CRS installation with elevated
# anomaly scoring thresholds (>100) and then lower the limits as your
# confidence in the setup grows. You may also look into the Sampling
# Percentage section below for a different strategy to ease into a new
# CRS installation.
#
# [ Anomaly Threshold / Paranoia Level Quadrant ]
#
#     High Anomaly Limit   |   High Anomaly Limit
#     Low Paranoia Level   |   High Paranoia Level
#     -> Fresh Site        |   -> Experimental Site
# ------------------------------------------------------
#     Low Anomaly Limit    |   Low Anomaly Limit
#     Low Paranoia Level   |   High Paranoia Level
#     -> Standard Site     |   -> High Security Site
#
# Uncomment this rule to change the defaults:
#
#SecAction \
# "id:900110,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.inbound_anomaly_score_threshold=5,\
#  setvar:tx.outbound_anomaly_score_threshold=4"

#
# -- [[ Application Specific Rule Exclusions ]] ----------------------------------------
#
# Some well-known applications may undertake actions that appear to be
# malicious. This includes actions such as allowing HTML or Javascript within
# parameters. In such cases the CRS aims to prevent false positives by allowing
# administrators to enable prebuilt, application specific exclusions on an
# application by application basis.
# These application specific exclusions are distinct from the rules that would
# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as
# they are prebuilt for specific applications. The 'REQUEST-900' file is
# designed for users to add their own custom exclusions. Note, using these
# application specific exclusions may loosen restrictions of the CRS,
# especially if used with an application they weren't designed for. As a result
# they should be applied with care.
# To use this functionality you must specify a supported application. To do so
# uncomment rule 900130. In addition to uncommenting the rule you will need to
# specify which application(s) you'd like to enable exclusions for. Only a
# (very) limited set of applications are currently supported, please use the
# filenames prefixed with 'REQUEST-903' to guide you in your selection.
# Such filenames use the following convention:
# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf
#
# It is recommended if you run multiple web applications on your site to limit
# the effects of the exclusion to only the path where the excluded webapp
# resides using a rule similar to the following example:
# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:crs_exclusions_wordpress=1

#
# Modify and uncomment this rule to select which application:
#
#SecAction \
# "id:900130,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.crs_exclusions_drupal=1,\
#  setvar:tx.crs_exclusions_wordpress=1"

#
# -- [[ HTTP Policy Settings ]] ------------------------------------------------
#
# This section defines your policies for the HTTP protocol, such as:
# - allowed HTTP versions, HTTP methods, allowed request Content-Types
# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy)
#
# These variables are used in the following rule files:
# - REQUEST-911-METHOD-ENFORCEMENT.conf
# - REQUEST-912-DOS-PROTECTION.conf
# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf

# HTTP methods that a client is allowed to use.
# Default: GET HEAD POST OPTIONS
# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
#          MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
# Uncomment this rule to change the default.
#SecAction \
# "id:900200,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

# Content-Types that a client is allowed to send in a request.
# Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain
# Uncomment this rule to change the default.
#SecAction \
# "id:900220,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain'"

# Allowed HTTP versions.
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so
# we include both version strings by default.
# Uncomment this rule to change the default.
#SecAction \
# "id:900230,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"

# Forbidden file extensions.
# Guards against unintended exposure of development/configuration files.
# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/
# Uncomment this rule to change the default.
#SecAction \
# "id:900240,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"

# Forbidden request headers.
# Header names should be lowercase, enclosed by /slashes/ as delimiters.
# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
# Default: /proxy/ /lock-token/ /content-range/ /translate/ /if/
# Uncomment this rule to change the default.
#SecAction \
# "id:900250,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"

# File extensions considered static files.
# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
# Used in DoS protection rule. See section "Anti-Automation / DoS Protection".
# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/
# Uncomment this rule to change the default.
#SecAction \
# "id:900260,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"


#
# -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
#
# Here you can define optional limits on HTTP get/post parameters and uploads.
# This can help to prevent application specific DoS attacks.
#
# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
# Beware of blocking legitimate traffic when enabling these limits.
#

# Block request if number of arguments is too high
# Default: unlimited
# Example: 255
# Uncomment this rule to set a limit.
#SecAction \
# "id:900300,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.max_num_args=255"

# Block request if the length of any argument name is too high
# Default: unlimited
# Example: 100
# Uncomment this rule to set a limit.
#SecAction \
# "id:900310,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.arg_name_length=100"

# Block request if the length of any argument value is too high
# Default: unlimited
# Example: 400
# Uncomment this rule to set a limit.
#SecAction \
# "id:900320,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.arg_length=400"

# Block request if the total length of all combined arguments is too high
# Default: unlimited
# Example: 64000
# Uncomment this rule to set a limit.
#SecAction \
# "id:900330,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.total_arg_length=64000"

# Block request if the file size of any individual uploaded file is too high
# Default: unlimited
# Example: 1048576
# Uncomment this rule to set a limit.
#SecAction \
# "id:900340,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.max_file_size=1048576"

# Block request if the total size of all combined uploaded files is too high
# Default: unlimited
# Example: 1048576
# Uncomment this rule to set a limit.
#SecAction \
# "id:900350,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.combined_file_sizes=1048576"


#
# -- [[ Easing In / Sampling Percentage ]] -------------------------------------
#
# Adding the Core Rule Set to an existing productive site can lead to false
# positives, unexpected performance issues and other undesired side effects.
#
# It can be beneficial to test the water first by enabling the CRS for a
# limited number of requests only and then, when you have solved the issues (if
# any) and you have confidence in the setup, to raise the ratio of requests
# being sent into the ruleset.
#
# Adjust the percentage of requests that are funnelled into the Core Rules by
# setting TX.sampling_percentage below. The default is 100, meaning that every
# request gets checked by the CRS.  The selection of requests, which are going
# to be checked, is based on a pseudo random number generated by ModSecurity.
#
# If a request is allowed to pass without being checked by the CRS, there is no
# entry in the audit log (for performance reasons), but an error log entry is
# written.  If you want to disable the error log entry, then issue the
# following directive somewhere after the inclusion of the CRS
# (E.g., RESPONSE-999-EXCEPTIONS.conf).
#
# SecRuleUpdateActionById 901150 "nolog"
#
# ATTENTION: If this TX.sampling_percentage is below 100, then some of the
# requests will bypass the Core Rules completely and you lose the ability to
# protect your service with ModSecurity.
#
# Uncomment this rule to enable this feature:
#
#SecAction "id:900400,\
#  phase:1,\
#  pass,\
#  nolog,\
#  setvar:tx.sampling_percentage=100"


#
# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------
#
# Optionally, you can check the client IP address against the Project Honey Pot
# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a
# free API key. Set it here with SecHttpBlKey.
#
# Project Honeypot returns multiple different malicious IP types.
# You may specify which you want to block by enabling or disabling them below.
#
# Ref: https://www.projecthoneypot.org/httpbl.php
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
#
# Uncomment these rules to use this feature:
#
#SecHttpBlKey XXXXXXXXXXXXXXXXX
#SecAction "id:900500,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.block_search_ip=1,\
#  setvar:tx.block_suspicious_ip=1,\
#  setvar:tx.block_harvester_ip=1,\
#  setvar:tx.block_spammer_ip=1"


#
# -- [[ GeoIP Database ]] ------------------------------------------------------
#
# There are some rulesets that inspect geolocation data of the client IP address
# (geoLookup). The CRS uses geoLookup to implement optional country blocking.
#
# To use geolocation, we make use of the MaxMind GeoIP database.
# This database is not included with the CRS and must be downloaded.
# You should also update the database regularly, for instance every month.
# The CRS contains a tool to download it to util/geo-location/GeoIP.dat:
#   util/upgrade.py --geoip
#
# This product includes GeoLite data created by MaxMind, available from:
# http://www.maxmind.com.
#
# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
#
# Uncomment this rule to use this feature:
#
#SecGeoLookupDB util/geo-location/GeoIP.dat


#
# -=[ Block Countries ]=-
#
# Rules in the IP Reputation file can check the client against a list of high
# risk country codes. These countries have to be defined in the variable
# tx.high_risk_country_codes via their ISO 3166 two-letter country code:
# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
#
# If you are sure that you are not getting any legitimate requests from a given
# country, then you can disable all access from that country via this variable.
# The rule performing the test has the rule id 910100.
#
# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be
# downloaded (see the section "GeoIP Database" above.)
#
# By default, the list is empty. A list used by some sites was the following:
# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
#
# Uncomment this rule to use this feature:
#
SecAction \
 "id:900600,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"


#
# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------
#
# Optional DoS protection against clients making requests too quickly.
#
# When a client is making more than 100 requests (excluding static files) within
# 60 seconds, this is considered a 'burst'. After two bursts, the client is
# blocked for 600 seconds.
#
# Requests to static files are not counted towards DoS; they are listed in the
# 'tx.static_extensions' setting, which you can change in this file (see
# section "HTTP Policy Settings").
#
# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf.
#
# Uncomment this rule to use this feature:
#
SecAction \
 "id:900700,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.dos_burst_time_slice=60',\
  setvar:'tx.dos_counter_threshold=100',\
  setvar:'tx.dos_block_timeout=600'"


#
# -- [[ Check UTF-8 encoding ]] ------------------------------------------------
#
# The CRS can optionally check request contents for invalid UTF-8 encoding.
# We only want to apply this check if UTF-8 encoding is actually used by the
# site; otherwise it will result in false positives.
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900950,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.crs_validate_utf8_encoding=1"


#
# -- [[ Blocking Based on IP Reputation ]] ------------------------------------
#
# Blocking based on reputation is permanent in the CRS. Unlike other rules,
# which look at the indvidual request, the blocking of IPs is based on
# a persistent record in the IP collection, which remains active for a
# certain amount of time.
#
# There are two ways an individual client can become flagged for blocking:
# - External information (RBL, GeoIP, etc.)
# - Internal information (Core Rules)
#
# The record in the IP collection carries a flag, which tags requests from
# individual clients with a flag named IP.reput_block_flag.
# But the flag alone is not enough to have a client blocked. There is also
# a global switch named tx.do_reput_block. This is off by default. If you set
# it to 1 (=On), requests from clients with the IP.reput_block_flag will
# be blocked for a certain duration.
#
# Variables
# ip.reput_block_flag      Blocking flag for the IP collection record
# ip.reput_block_reason    Reason (= rule message) that caused to blocking flag
# tx.do_reput_block        Switch deciding if we really block based on flag
# tx.reput_block_duration  Setting to define the duration of a block
#
# It may be important to know, that all the other core rules are skipped for
# requests, when it is clear that they carry the blocking flag in question.
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900960,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.do_reput_block=1"
#
# Uncomment this rule to change the blocking time:
# Default: 300 (5 minutes)
#
#SecAction \
# "id:900970,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.reput_block_duration=300"


#
# -- [[ Collection timeout ]] --------------------------------------------------
#
# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
# to a lower setting which is appropriate to most sites.
# This increases performance by cleaning out stale collection (block) entries.
#
# This value should be greater than or equal to:
# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and
# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection").
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout

# Please keep this directive uncommented.
# Default: 600 (10 minutes)
SecCollectionTimeout 600


#
# -- [[ Debug Mode ]] ----------------------------------------------------------
#
# To enable rule development and debugging, CRS has an optional debug mode
# that does not block a request, but instead sends detection information
# back to the HTTP client.
#
# This functionality is currently only supported with the Apache web server.
# The Apache mod_headers module is required.
#
# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score"
# response headers whenever a debug client makes a request. Example:
#
#   # curl -v 'http://192.168.1.100/?foo=../etc/passwd'
#   X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI,
#                TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo,
#                TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo
#   X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0
#
# To enable debug mode, include the RESPONSE-981-DEBUG.conf file.
# This file resides in a separate folder, as it is not compatible with
# nginx and IIS.
#
# You must specify the source IP address/network where you will be running the
# tests from. The source IP will BYPASS all CRS blocking, and will be sent the
# response headers as specified above. Be careful to only list your private
# IP addresses/networks here.
#
# Tip: for regression testing of CRS or your own ModSecurity rules, you may
# be interested in using the OWASP CRS regression testing suite instead.
# View the file util/regression-tests/README for more information.
#
# Uncomment these rules, filling in your CRS path and the source IP address,
# to enable debug mode:
#
#Include /path/to/crs/util/debug/RESPONSE-981-DEBUG.conf
#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
# "id:900980,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  ctl:ruleEngine=DetectionOnly,\
#  setvar:tx.crs_debug_mode=1"


#
# -- [[ End of setup ]] --------------------------------------------------------
#
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
# has been loaded. If you are not planning to use this setup template,
# you must manually set the tx.crs_setup_version variable before including
# the CRS rules/* files.
#
# The variable is a numerical representation of the CRS version number.
# E.g., v3.0.0 is represented as 300.
#
SecAction \
 "id:900990,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_setup_version=300"

/var/log/modsec_audit.log also has:

---k8xhoUPQ---B--
GET /?select%20*%20from%20information_schema.COLUMNS HTTP/1.1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 124.168.151.214
If-Modified-Since: Thu, 20 Apr 2017 00:19:07 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
X-Forwarded-Proto: http
Cookie: optimizelyEndUserId=oeu1492644723140r0.3715918435791641; f_ref=ref_url::||ld_url::http%3A//www.example.com/||date_time::1492644723; __lc.visitor_id.7607
361=S1492644725.8ba7dc371a; autoinvite_callback=true; autoinvite_callback=true; gtm_counter=2; optimizelySegments=%7B%22184548075%22%3A%22direct%22%2C%22184559157%22%3A%22gc%22
%2C%22184623069%22%3A%22false%22%2C%223053980129%22%3A%22none%22%7D; optimizelyBuckets=%7B%7D; mr_ref=ref_url::||ld_url::http%3A//www.example.com/%3Fselect%2520
*%2520from%2520information_schema.COLUMNS||date_time::1492647550; __utma=1.1087458367.1492644725.1492644726.1492647228.2; __utmc=1; __utmz=1.1492644726.1.1.utmcsr=(direct)|utmc
cn=(direct)|utmcmd=(none); _ga=GA1.3.1087458367.1492644725; lc_window_state=minimized; gtm_source=Direct; _sp_id.f81d=a4ea69cc02874029.1492644728.2.1492647555.1492644745.40a8b5
8c-b19e-43eb-957f-710e2d2826d4
Accept-Encoding: gzip, deflate, sdch
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
host: www.example.com
X-Forwarded-Port: 80
Connection: keep-alive

[maopaolinux]

hi @Menahem1
Have you solved the problem?And i also have that's the problem.
I use nginx（1.12.2）， openresty-1.11.2.2 and modsecurity v3.0.2,
can you help me?

[victorhora]

@maopaolinux try applying these patches to both libModSecurity and nginx-connector:

8285a97

owasp-modsecurity/ModSecurity-nginx@bcfe69a