Append and not overwrite configs in waf_modsec, cleanup

honeytraps/waf_modsec/Dockerfile

@@ -1,5 +1,4 @@
 FROM owasp/modsecurity-crs
-COPY httpd.conf /usr/local/apache2/conf/httpd.conf
 RUN apt install -y wget nano curl
 RUN wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.4.2-amd64.deb
 RUN dpkg -i filebeat-7.4.2-amd64.deb
@@ -9,6 +8,9 @@ COPY modsec_entry.sh /
 COPY robots.txt /home/
 COPY index.html /usr/local/apache2/htdocs/
 COPY login.html /usr/local/apache2/htdocs/
-COPY modsecurity.conf /etc/modsecurity.d/
+COPY httpd-extension.conf /app/httpd-extension.conf
+COPY modsecurity-extension.conf /app/modsecurity-extension.conf
+RUN cat /app/httpd-extension.conf >> /usr/local/apache2/conf/httpd.conf
+RUN cat /app/modsecurity-extension.conf >> /etc/modsecurity.d/modsecurity.conf
 RUN chmod +x /modsec_entry.sh
 CMD ["/modsec_entry.sh"]

honeytraps/waf_modsec/example-formatted-log-message.txt

@@ -0,0 +1,202 @@
+Warning. Found 9 byte(s) in ARGS:q outside range: 38,44-46,48-58,61,65-90,95,97-122. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] 
+	[line "1391"]
+	[id "920273"]
+	[msg "Invalid character in request (outside of very strict set)"]
+	[data "ARGS:q=\x22><script>alert(1)</script>"]
+	[severity "CRITICAL"] 
+	[ver "OWASP_CRS/3.2.0"] 
+	[tag "application-multi"]
+	[tag "language-multi"]
+	[tag "platform-multi"]
+	[tag "attack-protocol"]
+	[tag "OWASP_CRS"]
+	[tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
+	[tag "paranoia-level/4"],
+Warning. detected XSS using libinjection. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] 
+	[line "59"] 
+	[id "941100"] 
+	[msg "XSS Attack Detected via libinjection"] 
+	[data "Matched Data: XSS data found within ARGS:q: \x22><script>alert(1)</script>"] 
+	[severity "CRITICAL"] 
+	[ver "OWASP_CRS/3.2.0"] 
+	[tag "application-multi"] 
+	[tag "language-multi"] 
+	[tag "platform-multi"] 
+	[tag "attack-xss"] 
+	[tag "OWASP_CRS"] 
+	[tag "OWASP_CRS/WEB_ATTACK/XSS"] 
+	[tag "WASCTC/WASC-8"] 
+	[tag "WASCTC/WASC-22"] 
+	[tag "OWASP_TOP_10/A3"] 
+	[tag "OWASP_AppSensor/IE1"] 
+	[tag "CAPEC-242"],
+Warning. Pattern match "(?i)<script[^>]*>[\\s\\S]*?" at ARGS:q. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] 
+	[line "90"] 
+	[id "941110"] 
+	[msg "XSS Filter - Category 1: Script Tag Vector"] 
+	[data "Matched Data: <script> found within ARGS:q: \x22><script>alert(1)</script>"] 
+	[severity "CRITICAL"] 
+	[ver "OWASP_CRS/3.2.0"] 
+	[tag "application-multi"] 
+	[tag "language-multi"] 
+	[tag "platform-multi"] 
+	[tag "attack-xss"] 
+	[tag "OWASP_CRS"] 
+	[tag "OWASP_CRS/WEB_ATTACK/XSS"] 
+	[tag "WASCTC/WASC-8"] 
+	[tag "WASCTC/WASC-22"] 
+	[tag "OWASP_TOP_10/A3"] 
+	[tag "OWASP_AppSensor/IE1"] 
+	[tag "CAPEC-242"], 
+Warning. Pattern match "(?i:(?:<\\w[\\s\\S]*[\\s\\/]|['\"](?:[\\s\\S]*[\\s\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange ..." at ARGS:q. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] 
+	[line "218"] 
+	[id "941160"] 
+	[msg "NoScript XSS InjectionChecker: HTML Injection"] 
+	[data "Matched Data: <script found within ARGS:q: \x22><script>alert(1)</script>"] 
+	[severity "CRITICAL"] 
+	[ver "OWASP_CRS/3.2.0"] 
+	[tag "application-multi"] 
+	[tag "language-multi"] 
+	[tag "platform-multi"] 
+	[tag "attack-xss"] 
+	[tag "OWASP_CRS"] 
+	[tag "OWASP_CRS/WEB_ATTACK/XSS"] 
+	[tag "WASCTC/WASC-8"] 
+	[tag "WASCTC/WASC-22"] 
+	[tag "OWASP_TOP_10/A3"] 
+	[tag "OWASP_AppSensor/IE1"] 
+	[tag "CAPEC-242"], 
+Warning. Pattern match "<(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head ..." at ARGS:q. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] 
+	[line "879"] 
+	[id "941320"] 
+	[msg "Possible XSS Attack Detected - HTML Tag Handler"] 
+	[data "Matched Data: <script> found within ARGS:q: \x22><script>alert(1)</script>"] 
+	[severity "CRITICAL"] 
+	[ver "OWASP_CRS/3.2.0"] 
+	[tag "application-multi"] 
+	[tag "language-multi"] 
+	[tag "platform-multi"] 
+	[tag "attack-xss"] 
+	[tag "OWASP_CRS"] 
+	[tag "OWASP_CRS/WEB_ATTACK/XSS"] 
+	[tag "WASCTC/WASC-8"] 
+	[tag "WASCTC/WASC-22"] 
+	[tag "OWASP_TOP_10/A2"] 
+	[tag "OWASP_AppSensor/IE1"] 
+	[tag "PCI/6.5.1"] 
+	[tag "paranoia-level/2"],
+Warning. Pattern match "(?:^\\s*[\"'`;]+|[\"'`]+\\s*$)" at ARGS:q. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
+	[line "550"] 
+	[id "942110"] 
+	[msg "SQL Injection Attack: Common Injection Testing Detected"] 
+	[data "Matched Data: \x22 found within ARGS:q: \x22><script>alert(1)</script>"] 
+	[severity "WARNING"] 
+	[ver "OWASP_CRS/3.2.0"] 
+	[tag "application-multi"] 
+	[tag "language-multi"] 
+	[tag "platform-multi"] 
+	[tag "attack-sqli"] 
+	[tag "OWASP_CRS"] 
+	[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] 
+	[tag "WASCTC/WASC-19"] 
+	[tag "OWASP_TOP_10/A1"] 
+	[tag "OWASP_AppSensor/CIE1"] 
+	[tag "PCI/6.5.2"] 
+	[tag "paranoia-level/2"],
+Warning. Pattern match "(?i:[\\s'\"`()]*?([\\d\\w]++)[\\s'\"`()]*?(?:<(?:=(?:[\\s'\"`()]*?(?!\\1)[\\d\\w]+|>[\\s'\"`()]*?(?:\\1))|>?[\\s'\"`()]*?(?!\\1)[\\d\\w]+)|(?:not\\s+(?:regexp|like)|is\\s+not|>=?|!=|\\^)[\\s'\"`()]*?(?!\\1)[\\d\\w]+|(?:(?:sounds\\s+)?like|r(?:egexp|lik ..." at ARGS:q. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] 
+	[line "628"] 
+	[id "942130"]
+	[msg "SQL Injection Attack: SQL Tautology Detected."] 
+	[data "Matched Data: script>alert found within ARGS:q: \x22><script>alert(1)</script>"] 
+	[severity "CRITICAL"] 
+	[ver "OWASP_CRS/3.2.0"] 
+	[tag "application-multi"] 
+	[tag "language-multi"] 
+	[tag "platform-multi"] 
+	[tag "attack-sqli"] 
+	[tag "OWASP_CRS"] 
+	[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] 
+	[tag "WASCTC/WASC-19"] 
+	[tag "OWASP_TOP_10/A1"] 
+	[tag "OWASP_AppSensor/CIE1"] 
+	[tag "PCI/6.5.2"] 
+	[tag "paranoia-level/2"],
+Warning. Pattern match "(?i:[\"'`]\\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\\|\\||and|div|&&)\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+|like(?:\\s+[\\s\\w]+=\\s*?\\w+\\s*?having\\s+|\\W*?[\"'`\\d])|[^?\\w\\s=.,;)(]++\\s*?[(@\"'`]*?\\s*?\\w+\\W+\\w|\\*\\s*?\\w+\\W+[\"'`])|(?:unio ..." at ARGS:q. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] 
+	[line "803"] 
+	[id "942260"] 
+	[msg "Detects basic SQL authentication bypass attempts 2/3"] 
+	[data "Matched Data: \x22><script>a found within ARGS:q: \x22><script>alert(1)</script>"] 
+	[severity "CRITICAL"] 
+	[ver "OWASP_CRS/3.2.0"] 
+	[tag "application-multi"] 
+	[tag "language-multi"] 
+	[tag "platform-multi"] 
+	[tag "attack-sqli"] 
+	[tag "OWASP_CRS"] 
+	[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] 
+	[tag "WASCTC/WASC-19"] 
+	[tag "OWASP_TOP_10/A1"] 
+	[tag "OWASP_AppSensor/CIE1"] 
+	[tag "PCI/6.5.2"] 
+	[tag "paranoia-level/2"],
+Warning. Pattern match "((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){6})" at ARGS:q. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] 
+	[line "1526"] 
+	[id "942431"] 
+	[msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)"] 
+	[data "Matched Data: \x22><script>alert(1) found within ARGS:q: \x22><script>alert(1)</script>"] 
+	[severity "WARNING"] 
+	[ver "OWASP_CRS/3.2.0"] 
+	[tag "application-multi"] 
+	[tag "language-multi"] 
+	[tag "platform-multi"] 
+	[tag "attack-sqli"] 
+	[tag "OWASP_CRS"] 
+	[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] 
+	[tag "WASCTC/WASC-19"] 
+	[tag "OWASP_TOP_10/A1"] 
+	[tag "OWASP_AppSensor/CIE1"] 
+	[tag "PCI/6.5.2"] 
+	[tag "paranoia-level/3"], 
+Warning. Pattern match "((?:[~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>][^~!@#\\$%\\^&\\*\\(\\)\\-\\+=\\{\\}\\[\\]\\|:;\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>]*?){2})" at ARGS:q. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] 
+	[line "1717"] 
+	[id "942432"] 
+	[msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)"] 
+	[data "Matched Data: \x22> found within ARGS:q: \x22><script>alert(1)</script>"] 
+	[severity "WARNING"] 
+	[ver "OWASP_CRS/3.2.0"] 
+	[tag "application-multi"] 
+	[tag "language-multi"] 
+	[tag "platform-multi"] 
+	[tag "attack-sqli"] 
+	[tag "OWASP_CRS"] 
+	[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] 
+	[tag "WASCTC/WASC-19"] 
+	[tag "OWASP_TOP_10/A1"] 
+	[tag "OWASP_AppSensor/CIE1"] 
+	[tag "PCI/6.5.2"] 
+	[tag "paranoia-level/4"],
+Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] 
+	[line "91"] 
+	[id "949110"] 
+	[msg "Inbound Anomaly Score Exceeded (Total Score: 44)"] [severity "CRITICAL"] 
+	[tag "application-multi"] 
+	[tag "language-multi"] 
+	[tag "platform-multi"] 
+	[tag "attack-generic"],
+Warning. Operator GE matched 5 at TX:inbound_anomaly_score. 
+	[file "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] 
+	[line "86"] 
+	[id "980130"] 
+	[msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 44 - SQLI=19,XSS=20,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 18, 3, 8"]
+	[tag "event-correlation"]