C
CrowdSecβ€’2mo ago
GNU Plus Windows User

ModSecurity parser not parsing response rules (Phase 4)

$ sudo cscli explain --file test_error.log --type modsecurity 
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.  file=/tmp/user/0/cscli_explain4047805967/parser-dump.yaml
line: 2025/10/27 19:47:46 [error] 273240#273240: *657 [client 1.1.1.1] ModSecurity: Access denied with code 403 (phase 4). Matched "Operator `Contains' with parameter `evil.webshell' against variable `RESPONSE_BODY' (Value: `<title> evil.webshell </title>\x0a<h1> evil.webshell </h1>\x0a' ) [file "/etc/modsecurity/test.conf"] [line "190"] [id "955003"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "example.com"] [uri "/evil-webshell.txt"] [unique_id "176155486667.073983"] [ref "o8,13v619,56"] while sending to client, client: 1.1.1.1, server: example.com, request: "GET /evil-webshell.txt HTTP/2.0", upstream: "https://2.2.2.2:443/evil-webshell.txt", host: "example.com"
        β”œ s00-raw
        |       β”œ πŸ”΄ crowdsecurity/syslog-logs
        |       β”” 🟒 crowdsecurity/non-syslog (+5 ~8)
        β”œ s01-parse
        |       β”œ πŸ”΄ crowdsecurity/auditd-logs
        |       β”œ πŸ”΄ crowdsecurity/modsecurity
        |       β”œ πŸ”΄ crowdsecurity/nginx-logs
        |       β”œ πŸ”΄ crowdsecurity/pkexec-logs
        |       β”œ πŸ”΄ crowdsecurity/segfault-logs
        |       β”” πŸ”΄ crowdsecurity/sshd-logs
        β””-------- parser failure πŸ”΄
WARNING Line 0/1 is missing evt.StrTime. It is most likely a mistake as it will prevent your logs to be processed in time-machine/forensic mode.  file=/tmp/user/0/cscli_explain4047805967/parser-dump.yaml
line: 2025/10/27 19:47:46 [error] 273240#273240: *657 [client 1.1.1.1] ModSecurity: Access denied with code 403 (phase 4). Matched "Operator `Contains' with parameter `evil.webshell' against variable `RESPONSE_BODY' (Value: `<title> evil.webshell </title>\x0a<h1> evil.webshell </h1>\x0a' ) [file "/etc/modsecurity/test.conf"] [line "190"] [id "955003"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "example.com"] [uri "/evil-webshell.txt"] [unique_id "176155486667.073983"] [ref "o8,13v619,56"] while sending to client, client: 1.1.1.1, server: example.com, request: "GET /evil-webshell.txt HTTP/2.0", upstream: "https://2.2.2.2:443/evil-webshell.txt", host: "example.com"
        β”œ s00-raw
        |       β”œ πŸ”΄ crowdsecurity/syslog-logs
        |       β”” 🟒 crowdsecurity/non-syslog (+5 ~8)
        β”œ s01-parse
        |       β”œ πŸ”΄ crowdsecurity/auditd-logs
        |       β”œ πŸ”΄ crowdsecurity/modsecurity
        |       β”œ πŸ”΄ crowdsecurity/nginx-logs
        |       β”œ πŸ”΄ crowdsecurity/pkexec-logs
        |       β”œ πŸ”΄ crowdsecurity/segfault-logs
        |       β”” πŸ”΄ crowdsecurity/sshd-logs
        β””-------- parser failure πŸ”΄
OS: Ubuntu 24.04 CrowdSec Version: 1.7.2 ModSec version: libModSecurity3 v3.0.14 NGINX Version: 1.24.0
7 Replies
CrowdSec
CrowdSecβ€’2mo ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
© Created By WhyAydan for CrowdSec ❀️
Loz
Lozβ€’2mo ago
https://github.com/crowdsecurity/hub/pull/1552
GitHub
fix: add support for modsecurity phase 4 (response body) parsing by...
Description Update modsecurity parser to capture phase information in &amp;#39;Access denied&amp;#39; format Capture HTTP status code from Access denied logs Add test case for phase 4 response bod...
GNU Plus Windows User
GNU Plus Windows UserOPβ€’2mo ago
The log line you added to the test isn't the same as the one I gave you, my original log line still isn't parsing. I think the issue is with the upstream: part of the log line.
Loz
Lozβ€’2mo ago
my bad it's this https://github.com/crowdsecurity/hub/pull/1554
GitHub
fix(parsers): Add upstream and 'while sending to client' support to...
…odsecurity nginx parser Resolves issue where modsecurity nginx logs containing upstream proxy information were failing to parse correctly. Description Updated NGINXERRORSUFFIX pattern to handle ...
Loz
Lozβ€’2mo ago
it the while sending to client infront of client ip and upstream
GNU Plus Windows User
GNU Plus Windows UserOPβ€’2mo ago
awesome, everything works great now
CrowdSec
CrowdSecβ€’2mo ago
Resolving ModSecurity parser not parsing response rules (Phase 4) This has now been resolved. If you think this is a mistake please run /unresolve

Did you find this page helpful?