Description
Hi gurus
I'm having problems trying to configure the SecDataDir param on my current setup. When the parameter is activated in modsecurity.conf, I stop getting data in my audit file, and these files are created empty in my folder:
DefaultAppPool-global.dir
DefaultAppPool-global.pag
DefaultAppPool-ip.dir
DefaultAppPool-ip.pag
My application runs fine but no log is generated in the audit.
Can someone please help me with what I'm doing wrong with this SecDataDir so I can fix it?
Here is my setup
Base docker image is mcr.microsoft.com/dotnet/framework/aspnet:4.8
My application is ASP.net
ModSecurity version 3, msi installer
CoreRuleSet coreruleset-3.4-dev
ModSecurity.conf contents
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecStreamInBodyInspection On
SecRule ARGS, "zzz" phase:1,log,deny,status:503,id:1
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@Streq 0" \
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir C:\inetpub\temp
SecDataDir C:\inetpub\temp
SecDebugLog C:\inetpub\logs\debug.log
SecDebugLogLevel 3
SecAuditLogType Serial
SecAuditLog C:\inetpub\logs\modsecurity_audit.log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogStorageDir C:\inetpub\logs
SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile unicode.mapping 20127
SecStatusEngine On
crs-setup.conf is default
modsecurity_iis.conf
Include modsecurity.conf
Include crs-setup.conf
Include owasp_crs\rules\*.conf
Audit log when parameter is deactivated
--23480000-H--
Message: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "10.244.0.217_14e2560bfa3cd3a5250d92225315673dde28bb9a"). Use SecDataDir to define data directory first.
Apache-Handler: IIS
Stopwatch: 1605798105876665 2985738 (- - -)
Stopwatch2: 1605798105876665 2985738; combined=15609, p1=0, p2=0, p3=0, p4=15609, p5=0, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for IIS (STABLE)/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
Server: ModSecurity Standalone
Engine-Mode: "DETECTION_ONLY"
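
As an added example (not part of the original post): a small Python parser for the Serial audit log format shown above, which splits entries on their `--<id>-<part>--` boundaries and reports, per transaction, the producer, engine mode and any persistent collections that could not be retrieved. The sample input is built from the section H lines in the post; the closing `-Z--` line and the function names are assumptions made for the example.

```python
import re

# Constructed sample: section H lines from the post plus an assumed Z trailer.
SAMPLE = """\
--23480000-H--
Message: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "10.244.0.217_14e2560bfa3cd3a5250d92225315673dde28bb9a"). Use SecDataDir to define data directory first.
Apache-Handler: IIS
Producer: ModSecurity for IIS (STABLE)/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
Engine-Mode: "DETECTION_ONLY"

--23480000-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
COLLECTION_ERR = re.compile(
    r'^Message: collection_\w+: Unable to retrieve collection '
    r'\(name "([^"]+)", key "([^"]*)"\)')

def split_sections(text):
    """Return {transaction_id: {part_letter: [lines]}} for a Serial audit log."""
    entries, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx, part = m.groups()
            current = entries.setdefault(tx, {}).setdefault(part, [])
        elif current is not None:
            current.append(line)
    return entries

def trailer_report(text):
    """Summarise section H of every entry, including collection failures."""
    report = []
    for tx, parts in split_sections(text).items():
        item = {"id": tx, "complete": "Z" in parts, "producer": None,
                "engine_mode": None, "failed_collections": []}
        for line in parts.get("H", []):
            m = COLLECTION_ERR.match(line)
            if m:
                item["failed_collections"].append(m.group(1))
            elif line.startswith("Producer: "):
                item["producer"] = line[len("Producer: "):]
            elif line.startswith("Engine-Mode: "):
                item["engine_mode"] = line[len("Engine-Mode: "):].strip('"')
        report.append(item)
    return report

if __name__ == "__main__":
    print(trailer_report(SAMPLE))
```

Running the same function over an audit log written with `SecDataDir` unset gives a per-transaction list of the collections (`global`, `ip`) that the rules tried to persist, alongside the engine version that actually produced the entry.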