
I'm in the process of configuring the new Nginx v1.18.0 server together with ModSecurity-nginx v1.0.1. I've added OWASP CRS 3.3.0 rules to the configuration. Unfortunately, I can't clearly tell if the rules are working. While reading blogs and articles about it I saw 3 possibilities to determine it:

curl -H "User-Agent: Nobody" http://5x.xx.xx.xxx:8085
curl http://5x.xx.xx.xxx:8085/?exec=/bin/bash
curl -I 'http://5x.xx.xx.xxx:8085/?param="><script>alert(1);</script>' --insecurecle.

None of these methods block access with code 403. I didn't notice any logs for these events while executing these commands. The log /var/log/modsec_audit.log actually contains some information that would indicate that CRS rules are working... What could be the reason for such behaviour?

The modsec_audit.log file contains reports like this:

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `51.83.131.157' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "718"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "51.83.131.157"] [severity "4"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "5x.xx.xx.xxx"] [uri "/api/v1"] [unique_id "1603116449"] [ref "o0,13v27,13"]

My file main.conf:

# Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf

# A test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

# OWASP CRS v3.3.0 rules
Include /usr/local/coreruleset-3.3.0/crs-setup.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-901-INITIALIZATION.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-910-IP-REPUTATION.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-912-DOS-PROTECTION.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include /usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /usr/local/coreruleset-3.3.0/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /usr/local/coreruleset-3.3.0/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /usr/local/coreruleset-3.3.0/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf

1 Answer


The rule 920350 was triggered because you sent your request to an IP address, not to a host name. If your application doesn't have any DNS entry, make an entry in your /etc/hosts file, and set your server for that name. Then you have to send your request like this: curl http://your.dns.name:8085/?exec=/bin/bash - if you get the status 403, and you see this in your log, then your engine works.

Note that if your SecRuleEngine is set to DetectOnly, you will see the request and the results in your log, but you won't get a 403. You must change this setting to On.

airween
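A few shell helpers for the checks the answer describes, added here as an example that is not part of the question or the answer: which rule an audit-log entry names, which SecRuleEngine mode the config sets, and a probe sent with a real name in the Host header (what rule 920350 inspects, so it stands in for the /etc/hosts route). The target URL and host name are placeholders, and the sample log line and config fragment are constructed.

```shell
#!/bin/sh
# Added example (not from the question or the answer): small helpers to check
# a ModSecurity + OWASP CRS deployment. Target URL and host name are
# placeholders; the sample log line and config below are constructed.

# Extract "id|msg" from one ModSecurity audit-log line so it is obvious
# which rule fired (for the page's line: 920350 on a numeric Host header).
modsec_rule_of() {
    printf '%s\n' "$1" |
        sed -n 's/.*\[id "\([^"]*\)"\].*\[msg "\([^"]*\)"\].*/\1|\2/p'
}

# Print the effective SecRuleEngine mode (last directive wins) from a config
# file: On, DetectOnly, Off, or "unset" when the directive is absent.
modsec_engine_mode() {
    mode=$(grep -E '^[[:space:]]*SecRuleEngine[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    printf '%s\n' "${mode:-unset}"
}

# Switch every SecRuleEngine directive in a config file to On (the answer's
# fix for a WAF that logs but never returns 403). Portable: no sed -i.
modsec_set_engine_on() {
    sed 's/^\([[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\).*/\1On/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Send one probe with a real host name in the Host header, so CRS rule 920350
# is not what blocks it, and return only the HTTP status. testparam=test
# matches the page's own test rule (id 1234): expect 403 when the engine is On.
waf_probe_status() {
    curl -s -o /dev/null -w '%{http_code}' -H "Host: ${2:-your.dns.name}" \
        "${1:-http://5x.xx.xx.xxx:8085}/?testparam=test"
}

# Constructed sample inputs (addresses taken from the documentation range).
SAMPLE_LOG=$(cat <<'EOF'
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `203.0.113.10' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "718"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "203.0.113.10"] [severity "4"]
EOF
)
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed modsecurity.conf fragment
SecRuleEngine DetectOnly
SecAuditEngine RelevantOnly
EOF
```

Run waf_probe_status against your own server once the config check reports On: a 403 together with an id 1234 entry in modsec_audit.log means the engine blocks, while a 200 with the same entry means it is still in DetectOnly.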