Tip to get this plugin working

[STonEDSTonE]

Hi,

i just installed ModSecurity (2.9.7) and OWASP_CRS (3.3.4) for my Nextcloud installation.
As expected, nothing worked anymore, which is why I tried to install this plugin by following the mentioned https://coreruleset.org/docs/concepts/plugins/#how-to-install-a-plugin
So I created the crs/plugins folder and placed the config files inside that folder:

media@media-server:~$ ls -l /etc/modsecurity/crs/plugins/
total 28
-rw-r--r-- 1 root root 22806 Mai  9 12:14 nextcloud-rule-exclusions-before.conf
-rw-r--r-- 1 root root  1634 Mai  9 12:14 nextcloud-rule-exclusions-config.conf

But I saw no difference in appearance (browser apps do not work, desktop client can't connect) and in the audit.log, as if the plugin does not load at all:

sudo tail -f /var/log/apache2/modsec_audit.log
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "44"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 192.168.X.X] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "44"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "REDACTED.ddns.net"] [uri "/ocs/v2.php/apps/user_status/api/v1/heartbeat"] [unique_id "ZFoiGy9GqzS5o9NoQUbhiAAAAAo"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 192.168.X.X] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "REDACTED.ddns.net"] [uri "/ocs/v2.php/apps/user_status/api/v1/heartbeat"] [unique_id "ZFoiGy9GqzS5o9NoQUbhiAAAAAo"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 192.168.X.X] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"] [hostname "REDACTED.ddns.net"] [uri "/index.php/error/403"] [unique_id "ZFoiGy9GqzS5o9NoQUbhiAAAAAo"]
Action: Intercepted (phase 2)
Apache-Handler: proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost
Stopwatch: 1683628571613387 72442 (- - -)
Stopwatch2: 1683628571613387 72442; combined=5290, p1=648, p2=4462, p3=0, p4=0, p5=180, sr=138, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); OWASP_CRS/3.3.4.
Server: Apache/2.4.57 (Ubuntu)
Engine-Mode: "ENABLED"

So I went digging for a bit.
Apache should load the CRS from here:

media@media-server:~$ cat /etc/apache2/mods-enabled/security2.conf
<IfModule security2_module>
        ...
	# Include OWASP ModSecurity CRS rules if installed
	IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load
</IfModule>

And in the .load file it should load the config files:

media@media-server:~$ cat /usr/share/modsecurity-crs/owasp-crs.load
##
## This file loads OWASP CRS's rules when the package is installed
## It is Included by libapache2-mod-security2
##
Include /etc/modsecurity/crs/crs-setup.conf
IncludeOptional /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/share/modsecurity-crs/rules/*.conf
IncludeOptional /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

I felt like there should be a Include in that file for the plugins, so i put those in myself:
Include /etc/modsecurity/crs/plugins/-config.conf
Include /etc/modsecurity/crs/plugins/-before.conf

And now it works.
That took me a bit of time so I thought I would share this here, it would be nice if this information could be put into https://github.com/coreruleset/nextcloud-rule-exclusions-plugin#installation so others can save some time and hassle :)

[azurit]

Hi,

you can find this information here:
https://coreruleset.org/docs/concepts/plugins/#how-do-plugins-work-conceptually

Plugins are a new feature which will be included in CRS 4.0, so older versions are not prepared for them and needs to be adjusted.