From 8dca4aa92eba02db1dc94c47b4b389abde4c7304 Mon Sep 17 00:00:00 2001
From: Eric PREVOTEAU
Date: Mon, 22 Mar 2021 09:11:43 +0100
Subject: [PATCH] Adjust nginx log level according to modsecurity severity level

Without this patch, whatever severity level in modsecurity message, it appears as 'error' in nginx error.log file. This patch modifies this behavior. When a severity level is present, it is used as nginx log level else 'error' nginx log level is used.
---
 src/ngx_http_modsecurity_module.c | 49 ++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
index b6f33f5..c2bc143 100644
--- a/src/ngx_http_modsecurity_module.c
+++ b/src/ngx_http_modsecurity_module.c
@@ -139,6 +139,8 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
 intervention.log = NULL;
 intervention.disruptive = 0;
 ngx_http_modsecurity_ctx_t *ctx = NULL;
+ const char *severity;
+ ngx_uint_t ngxloglevel = NGX_LOG_ERR;
 dd("processing intervention");
@@ -158,7 +160,52 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
 log = "(no log message was specified)";
 }
- ngx_log_error(NGX_LOG_ERR, (ngx_log_t *)r->connection->log, 0, "%s", log);
+ // extract modsecurity severity level from message
+ severity = strstr(log, "[severity \"");
+
+ if(severity != NULL)
+ {
+ int loglevel;
+
+ loglevel = atoi(severity + strlen("[severity \""));
+
+ switch(loglevel)
+ {
+ case 0: //EMERGENCY: is generated from correlation of anomaly scoring data where there is an inbound attack and an outbound leakage.
+ ngxloglevel = NGX_LOG_EMERG; //Emergency error level
+ break;
+
+ case 1: //ALERT: is generated from correlation where there is an inbound attack and an outbound application level error.
+ ngxloglevel = NGX_LOG_ALERT; // Alert error level
+ break;
+
+ case 2: //CRITICAL: Anomaly Score of 5. Is the highest severity level possible without correlation. It is normally generated by the web attack rules (40 level files).
+ ngxloglevel = NGX_LOG_CRIT; // Critical error level
+ break;
+
+ case 3: //ERROR: Error - Anomaly Score of 4. Is generated mostly from outbound leakage rules (50 level files).
+ ngxloglevel = NGX_LOG_ERR; // Error level
+ break;
+
+ case 4: //WARNING: Anomaly Score of 3. Is generated by malicious client rules (35 level files).
+ ngxloglevel = NGX_LOG_WARN; // Warning level
+ break;
+
+ case 5: //NOTICE: Anomaly Score of 2. Is generated by the Protocol policy and anomaly files.
+ ngxloglevel = NGX_LOG_NOTICE; // Notice level
+ break;
+
+ case 6: //INFO
+ ngxloglevel = NGX_LOG_INFO; // Information level
+ break;
+
+ case 7: //DEBUG
+ ngxloglevel = NGX_LOG_DEBUG; // Debug level
+ break;
+ }
+ }
+
+ ngx_log_error(ngxloglevel, (ngx_log_t *)r->connection->log, 0, "%s", log);
 if (intervention.log != NULL) {
 free(intervention.log);
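Review bot: The lookup `severity = strstr(log, "[severity \"");` takes the first match anywhere in the message and hands it straight to `atoi`, so if ModSecurity echoes request-derived text (matched values, `[data "..."]`) into `log` ahead of its own severity tag — not visible in this hunk, but that is how the formatted message is usually laid out — a request carrying the literal `[severity "7"]` can demote a genuine alert to NGX_LOG_DEBUG, which nginx discards at its default `error_log` level, and the WAF hit never reaches error.log. `atoi` also maps a non-numeric or empty value to 0, i.e. NGX_LOG_EMERG, so malformed input is escalated instead of being left at the NGX_LOG_ERR fallback the commit message promises. I would take the last `[severity "` occurrence, parse it with `strtol`, and honour it only when at least one digit is followed by the closing quote and the value is in 0–7, keeping NGX_LOG_ERR otherwise (sketch below; `next` would be declared next to `severity` in the first hunk). Minor style: nginx code writes `if (` / `switch (` with a space and uses `/* */` comments rather than `//`. The enclosing ngx_http_modsecurity_process_intervention continues on both sides of the hunk.

```c
    // extract modsecurity severity level from message; use the LAST tag so that
    // request-derived text earlier in the message cannot supply a fake level
    severity = strstr(log, "[severity \"");
    while (severity != NULL
           && (next = strstr(severity + 1, "[severity \"")) != NULL)
    {
        severity = next;
    }

    if (severity != NULL)
    {
        const char *digits = severity + strlen("[severity \"");
        char *end;
        long loglevel = strtol(digits, &end, 10);

        // trust only a well-formed value (digit(s), closing quote, range 0..7);
        // anything else keeps the NGX_LOG_ERR default instead of atoi()'s 0 -> EMERG
        if (end != digits && *end == '"' && loglevel >= 0 && loglevel <= 7)
        {
            switch (loglevel)
            {
                /* ... unchanged: case 0 (NGX_LOG_EMERG) through case 7 (NGX_LOG_DEBUG) ... */
            }
        }
    }

    ngx_log_error(ngxloglevel, (ngx_log_t *)r->connection->log, 0, "%s", log);
```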