owasp-modsecurity · qix67 · Mar 22, 2021
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
@@ -139,6 +139,8 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
     intervention.log = NULL;
     intervention.disruptive = 0;
     ngx_http_modsecurity_ctx_t *ctx = NULL;
+    const char *severity;
+    ngx_uint_t ngxloglevel = NGX_LOG_ERR;
 
     dd("processing intervention");
 
@@ -158,7 +160,52 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
         log = "(no log message was specified)";
     }
 
-    ngx_log_error(NGX_LOG_ERR, (ngx_log_t *)r->connection->log, 0, "%s", log);
+    // extract modsecurity severity level from message
+    severity = strstr(log, "[severity \"");
+
+    if(severity != NULL)
+    {
+        int loglevel;
+
+        loglevel = atoi(severity + strlen("[severity \""));
+
+        switch(loglevel)
+        {
+            case 0:     //EMERGENCY: is generated from correlation of anomaly scoring data where there is an inbound attack and an outbound leakage.
+                        ngxloglevel = NGX_LOG_EMERG;    //Emergency error level
+                        break;
+
+            case 1:     //ALERT: is generated from correlation where there is an inbound attack and an outbound application level error.
+                        ngxloglevel = NGX_LOG_ALERT;    // Alert error level
+                        break;
+
+            case 2:     //CRITICAL: Anomaly Score of 5. Is the highest severity level possible without correlation. It is normally generated by the web attack rules (40 level files).
+                        ngxloglevel = NGX_LOG_CRIT;    // Critical error level
+                        break;
+
+            case 3:     //ERROR: Error - Anomaly Score of 4. Is generated mostly from outbound leakage rules (50 level files).
+                        ngxloglevel = NGX_LOG_ERR;        // Error level
+                        break;
+
+            case 4:     //WARNING: Anomaly Score of 3. Is generated by malicious client rules (35 level files).
+                        ngxloglevel = NGX_LOG_WARN;    // Warning level
+                        break;
+
+            case 5:     //NOTICE: Anomaly Score of 2. Is generated by the Protocol policy and anomaly files.
+                        ngxloglevel = NGX_LOG_NOTICE;    // Notice level
+                        break;
+
+            case 6:     //INFO
+                        ngxloglevel = NGX_LOG_INFO;    // Information level
+                        break;
+
+            case 7:     //DEBUG
+                        ngxloglevel = NGX_LOG_DEBUG;    // Debug level
+                        break;
+        }
+    }
+
+    ngx_log_error(ngxloglevel, (ngx_log_t *)r->connection->log, 0, "%s", log);
 
     if (intervention.log != NULL) {
         free(intervention.log);