Bo Wang

Reputation: 509

owasp-modsecurity-crs detected but not deny the request

I built Nginx 1.10.3 with ModSecurity and owasp-modsecurity-crs, and tested it with curl. From the nginx log it works, since the request has already been detected by the rules, but the client still gets an HTTP success response, not the expected deny response such as 403.

Could you please help? Is there any additional configuration required?

[sib@sib ~]$ curl -H "User-Agent: Nikto" http://15.116.78.110
...
Welcome to nginx!
...

The nginx error.log:

2017/09/20 20:11:14 [error] 20545#0: [client 15.116.79.38] ModSecurity: Warning. Matched phrase "nikto" at REQUEST_HEADERS:User-Agent. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "60"] [id "913100"] [rev "2"] [msg "Found User-Agent associated with security scanner"] [data "Matched Data: nikto found within REQUEST_HEADERS:User-Agent: nikto"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation-scanner"] [tag "OWASP_CRS/AUTOMATION/SECURITY_SCANNER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname ""] [uri "/"] [unique_id "AcAcAcdcAcAcscAcRcAclc8T"]

Upvotes: 0

Views: 971

Answers (1)

Bo Wang

Reputation: 509

I have found the solution below:

The INSTALL file says you need to load the rule files explicitly for Nginx, because Nginx does not use alphabetical load order by itself. You used the Apache Include form *.conf, which resulted in Nginx evaluating the Anomaly Score before your rule triggered (the 949 file was loaded before the 942 file).

Load them as follows and you should be OK:

include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
...
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Upvotes: 1
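Added example, not code from the answer or from the CRS project: a small POSIX sh script that generates the explicit, numerically ordered include list for a CRS rules directory and checks that no rule file would load before a lower-numbered one (the 949 anomaly-score evaluation file must come after every REQUEST-9xx file that can raise the score). The directory layout is an assumption; the sample file names in crs_sample_layout are CRS 3.0 names constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the question or the CRS project): build an explicit,
# numerically ordered ModSecurity include list for an OWASP CRS 3.0 checkout
# and check the order, so the anomaly-score evaluation file (949) loads after
# every rule file that can raise the score. The layout is an assumption; point
# crs_include_list at your own owasp-modsecurity-crs directory.

# Rule number embedded in a CRS file name, e.g. 913 for
# REQUEST-913-SCANNER-DETECTION.conf (taken from the basename only, so
# hyphens elsewhere in the path, such as owasp-modsecurity-crs, are ignored).
crs_rule_number() {
    base=${1##*/}
    rest=${base#*-}
    printf '%s\n' "${rest%%-*}"
}

# Print include lines: crs-setup.conf first, then rules/*.conf sorted by rule
# number (REQUEST-900 ... REQUEST-949 ... RESPONSE-999), never by glob order.
crs_include_list() {
    printf 'include %s/crs-setup.conf\n' "$1"
    for f in "$1"/rules/*.conf; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(crs_rule_number "$f")" "$f"
    done | sort -n | while read -r num f; do
        printf 'include %s\n' "$f"
    done
}

# Read an include list on stdin; return 1 if any rule file appears before a
# lower-numbered one (e.g. 949 before 942, the ordering in the question).
crs_order_ok() {
    prev=0
    while read -r word f; do
        case $f in */rules/*.conf) ;; *) continue ;; esac
        n=$(crs_rule_number "$f")
        [ "$n" -ge "$prev" ] || return 1
        prev=$n
    done
    return 0
}

# Constructed sample layout using CRS 3.0 file names, for a stand-alone run.
crs_sample_layout() {
    mkdir -p "$1/rules" && touch "$1/crs-setup.conf"
    for n in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS REQUEST-913-SCANNER-DETECTION \
             REQUEST-942-APPLICATION-ATTACK-SQLI REQUEST-949-BLOCKING-EVALUATION \
             RESPONSE-999-EXCLUSION-RULES-AFTER-CRS; do
        touch "$1/rules/$n.conf"
    done
}

demo_dir=$(mktemp -d) && crs_sample_layout "$demo_dir"
crs_include_list "$demo_dir"
crs_include_list "$demo_dir" | crs_order_ok && echo "load order OK"
```

Paste the generated include lines into the ModSecurity configuration that nginx loads, in place of the *.conf glob.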
