
Modsec found critical issue, but did nothing about it?

Comments (7)

  • fuzzylogic
    In WHM go to... Home » Security Center » ModSecurity » Tools » Hits List. Use the search box there. Search for "security scanner". In the list of results find the one that your thread is about. Copy the IP of the line you choose. Paste it into the search box. In the list of results find the one that your thread is about. There should be a group of 3 hits with the same timestamp (all from the same http request). It should look like this...

    2019-02-28 12:54:58 domain.com xxx.xxx.xxx.xxx CRITICAL 403 913100:Found User-Agent associated with security scanner
    2019-02-28 12:54:58 domain.com xxx.xxx.xxx.xxx CRITICAL 403 949110:Inbound Anomaly Score Exceeded (Total score 5)
    2019-02-28 12:54:58 domain.com xxx.xxx.xxx.xxx 403 980130:Inbound Anomaly Score Exceeded Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Found User-Agent associated with security scanner

    The 1st is the hit you posted. (It sets the tx.anomaly_score variable to the default CRITICAL value of 5.) The 2nd is the rule with the 403 Deny action. (It is a hit because it read the tx.anomaly_score value, which was above the default threshold.) The 3rd is a logging rule which does nothing except write a log of anomaly score category values plus messages from previous rules.

    If you don't have all 3 hits for the request then you will need to troubleshoot the reason why. The most likely reason would be that you have disabled rule 949110 (you should never do this). Another reason can be that in WHM... Home » Security Center » ModSecurity » Configuration » Configure Global Directives, you have the following Rules Engine setting selected... "Process the rules in verbose mode, but do not execute disruptive actions."
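The three-hit pattern fuzzylogic describes (913100 scores, 949110 denies, 980130 logs) can be checked mechanically rather than by eye. The script below is an added example, not part of the thread and not cPanel's or the CRS's own code: it parses Hits List lines in the column layout shown above, groups them by timestamp, host and client IP (one HTTP request), and reports for each request whether 949110 actually fired with a 403 or the request was merely scored. The sample lines are constructed for the example; the IP addresses and the second request are invented.

```python
import re

# Constructed sample in the column layout of the WHM Hits List lines quoted
# above: date time host ip [severity] status ruleid:message. Lines 1-3 are one
# complete request (scored, denied, logged). Line 4 is an invented second
# request where 913100 fired but 949110 never did, so nothing denied it.
SAMPLE_HITS = """\
2019-02-28 12:54:58 domain.com 192.0.2.10 CRITICAL 403 913100:Found User-Agent associated with security scanner
2019-02-28 12:54:58 domain.com 192.0.2.10 CRITICAL 403 949110:Inbound Anomaly Score Exceeded (Total score 5)
2019-02-28 12:54:58 domain.com 192.0.2.10 403 980130:Inbound Anomaly Score Exceeded Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Found User-Agent associated with security scanner
2019-02-28 13:02:11 domain.com 198.51.100.7 CRITICAL 200 913100:Found User-Agent associated with security scanner
"""

HIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<ip>\S+) "
    r"(?:(?P<severity>[A-Z]+) )?"   # the 980130 correlation line carries no severity column
    r"(?P<status>\d{3}) "
    r"(?P<rule>\d+):(?P<msg>.*)$"
)
SCORE_RE = re.compile(r"Inbound Score: (\d+)")

BLOCKING_RULE = "949110"  # CRS rule that denies once the inbound anomaly score exceeds the threshold
LOGGING_RULE = "980130"   # CRS rule that only logs the per-category scores after the request


def parse_hits(text):
    """Parse Hits List lines into dicts; lines that do not match the layout are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def group_by_request(hits):
    """Group hits that belong to one HTTP request: same timestamp, host and client IP."""
    groups = {}
    for h in hits:
        groups.setdefault((h["ts"], h["host"], h["ip"]), []).append(h)
    return groups


def audit_hits(text):
    """One finding per request, stating whether the scoring hit actually led to a deny."""
    findings = []
    for (ts, host, ip), hits in group_by_request(parse_hits(text)).items():
        rules = [h["rule"] for h in hits]
        score = None
        for h in hits:
            if h["rule"] == LOGGING_RULE:
                m = SCORE_RE.search(h["msg"])
                if m:
                    score = int(m.group(1))
        # A real block shows the deny rule AND every hit of the request carrying 403.
        blocked = BLOCKING_RULE in rules and all(h["status"] == "403" for h in hits)
        finding = {
            "ts": ts, "host": host, "ip": ip,
            "rules": rules,
            "inbound_score": score,
            "verdict": "blocked" if blocked else "detected-not-blocked",
        }
        if not blocked:
            # The two causes named in the thread for a scored-but-not-denied request.
            finding["hint"] = ("949110 missing or no 403: check that 949110 is not disabled "
                               "and that the Rules Engine is not in verbose/no-disruptive-actions mode")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_hits(SAMPLE_HITS):
        print(f"{f['ts']} {f['ip']} rules={','.join(f['rules'])} "
              f"score={f['inbound_score']} -> {f['verdict']}")
```

A request that shows 913100 but no 949110 is exactly the symptom in the thread title: the engine scored the request but nothing denied it. Note that the Hits List only has data to search when the ModSecLog service is running, which is what cPanelMichael's later reply in this thread turned out to be the problem.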
  • cPanelMichael
    Hello @subtopic, The information in the previous post should address your concern. Let us know if you have any additional questions. Thank you.
  • subtopic
    Thank you for the advice. For my server it says hit list is empty, even when I search for 'security scanner'.
  • cPanelMichael
    For my server it says hit list is empty, even when I search for 'security scanner'.

    Hello @subtopic, Feel free to open a
  • subtopic
    11665021
  • cPanelMichael
    Hello, To update, the ModSecLog service was disabled in WHM >> Service Manager. This led to the lack of results in the Hits List interface. Enabling the service addressed the issue. Thank you.
  • subtopic
    Yep, thank you for the help. Have a good one.
