ModSecurity rules triggered but not blocking the attacker
Hi,
Just saw that ModSecurity rules are triggered but not blocking the attacker?
In the /usr/local/apache/logs/error_log I see:
[Mon Jul 06 11:45:30.605637 2020] [:error] [pid 14579:tid 47073841063680] [client 50.87.144.91:37724] [client 50.87.144.91] ModSecurity: Warning. Pattern match "(?i:(?:\\\\s*?(?:exec|execute).*?(?:\\\\W)xp_cmdshell)|(?:[\\"'`]\\\\s*?!\\\\s*?[\\"'`\\\\w])|(?:from\\\\W+information_schema\\\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\\\s*?\\\\([^\\\\)]*?)|(?:[\\"'`];?\\\\s*?(?:select|union|having)\\\\b\\\\s*?[^\\\\s])|(?:\\\\wiif ..." at ARGS:s. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "61"] [id "942190"] [rev "2"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union all select found within ARGS:s: e9df86de0cc5b1f99884715e695722da '-6863 union all select CONCAT(0x3a6f79753a,0x4244764877697569706b,0x3a70687a3a)1,1,1,1#"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.mobinuke.com"] [uri "/activity.php"] [unique_id "XwLkqnDNqLQBB@MMoe6MvQAAAA0"]
But I don't see the attacker being "Access denied". Any idea why? Thank you!
I just uninstalled and installed OWASP again and now it is working! The case is solved!
The log line you posted is only one of many mod-security rule hits for that HTTP request. If you run the command... grep -n 'XwLkqnDNqLQBB@MMoe6MvQAAAA0' /usr/local/apache/logs/error_log
you will see the other log lines for that request, all with identical timestamps and unique_id and with consecutive line numbers in the log. The second-to-last mod-security rule hit log line, rule [id "949110"], will have the text... ModSecurity: Access denied with code 403 (phase 2)
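An added example, not code from the thread, that does programmatically what the grep above does by hand: it groups ModSecurity error_log lines by unique_id and reports, per request, which rule ids fired and whether an "Access denied" line was logged for it. The log lines are constructed and shortened for the example; only the unique_id and the rule ids 942190 and 949110 are taken from the thread, and the second request (client, URI, id) is invented.

```python
import re
from collections import defaultdict

# Constructed, shortened error_log lines. The first request is the one from the thread
# and ends in the 949110 "Access denied" line; the second is invented and shows the
# symptom asked about: a rule matched but no deny line followed.
SAMPLE_LOG = """\
[Mon Jul 06 11:45:30.605637 2020] [:error] [pid 14579:tid 47073841063680] [client 50.87.144.91:37724] [client 50.87.144.91] ModSecurity: Warning. Pattern match "..." at ARGS:s. [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/activity.php"] [unique_id "XwLkqnDNqLQBB@MMoe6MvQAAAA0"]
[Mon Jul 06 11:45:30.605637 2020] [:error] [pid 14579:tid 47073841063680] [client 50.87.144.91:37724] [client 50.87.144.91] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/activity.php"] [unique_id "XwLkqnDNqLQBB@MMoe6MvQAAAA0"]
[Mon Jul 06 11:46:02.100000 2020] [:error] [pid 14579:tid 47073841063680] [client 203.0.113.7:51000] [client 203.0.113.7] ModSecurity: Warning. Pattern match "..." at ARGS:q. [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [severity "CRITICAL"] [hostname "www.example.test"] [uri "/search.php"] [unique_id "CONSTRUCTED-ID-0002"]
"""

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')      # [key "value"] pairs in the audit part
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')      # the last [client ...] has no port


def parse_line(line):
    """Pull the quoted key/value fields, the client IP and the deny marker out of one line."""
    entry = dict(FIELD_RE.findall(line))
    clients = CLIENT_RE.findall(line)
    entry["client"] = clients[-1] if clients else None
    entry["blocked"] = "ModSecurity: Access denied with code" in line
    return entry


def summarize(log_text):
    """Return {unique_id: {client, uri, rule_ids, blocked}} for every request seen in the log."""
    per_request = defaultdict(list)
    for line in log_text.splitlines():
        if "ModSecurity:" in line:                  # skip unrelated Apache errors
            entry = parse_line(line)
            per_request[entry.get("unique_id", "?")].append(entry)
    return {
        uid: {
            "client": entries[0]["client"],
            "uri": entries[0].get("uri"),
            "rule_ids": [e.get("id") for e in entries],
            "blocked": any(e["blocked"] for e in entries),
        }
        for uid, entries in per_request.items()
    }


def unblocked_requests(log_text):
    """unique_ids where rules matched but no Access denied line was logged: the case in the thread."""
    return [uid for uid, s in summarize(log_text).items() if not s["blocked"]]


if __name__ == "__main__":
    for uid, s in summarize(SAMPLE_LOG).items():
        print(uid, s["client"], s["uri"], s["rule_ids"], "DENIED" if s["blocked"] else "NOT DENIED")
```

To run it against a real log, replace SAMPLE_LOG with the contents of /usr/local/apache/logs/error_log; an entry reported as NOT DENIED for a request that should have been blocked is the thing to investigate.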
Thank you @fuzzylogic for that answer and @masterross I'm glad to see the issue is now resolved.
Is there a way to have IPs banned by Mod_Security also banned in the CSF firewall? If an IP is behaving badly, I'd like to ban it server-wide.
Oh I think I found the answer here: @fuzzylogic :)