ModSecurity Tools not logging all hits
Hi. I'm not convinced that all hits to mod_security are showing up in ModSecurity Tools > Hits List. There are lots of results in there, but I'm fairly sure not all. Is that possible?
I have found hits in /usr/local/apache/logs/error_log that are not in ModSecurity Tools > Hits List. I am using LiteSpeed (default cPanel setup). Should I be looking somewhere else? Is it possible LiteSpeed is logging somewhere else that ModSecurity Tools is not looking at?
LiteSpeed is configured to use /var/log/apache2/error_log, but the contents of those logs look the same (at least for the period in question).
They are the same log.
@quietFinn Thanks. I thought so, but wasn't 100% sure. Must be a hard link.
So here's an example... there are several of these in the log, yet they are not in the ModSecurity Tools > Hits List:

2023-03-22 12:52:10.867317 [NOTICE] [39665] [T4] [xx.xx.xx.xx:61822-H3:33C54DC092A3054D-52#APVH_xx.xx.xx.xx:443_xx.xx.com] [MODSEC] mod_security rule [id "211080"] at [/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf:150] triggered!
[Wed Mar 22 12:52:10.865969 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'MATCHED_VAR' '@rx [\r\n]\W*?(?:content-(type|length)|set-cookie|location):'] [id "211080"] [rev "2"] [msg "COMODO WAF: HTTP Response Splitting Attack||xx.xx.com|F|2"] [logdata "Matched Data: ..."] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "xx.xx.com"] [uri "/wp-admin/admin.php?page=wpjb-job&action=add"], referer: https://xx.xx.com/wp-admin/admin.php?page=wpjb-job&action=add
Seems you are using Comodo's rules. They are not supported by the current ModSecurity version (should be 2.9.7).
@quietFinn Yes, you're right. I've been using these rules so long, I forgot. I used the OWASP rules for a little while when first introduced by cPanel, but I had so much trouble with false positives that I went back to the Comodo rules that had been working for me. I guess I have to switch now :)
Are you running mod_ruid2 on the server? I don't think you would be, because you mentioned LiteSpeed earlier, but I just wanted to clarify.
Hi. Thanks. No, I am not. Yes, I am running LiteSpeed. Here are the mods I am running on Apache 2.4:
- config
- config-runtime
- mod_asis
- mod_bwlimited
- mod_cgid
- mod_deflate
- mod_env
- mod_expires
- mod_headers
- mod_mpm_worker
- mod_proxy
- mod_proxy_fcgi
- mod_proxy_http
- mod_proxy_wstunnel
- mod_security2
- mod_ssl
- mod_suexec
- mod_suphp
- mod_unique_id
- mod_version
- tools
Thanks - I just wanted to confirm, since there is a known issue with hits not being logged when using ruid2. At this point, it's probably best to submit a ticket to our team so we can do some additional testing.
@cPRex Thanks :-)
Sure thing - if you are able to submit a ticket, please post the number here so I can follow along.
94949031
Thanks for that - I'm following along with that ticket now.
I just wanted to bring a summary here. After some back and forth and trying a few controlled tests, there were two things going on. The first issue was that when using LiteSpeed, you should tweak the type of logging used by mod_security.

The second thing is that the ModSecurity Tools > Hits List in WHM does not log all activity by design, to keep the volume in there down. I can't say I'm thrilled about that. A logging tool that only shows some events seems more misleading than useful, but it is what it is.

"I understand the confusion that the Hits List might cause for not reporting every rule. The list tries to grab the most relevant results from the logs to help reduce the potentially large amount of noise that can be generated on an active server when ModSecurity is enabled. Our most current documentation for this feature is in the following two articles: Though, the exact algorithm is not documented as to which rules make the Hits List interface. WHM tries to simplify many operations to make running a web server easier than directly interfacing with the services, but this can sometimes come with a limitation when having more advanced needs. For those with more advanced needs, searching the full logs for the ModSecurity hits is recommended to ensure all the information you need can be found, and you can whitelist the rule manually through WHM."

In any case, great support as always from cPanel. Thanks.
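Since the support reply above recommends searching the full logs rather than relying on the Hits List, here is an added example (not code from the thread, cPanel or LiteSpeed) of a small Python parser for the ModSecurity error_log lines in the format posted earlier, tallying every hit by rule id. The sample log is constructed from the redacted entry in the thread; rule id 900001 and the /example URI are placeholders.

```python
import re
from collections import Counter

# Bracketed key/value fields as ModSecurity writes them to the error log,
# e.g. [id "211080"] [msg "..."] [severity "CRITICAL"]
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample log. The first two lines mirror the redacted entry posted
# in the thread (LiteSpeed NOTICE plus the matching ModSecurity error line);
# the third is a made-up entry with placeholder rule id 900001 to show grouping.
SAMPLE_LOG = r'''
2023-03-22 12:52:10.867317 [NOTICE] [39665] [T4] [xx.xx.xx.xx:61822] [MODSEC] mod_security rule [id "211080"] at [/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf:150] triggered!
[Wed Mar 22 12:52:10.865969 2023] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'MATCHED_VAR' '@rx ...'] [id "211080"] [rev "2"] [msg "COMODO WAF: HTTP Response Splitting Attack||xx.xx.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "xx.xx.com"] [uri "/wp-admin/admin.php?page=wpjb-job&action=add"]
[Wed Mar 22 13:01:44.000000 2023] [error] [client xx.xx.xx.xx] ModSecurity: Warning. [id "900001"] [msg "constructed sample rule"] [severity "WARNING"] [hostname "xx.xx.com"] [uri "/example"]
'''


def parse_hits(log_text):
    """Return one dict per 'ModSecurity:' error line, keyed by its bracketed fields.

    LiteSpeed's [MODSEC] NOTICE lines carry only the rule id and are skipped,
    because the matching [error] line has the full detail. Repeated [tag ...]
    fields are collected into a list.
    """
    hits = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        hit = {"tags": []}
        for key, value in KV_RE.findall(line):
            if key == "tag":
                hit["tags"].append(value)
            else:
                hit[key] = value
        hit["denied"] = "Access denied" in line  # blocked vs. detect-only
        if "id" in hit:  # skip malformed lines with no rule id
            hits.append(hit)
    return hits


def count_by_rule(hits):
    """Hits per rule id, to compare against what the WHM Hits List displays."""
    return Counter(hit["id"] for hit in hits)


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    for rule_id, n in count_by_rule(hits).most_common():
        print(f"rule {rule_id}: {n} hit(s)")
    for hit in hits:
        print(hit["id"], hit["severity"], hit["hostname"] + hit["uri"], "denied" if hit["denied"] else "logged")
```

Point `parse_hits` at the contents of /usr/local/apache/logs/error_log and compare `count_by_rule` against the Hits List to see which rule ids WHM is omitting.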
Thanks so much for sharing!