ModSecurity OWASP 960009 catching PayPal IPN
I just enabled the OWASP rules on my server and ran a test PayPal IPN from their simulator. The data was able to hit my script and run just fine, but it seemed kind of slow, and when I look at the ModSecurity Tools log I do see that it triggered a notice.
NOTICE 200 960009: Request Missing a User Agent Header
Request: POST /?AngellEYE_Paypal_Ipn_For_Wordpress&action=ipn_handler
Action Description: Warning.
Justification: Operator EQ matched 0 at REQUEST_HEADERS.
How can I customize this rule to allow this without triggering a notice?
I guess I would have the same question for any general customization I want to make. I can't seem to find a good tutorial or anything on reading the log to figure out exactly what was triggered, and then how to adjust the rule or the OWASP config files to allow what I want?
Any information on this would be greatly appreciated. Thanks!
Here's another example I could use some help with. Running WordPress, any time I try to use the Empty Spam button from within comment spam it gets caught by OWASP thinking it's a SQL injection attempt and redirects me to the home page. I've been deleting my spam through my database directly instead, but it would sure be nice to figure out how to adjust this rule so that stops happening. This is the request that it grabbed:
GET /wp-admin/edit-comments.php?s=&comment_status=spam&pagegen_timestamp=2015-06-09+16%3A20%3A27&_total=100&_per_page=20&_page=1&_ajax_fetch_list_nonce=a5debd75aa&_wp_http_referer=%2Fwp-admin%2Fedit-comments.php%3Fcomment_status%3Dspam&_wpnonce=c4352c54a3&_wp_http_referer=%2Fwp-admin%2Fedit-comments.php%3Fcomment_status%3Dspam&action=-1&comment_type=&_destroy_nonce=35e83c0444&_wp_http_referer=%2Fwp-admin%2Fedit-comments.php%3Fcomment_status%3Dspam&delete_all=Empty+Spam&paged=1&action2=-1&_destroy_nonce=35e83c0444&_wp_http_referer=%2Fwp-admin%2Fedit-comments.php%3Fcomment_status%3Dspam
And the justification shows a regular expression pattern match:
Pattern match "(?i:([\\s'\"`\\(\\)]*?)([\\d\\w]++)([\\s'\"`\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\\(\\)]*?)\\2|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\\(\\)]*?)(?!\\2)([\\d\\w]+)))" at ARGS:_wp_http_referer.
I guess it's because the first parameter on the query string is just an s?
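What the "disable" checkbox and a hand-written exclusion look like in ModSecurity's own directive language, as an added example that is not from the thread, the control panel or the OWASP CRS. It assumes ModSecurity 2.7 or later on Apache (the ctl:ruleRemoveTargetById action needs 2.7), that the directives live in a file Apache includes after the CRS rule files, and that the local rule ids 9000010 and 9000011 are unused in your setup. SQLI_RULE_ID is a placeholder: the thread does not quote the id of the SQL injection rule, so copy it from the log entry that shows the "Pattern match" above.

```apache
# Added example, not from the original thread or the OWASP CRS.
# Three levels of exclusion for the two false positives in the thread.
# Place this file after the CRS includes; the ctl: rules run in phase:1,
# so they take effect before the CRS rules themselves run in phase:2.

# 1. Blunt: disable 960009 everywhere. This is what unticking
#    "Enable Rule" in the panel amounts to. Simple, but the check is
#    gone for every request, not just PayPal IPN.
# SecRuleRemoveById 960009

# 2. Per-URL: skip 960009 only for the IPN handler. REQUEST_URI in
#    ModSecurity 2.x includes the query string, so the prefix from the
#    logged request line can be matched directly.
#    (9000010 is an arbitrary local id; assumption: it is free.)
SecRule REQUEST_URI "@beginsWith /?AngellEYE_Paypal_Ipn_For_Wordpress" \
    "id:9000010,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960009"

# 3. Per-parameter: keep the SQLi rule active but stop it inspecting
#    WordPress's _wp_http_referer argument on the comments screen.
#    Replace SQLI_RULE_ID with the id shown next to the pattern match.
SecRule REQUEST_URI "@beginsWith /wp-admin/edit-comments.php" \
    "id:9000011,phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetById=SQLI_RULE_ID;ARGS:_wp_http_referer"

# The same parameter exclusion for every request (no URL condition),
# as a static directive instead of a ctl action:
# SecRuleUpdateTargetById SQLI_RULE_ID !ARGS:_wp_http_referer
```

Why the third form is the one to reach for: decoded, ARGS:_wp_http_referer is `/wp-admin/edit-comments.php?comment_status=spam`, and the rule's first alternative (`word = same-word`) matches the `s=s` inside `status=spam`, so it is the parameter, not the rule, that is the problem. Excluding just that argument keeps the rule checking every other input. Two caveats: the per-URL rule in form 2 is only as strong as its condition, since anyone can send a request to that URL without a User-Agent header (960009 is only a warning-level notice anyway), and after any change run `apachectl configtest` and replay the two requests above, then confirm the ModSecurity log no longer shows the hit.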
Click the Rule ID on right side of page. The next page that opens has an option to disable. Please be sure to take the extra moment to report this as well. On the Tools page right of the Rule ID is an arrow to expand that block to find the "Report this Hit" button.
Click the Rule ID on right side of page. The next page that opens has an option to disable. Please be sure to take the extra moment to report this as well. On the Tools page right of the Rule ID is an arrow to expand that block to find the "Report this Hit" button.
When I click on the Rule ID it opens up a details page where it shows me the rule, and I do see a check box in there that's checked for "Enable Rule". Is this what you're talking about? If I uncheck that box here, does it disable the entire rule the same as if I turned it off from the ModSecurity Vendors list, or would this only disable blocking traffic that matches the one particular log I clicked on?
Correct. You should also know that you might be doing quite a bit of this, tweaking the rules to fit your server. GL!
I've had to disable about 6 rules for what I believe to be false positives. Documentation on what each rule does is nonexistent, and I found that any documentation which does exist makes little or no sense. I'm now of the mindset that the remaining rules should hopefully be giving me some protection, and some is better than none.
I've had my rules all cranked up here so far and I'm seeing lots of hits in the ModSecurity Tools log, but they all look like stuff I'd want blocked. What sort of requests were you getting that were triggering rules you had to disable?
I really don't know to be honest, it was about 3 months ago. I did pick up that GoogleBot was causing at least 2; I even found that Google Webmaster Tools was reporting my web sites down. I've just looked and I have disabled 960008, 960009, 960015, & 981138, but these might not work for your setup.
What sort of requests were you getting that were triggering rules you had to disable?
If you run WHMCS, open the settings page and then click save. If you run WordPress, a XenForo forum or anything similar, open up your settings page and click save. Those are only a few examples of where your legit action might get blocked by ModSec. If something on your site no longer works, check ModSec Tools to see if this is why.