fuzzylogic
Comments
Recent activity by fuzzylogic
Two requests. Could you post the full line of that log message? (anonymizing IP, username or host name) Knowing the date, time formats, number of spaces etc. before the word "Dropping" allows for ...
-
Just found a new SA-CORE-2018-004 / CVE-2018-7602 poc by alexandrezfs on github. Both 3313 and 3297 matched the first request of the poc. The second request was a non match for those rules but also...
-
I have just finished testing these rules against the requests suggested by dreadlocked on Twitter with poc by Blaklis on Pastebin exploiting SA-CORE-2018-004 / CVE-2018-7602. GENERIC rule 3312 matc...
-
Here is another update to these rules. I noticed on another website a user reporting attack traffic using Content-Type multipart/form-data and using a file field to pass the exploit data... --9a3c9...
-
Just as an update (or heads up) to this thread, a Proof of Concept exploiting this vulnerability was published 2 days ago. Automated attacks began within a few hours of that. After checking the 2 ...
-
It sounds like you want to log the user account in the deny list record comment. I don't know how to do that. If you just want to find out which account name was used to add an ip to the block lis...
-
I suggest you investigate Configserver Exploit Scanner (CXS). It is a paid third party WHM Plugin that does an excellent job at upload scanning. (As well as other good things) It uses a modsecurity...
-
I think your chained rule is not saving due to syntax error. The error is the "chain" in the last clause. It should not be there. Modsec assumes you want to chain the next rule that it reads after...
-
@jeffschips Mod-security is an efficient HTTP request parser. It is designed to run in the Apache process of a single request, block or allow the request, then log what happened then exit as the p...
-
I have received similar emails about uploads to /wp-content/plugins/dzs-videogallery/upload.php being quarantined. In the subject line of the emails is cxs Scan on... In the body of the email is Qu...