custom_regex / mod_sec Trigger not working

m7000
Junior Member
Posts: 4
Joined: 04 May 2016, 12:23

custom_regex / mod_sec Trigger not working

Post by m7000 »

Dear Support,

I have multiple servers, all with CSF/LFD + CXS working on cPanel.
After updating mod_security, the LF_MODSEC trigger is no longer working (no IP ban on the configured trigger).

I have cPanel/WHM 56.0 Build 24 on CentOS 6.8 x86_64 running on the servers.
I use classic Apache/2.4.18 compiled with EasyApache 3 under cPanel.
I run the common Atomicorp mod_security rules subscription on the servers.

With a classic csf/lfd install, none of the servers detect LF_MODSEC triggers (I think it is related to the regex used by csf in general).
Here is an example from the mod_security error log:

# Custom trigger in regex.custom.pm: match Apache 2.4 / mod_security "Access denied" lines
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\]) \[client (\S+)\] \[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? .*Access denied/)) {
    my $ip = $5;                                    # second [client ...] field: address without the port
    my $acc = "";
    $ip =~ s/^::ffff://;                            # strip IPv4-mapped IPv6 prefix
    if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}     # strip ":port" from an IPv4 address
    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}   # rule id, reported in the block reason
    if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip|$acc","mod_security")} else {return}
}


But now it no longer works on any of the servers and I can find no solution ;(
I also tried other custom regexes, no luck; the IPs are not being banned once the trigger count should have been reached.

Is it possible to download the csf 8.26 version somewhere? That worked fine. I need a fast solution because multiple servers are impacted by this.

Best Regards
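The trigger logic from the post above, as an added example in Python (it is not from the original post or from csf's own code): it applies the same regex to constructed Apache 2.4 / mod_security error-log lines, normalises the client address the way the Perl does, and reports addresses that reached the LF_MODSEC count of 3. The `sample_line` helper and the 192.0.2.x addresses are constructed for this example.

```python
import re
from collections import Counter

# Python translation of the Perl trigger regex from the post above.  The named
# group 'ip' is the second "[client ...]" field, which carries no port.
MODSEC_RE = re.compile(
    r'^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(?:\w*:)?error\] \[pid \d+(?::tid \d+)?\] '
    r'\[client \S+\] \[client (?P<ip>\S+)\] (?:\w+: )?ModSecurity:(?: \[[^]]+\])* '
    r'.*Access denied'
)
RULEID_RE = re.compile(r'\[id "(\d+)"\]')

def parse_modsec_line(line):
    """Return (ip, rule_id) for a ModSecurity 'Access denied' line, else None."""
    m = MODSEC_RE.search(line)
    if not m:
        return None
    ip = re.sub(r'^::ffff:', '', m.group('ip'))   # drop IPv4-mapped IPv6 prefix
    if ip.count(':') == 1:                         # IPv4 with a trailing :port
        ip = re.sub(r':\d+$', '', ip)
    rm = RULEID_RE.search(line)
    return ip, (rm.group(1) if rm else 'unknown')

def ban_candidates(lines, threshold=3):
    """Count 'Access denied' hits per IP; return those reaching the threshold."""
    hits = Counter()
    for line in lines:
        parsed = parse_modsec_line(line)
        if parsed:
            hits[parsed[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def sample_line(ip, port, rule_id):
    """Build a constructed Apache 2.4 / mod_security error-log line (hypothetical helper)."""
    return (f'[Fri Jun 24 14:57:32.514712 2016] [:error] [pid 273192] '
            f'[client {ip}:{port}] [client {ip}] ModSecurity: '
            f'[file "/usr/local/apache/modsecurity.d/10_asl_rules.conf"] '
            f'[line "200"] [id "{rule_id}"] [severity "CRITICAL"] '
            f'Access denied with code 403 (phase 2). [hostname "example.test"] [uri "/data/"]')

# Constructed sample log (documentation addresses), not taken from the post.
SAMPLE_LOG = [
    sample_line('192.0.2.10', 36203, '340006'),
    sample_line('192.0.2.10', 36204, '340006'),
    sample_line('192.0.2.20', 51000, '340006'),
    sample_line('::ffff:192.0.2.10', 36205, '340006'),
    '[Fri Jun 24 14:58:00.000000 2016] [:error] [pid 273192] [client 192.0.2.30:1] '
    '[client 192.0.2.30] ModSecurity: Warning. Pattern match "x" at ARGS:bc.',
]
```

Only "Access denied" lines count towards the threshold; a mod_security "Warning." line for the same rule is parsed as no match, exactly as in the Perl trigger.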
marcele
Junior Member
Posts: 215
Joined: 17 Sep 2007, 17:02

Re: custom_regex / mod_sec Trigger not working

Post by marcele »

I can confirm that CSF 9.x breaks custom login triggers in regex.custom.pm.

For reference:

# CUSTOM4_LOG trigger: match Apache access-log lines whose User-Agent contains one of the listed bots.
# Note: the leading empty alternative in (?:|Xenu|Yandex|Yeti) makes the group match any User-Agent string.
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^(\S+) \S+ \S+ \[[^:]+:\d+:\d+:\d+ [^\]]+\] \"\S+ .*? \S+\" \S+ \S+ ".*" "(?i)(.*(?:|Xenu|Yandex|Yeti).*)"$/)) {
    # $1 is the client address, $2 the matched User-Agent; the remaining arguments are the
    # per-trigger settings described in the regex.custom.pm header
    return ("Failed apache-useragents trigger with match [$2] from",$1,"apache-useragents","1","80,443","1");
}
Matching regex:
https://regex101.com/r/eI9qN6/1

After upgrading from csf v8.26 (generic) to csf v9.03 (generic), these custom regexes no longer work.
Last edited by marcele on 24 Jun 2016, 18:24, edited 1 time in total.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: custom_regex / mod_sec Trigger not working

Post by ForumAdmin »

We have just released csf v9.04 that should provide a fix for this:
http://blog.configserver.com/
marcele
Junior Member
Posts: 215
Joined: 17 Sep 2007, 17:02

Re: custom_regex / mod_sec Trigger not working

Post by marcele »

Thanks for the quick fix. Great work as always :)
m7000
Junior Member
Posts: 4
Joined: 04 May 2016, 12:23

Re: custom_regex / mod_sec Trigger not working

Post by m7000 »

Confirming it now works fine again; many thanks for the quick fix!! :)