LFD does not recognize matching rule from Imunify360

Posted: 15 Mar 2020, 22:03
by dannato
Hello,
LFD does NOT recognize matching mod_security rules from Imunify.

We tested many Imunify rules with the LF_MODSEC directive and the DEBUG directive enabled in csf.conf.

Imunify mod_security rules are neither counted nor ignored.

Tested with:

Imunify 4.5.6-1
CloudLinux 7.7
cPanel 11.84
CSF 14.02

Example.
In csf.conf
LF_TRIGGER= "0"
LF_MODSEC= "10"
LF_MODSEC_PERM= "1"

Our custom rule matched:
lfd[3772307]: debug: mod_security (id:5012300324) triggered by x.x.x.x - 3 failure(s) in the last 60 secs

Imunify rule unmatched by lfd:
[Sun Mar 15 22:59:55.110784 2020] [:error] [pid 3673669:tid xxxxxx] [client x.x.x.x:11051] [client x.x.x.x] ModSecurity: Warning. Match of "rx ^$" against "ARGS_POST:log" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/002_i360_2_bruteforce.conf"] [line "24"] [id "33332"] [rev "1"] [msg "WordPress login attempt||www.xxxx.xxx||MTD:xxxx||LOG:admin"] [severity "WARNING"] [maturity "1"] [tag "bruteforce"] [tag "i360"] [tag "noshow"] [hostname "www.xxxx.xxx"] [uri "/wp-login.php"] [unique_id "Xm6lWxUkMpjbUhIn4B8f4AAABE0"], referer: http://www.xxxx.xxx/wp-login.php

There is no entry about this event in lfd.log. In debug mode there is also no entry about counting that rule.

Waiting for your reply

Regards