csf does not block modsecurity hits
Posted: 06 Feb 2022, 14:50
Hi,
I have some entries in the Apache log but csf does not want to block them.
My csf setup is:
LF_MODSEC =1
LF_MODSEC_PERM=1
An example of a hit:
[Sun Feb 06 15:19:31.126757 2022] [:error] [pid 2245461:tid 47937809155840] [client XX.XX.XX.XX:0]
[client XX.XX.XX.XX] ModSecurity: Warning.
Pattern match "\\\\$+(?:[a-zA-Z_\\\\x7f-\\\\xff][a-zA-Z0-9_\\\\x7f-\\\\xff]*|\\\\s*{.+})(?:\\\\s|\\\\[.+\\\\]|{.+}|/\\\\*.*\\\\*/|//.*|#.*)*\\\\(.*\\\\)"
at ARGS:trend_format[ftype0]. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "248"] [id "933180"] [rev "1"]
[msg "PHP Injection Attack: Variable Function Call Found"] [data "Matched Data: $s (%2$s) found within ARGS:trend_format[ftype0]: %1$s %3$s (%2$s)"] [severity "CRITICAL"]
[ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "7"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"]
[tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "www.example.com"] [uri "/wp-admin/admin-ajax.php"]
[unique_id "Yf_Y8-eOiG3YT05-CTDi-wAAAAU"], referer: https://www.example.com/page/
How can I fix it?