custom_regex / mod_sec Trigger not working
Posted: 24 Jun 2016, 16:51
Dear Support,
I have multiple servers, all with CSF/LFD + CXS working on cPanel.
After updating, the mod_security LF_MODSEC trigger no longer works (no IP ban on the configured trigger).
I have cPanel/WHM 56.0 Build 24 on CentOS 6.8 x86_64 running on the servers.
I use classic Apache/2.4.18 compiled with EasyApache 3 under cPanel.
I run the common Atomicorp ModSec rules subscription on the servers.
With the classic csf/lfd install, all servers fail to detect LF_MODSEC triggers (I think it is related to the regex csf uses in general).
Here is an example from the ModSec error log:
[Fri Jun 24 14:57:32.514712 2016] [:error] [pid 273192] [client xx.xx.xx.xx:36203] [client xx.xx.xx.xx] ModSecurity: [file "/usr/local/apache/modsecurity.d/10_asl_rules.conf"] [line "200"] [id "340006"] [rev "68"] [msg "Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS"] [data "../../,ARGS:bc"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "\\\\.\\\\./\\\\.\\\\./" at ARGS:bc. [hostname "domainname.xyz"] [uri "/data/"] [unique_id "V20uPKwXIwIABCsob2sAAAAP"]
I have configured that if ModSec is triggered 3 times the IP should be banned. But nothing happens.
Until yesterday my little custom regex always worked fine:
# lfd regex.custom.pm fragment: match an Apache 2.4 / ModSecurity "Access denied" error_log line
# (two [client ...] fields; the second one carries the client address without the source port)
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\]) \[client (\S+)\] \[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? .*Access denied/)) {
    my $ip = $5;                                   # second [client ...] capture
    my $acc = "";
    $ip =~ s/^::ffff://;                           # strip IPv4-mapped IPv6 prefix
    if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}    # "a.b.c.d:port" -> drop the port
    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}   # ModSecurity rule id, if logged
    if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip|$acc","mod_security")} else {return}
}
But now it no longer works on all servers and I can find no solution ;(
I also tried other custom regexes, no luck; the IPs are not being banned once the trigger count should be reached.
Is it possible to download the csf 8.26 version somewhere? That worked fine. I need a fast solution because multiple servers are impacted by this.
Best Regards
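To check whether the posted custom regex still matches the error_log format quoted in the post, here is an added Python harness (not part of the post and not csf/lfd code) that runs the same pattern over a few constructed log lines shaped like the quoted one, extracts the IP and rule id the way the Perl fragment does, and counts denials per IP against the 3-hit threshold. The `checkip` here is a stand-in built on `ipaddress`, not lfd's own function; the IPs, the "Warning." line and the Apache 2.2-style line are constructed samples.

```python
import re
import ipaddress

# The pattern from the posted lfd custom_line() fragment, unchanged; Python's re
# treats every construct used here ([^]], \S, \w, optional groups) as Perl does.
MODSEC_RE = re.compile(
    r'^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\])'
    r' \[client (\S+)\] \[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? .*Access denied'
)
RULEID_RE = re.compile(r'\[id "(\d+)"\]')


def checkip(ip):
    # Stand-in for lfd's checkip() (assumption): accept only a parseable IPv4/IPv6 address.
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False


def custom_line(line):
    """Mirror of the posted Perl branch. Returns (message, "ip|account", trigger) or None."""
    m = MODSEC_RE.match(line)
    if not m:
        return None
    ip = m.group(5)                      # second [client ...] field ($5 in the Perl)
    acc = ""
    ip = re.sub(r'^::ffff:', '', ip)     # drop IPv4-mapped IPv6 prefix
    if len(ip.split(':')) == 2:          # exactly one colon: "a.b.c.d:port", drop the port
        ip = re.sub(r':\d+$', '', ip)
    ruleid = "unknown"
    rm = RULEID_RE.search(line)
    if rm:
        ruleid = rm.group(1)
    if not checkip(ip):
        return None
    return ("mod_security (id:%s) triggered by" % ruleid, "%s|%s" % (ip, acc), "mod_security")


def count_triggers(lines, threshold=3):
    """Tally matched denials per IP; return the IPs that reached the threshold (3 in the post)."""
    hits = {}
    for line in lines:
        r = custom_line(line)
        if r:
            ip = r[1].split('|')[0]
            hits[ip] = hits.get(ip, 0) + 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


DENIED = "Access denied with code 403 (phase 2)."


def make_line(client_port, client, rule_id, action):
    # Constructed sample in the Apache 2.4 error_log shape quoted in the post (documentation IPs).
    return (r'[Fri Jun 24 14:57:32.514712 2016] [:error] [pid 273192] '
            r'[client %s] [client %s] ModSecurity: '
            r'[file "/usr/local/apache/modsecurity.d/10_asl_rules.conf"] [line "200"] '
            r'[id "%s"] [rev "68"] [msg "Atomicorp.com WAF Rules: Generic Path Recursion denied in URI/ARGS"] '
            r'[data "../../,ARGS:bc"] [severity "CRITICAL"] %s Pattern match "\.\./\.\./" at ARGS:bc. '
            r'[hostname "domainname.xyz"] [uri "/data/"] [unique_id "V20uPKwXIwIABCsob2sAAAAP"]'
            % (client_port, client, rule_id, action))


SAMPLE_LOG = [
    make_line("203.0.113.7:36203", "203.0.113.7", "340006", DENIED),
    make_line("203.0.113.7:36204", "203.0.113.7", "340006", DENIED),
    make_line("203.0.113.7:36205", "203.0.113.7", "340006", "Warning."),   # logged, not denied: must not count
    make_line("203.0.113.7:36206", "203.0.113.7", "340006", DENIED),
    make_line("::ffff:198.51.100.9:40001", "::ffff:198.51.100.9", "340006", DENIED),
    # Older Apache 2.2-style line (no [pid], a single [client]); the posted regex does not match this shape
    '[Fri Jun 24 14:57:32 2016] [error] [client 203.0.113.7] ModSecurity: ' + DENIED + ' [id "340006"]',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(custom_line(line))
    print(count_triggers(SAMPLE_LOG))   # {'203.0.113.7': 3}
```

If a real line from the server's ModSec error log does not produce a tuple here, the regex is the problem (for example a line with only one `[client ...]` field or without `[pid ...]`, as the last sample shows); if it does, the regex is fine and the cause lies elsewhere in the lfd pipeline.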