
Help understanding and blocking rules

Rules
Brad
2018-09-19
2018-09-23
  • Brad

    Brad - 2018-09-19

    Hi, I've set up a new cPanel server with ModSecurity enabled. I see some hits below; are these actually being "blocked" or only reported on?

    Usually I'd see "ModSecurity: Access Denied" in the log if it was blocked; however, for the below I'm only seeing "ModSecurity: Warning". I would appreciate any help.

    Thanks

    [Wed Sep 19 08:18:05.298993 2018] [:error] [pid 82247:tid 139900061951744] [client 36.25.122.153:57249] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "$_POST" at ARGS:0. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "78"] [id "933130"] [rev "2"] [msg "PHP Injection Attack: Variables Found"] [data "Matched Data: $_POST found within ARGS:0: @                                                 eval                                                             (base64_decode($_post[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/data/cache/asd.php"] [unique_id "W6F5nQe-@P27yBBM61qBsQAAABE"], referer: http://myhostname.com//data/cache/asd.php
    [Wed Sep 19 08:18:05.299199 2018] [:error] [pid 82247:tid 139900061951744] [client 36.25.122.153:57249] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "base64_decode" at ARGS:0. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "145"] [id "933150"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: base64_decode found within ARGS:0: @                                                 eval                                                             (base64_decode($_post[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/data/cache/asd.php"] [unique_id "W6F5nQe-@P27yBBM61qBsQAAABE"], referer: http://myhostname.com//data/cache/asd.php
    [Wed Sep 19 08:18:05.299995 2018] [:error] [pid 82247:tid 139900061951744] [client 36.25.122.153:57249] [client 36.25.122.153] ModSecurity: Warning. Pattern match "(?i)\\\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create| ..." at ARGS:0. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "174"] [id "933160"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: eval                                                             (base64_decode($_POST[z0])) found within ARGS:0: @                                                 eval                                                             (base64_decode($_POST[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/data/cache/asd.php"] [unique_id "W6F5nQe-@P27yBBM61qBsQAAABE"], referer: http://myhostname.com//data/cache/asd.php
    [Wed Sep 19 08:18:18.074416 2018] [:error] [pid 82351:tid 139900162664192] [client 36.25.122.153:61405] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "$_POST" at ARGS:qazw. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "78"] [id "933130"] [rev "2"] [msg "PHP Injection Attack: Variables Found"] [data "Matched Data: $_POST found within ARGS:qazw: @                                                 eval                                                             (base64_decode($_post[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/plus/result.php"] [unique_id "W6F5qcEiUp2rnlmdNYmW6gAAAUU"], referer: http://myhostname.com//plus/result.php
    [Wed Sep 19 08:18:18.074577 2018] [:error] [pid 82351:tid 139900162664192] [client 36.25.122.153:61405] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "base64_decode" at ARGS:qazw. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "145"] [id "933150"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: base64_decode found within ARGS:qazw: @                                                 eval                                                             (base64_decode($_post[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/plus/result.php"] [unique_id "W6F5qcEiUp2rnlmdNYmW6gAAAUU"], referer: http://myhostname.com//plus/result.php
    [Wed Sep 19 08:18:18.074814 2018] [:error] [pid 82351:tid 139900162664192] [client 36.25.122.153:61405] [client 36.25.122.153] ModSecurity: Warning. Pattern match "(?i)\\\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create| ..." at ARGS:qazw. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "174"] [id "933160"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: eval                                                             (base64_decode($_POST[z0])) found within ARGS:qazw: @                                                 eval                                                             (base64_decode($_POST[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A [hostname "myhostname.com"] [uri "/plus/result.php"] [unique_id "W6F5qcEiUp2rnlmdNYmW6gAAAUU"], referer: http://myhostname.com//plus/result.php
    [Wed Sep 19 08:18:32.311853 2018] [:error] [pid 82207:tid 139900120700672] [client 36.25.122.153:65506] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "$_POST" at ARGS:x. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "78"] [id "933130"] [rev "2"] [msg "PHP Injection Attack: Variables Found"] [data "Matched Data: $_POST found within ARGS:x: @                                                 eval                                                             (base64_decode($_post[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/plus/read.php"] [unique_id "W6F5uEJJb3kx@bPoiiQAwQAAAIo"], referer: http://myhostname.com//plus/read.php
    [Wed Sep 19 08:18:32.312034 2018] [:error] [pid 82207:tid 139900120700672] [client 36.25.122.153:65506] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "base64_decode" at ARGS:x. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "145"] [id "933150"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: base64_decode found within ARGS:x: @                                                 eval                                                             (base64_decode($_post[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/plus/read.php"] [unique_id "W6F5uEJJb3kx@bPoiiQAwQAAAIo"], referer: http://myhostname.com//plus/read.php
    [Wed Sep 19 08:18:32.312203 2018] [:error] [pid 82207:tid 139900120700672] [client 36.25.122.153:65506] [client 36.25.122.153] ModSecurity: Warning. Pattern match "(?i)\\\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create| ..." at ARGS:x. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "174"] [id "933160"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: eval                                                             (base64_decode($_POST[z0])) found within ARGS:x: @                                                 eval                                                             (base64_decode($_POST[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/plus/read.php"] [unique_id "W6F5uEJJb3kx@bPoiiQAwQAAAIo"], referer: http://myhostname.com//plus/read.php
    [Wed Sep 19 08:18:46.076698 2018] [:error] [pid 82290:tid 139900171056896] [client 36.25.122.153:54550] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "$_POST" at ARGS:x. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "78"] [id "933130"] [rev "2"] [msg "PHP Injection Attack: Variables Found"] [data "Matched Data: $_POST found within ARGS:x: @                                                 eval                                                             (base64_decode($_post[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/data/cache/flye.php"] [unique_id "W6F5xZGXQyhdsT4AlaFcEQAAAMQ"], referer: http://myhostname.com//data/cache/flye.php
    [Wed Sep 19 08:18:46.076819 2018] [:error] [pid 82290:tid 139900171056896] [client 36.25.122.153:54550] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "base64_decode" at ARGS:x. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "145"] [id "933150"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: base64_decode found within ARGS:x: @                                                 eval                                                             (base64_decode($_post[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/data/cache/flye.php"] [unique_id "W6F5xZGXQyhdsT4AlaFcEQAAAMQ"], referer: http://myhostname.com//data/cache/flye.php
    [Wed Sep 19 08:18:46.077112 2018] [:error] [pid 82290:tid 139900171056896] [client 36.25.122.153:54550] [client 36.25.122.153] ModSecurity: Warning. Pattern match "(?i)\\\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create| ..." at ARGS:x. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "174"] [id "933160"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: eval                                                             (base64_decode($_POST[z0])) found within ARGS:x: @                                                 eval                                                             (base64_decode($_POST[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/data/cache/flye.php"] [unique_id "W6F5xZGXQyhdsT4AlaFcEQAAAMQ"], referer: http://myhostname.com//data/cache/flye.php
    [Wed Sep 19 08:19:05.282229 2018] [:error] [pid 82351:tid 139900061951744] [client 36.25.122.153:61227] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "$_POST" at ARGS:fuck. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "78"] [id "933130"] [rev "2"] [msg "PHP Injection Attack: Variables Found"] [data "Matched Data: $_POST found within ARGS:fuck: @                                                 eval                                                             (base64_decode($_post[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/fuck.php"] [unique_id "W6F52cEiUp2rnlmdNYmW9gAAAVE"], referer: http://myhostname.com//fuck.php
    [Wed Sep 19 08:19:05.282423 2018] [:error] [pid 82351:tid 139900061951744] [client 36.25.122.153:61227] [client 36.25.122.153] ModSecurity: Warning. Matched phrase "base64_decode" at ARGS:fuck. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "145"] [id "933150"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [data "Matched Data: base64_decode found within ARGS:fuck: @                                                 eval                                                             (base64_decode($_post[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "myhostname.com"] [uri "/fuck.php"] [unique_id "W6F52cEiUp2rnlmdNYmW9gAAAVE"], referer: http://myhostname.com//fuck.php
    [Wed Sep 19 08:19:05.282608 2018] [:error] [pid 82351:tid 139900061951744] [client 36.25.122.153:61227] [client 36.25.122.153] ModSecurity: Warning. Pattern match "(?i)\\\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create| ..." at ARGS:fuck. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "174"] [id "933160"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: eval                                                             (base64_decode($_POST[z0])) found within ARGS:fuck: @                                                 eval                                                             (base64_decode($_POST[z0]));"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A [hostname "myhostname.com"] [uri "/fuck.php"] [unique_id "W6F52cEiUp2rnlmdNYmW9gAAAVE"], referer: http://myhostname.com//fuck.php
    [Wed Sep 19 08:19:23.570461 2018] [:error] [pid 82351:tid 139900019988224] [client 36.25.122.153:65218] [client 36.25.122.153] ModSecurity: Warning. Pattern match "(?i)\\\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create| ..." at ARGS:a. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "174"] [id "933160"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: chr(&H\\x22\\x22\\x22\\x22&c&\\x22\\x22\\x22\\x22)\\x22\\x22\\x22\\x22):Else:Execute(\\x22\\x22\\x22\\x22bd=bd&chr(&H\\x22\\x22\\x22\\x22&c&Mid(s,i+2,2)&\\x22\\x22\\x22\\x22)\\x22\\x22\\x22\\x22):i=i+2:End If\\x22\\x22&chr(10)&\\x22\\x22Next:End Function:Response.Write(\\x22\\x22\\x22\\x22->|\\x22\\x22\\x22\\x22):                    Execute                              (\\x22\\x22\\x22\\x22On Error Resume Next:\\x22\\x22\\x22\\x22&bd(\\x22\\x22\\x22\\x22526573706F6E73652E5772697465282268616F72656E67652E636F6D51513331373237353733382229\\x22\\x2..."] [se [hostname "myhostname.com"] [uri "/inc/config.asp"] [unique_id "W6F56MEiUp2rnlmdNYmW@AAAAVY"], referer: http://myhostname.com//inc/config.asp

    Last edit: Brad 2018-09-19
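    The lines in the post show the thing that usually causes this confusion with OWASP CRS 3: in anomaly-scoring mode every matching rule (933130, 933150, 933160 above) only logs "ModSecurity: Warning." and adds to TX:anomaly_score; the request is denied, if at all, by the separate blocking rule (id 949110), which logs its own "ModSecurity: Access denied with code 403 ..." line with the same unique_id. So the per-rule "Warning" lines alone say nothing about whether the request got through; what matters is whether a deny line for that unique_id follows. The Python triage script below is an added example, not code from the thread or from cPanel/ModSecurity: it groups error_log lines by unique_id, sums the CRS 3.0 default severity weights (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2, inbound threshold 5, as set in crs-setup.conf; these are assumed defaults), and reports whether each transaction was actually denied. The sample log lines are constructed, modelled on the post, with made-up IPs, hostnames and unique_ids.

```python
"""Triage ModSecurity error_log lines: was a request actually blocked?

Added example, not code from the original thread. It models OWASP CRS 3.x
anomaly-scoring mode: each matching rule only logs "ModSecurity: Warning."
and raises TX:anomaly_score; the request is denied only by the separate
blocking rule (id 949110), which logs "ModSecurity: Access denied ...".
"""
import re
from collections import defaultdict

# CRS 3.0 default severity weights and inbound threshold (crs-setup.conf,
# tx.critical_anomaly_score etc.). Assumed defaults; adjust to your config.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5

# Bracketed fields look like [id "933130"]; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the interesting fields of one ModSecurity error_log line, or None."""
    if "ModSecurity: Access denied" in line:
        verdict = "denied"
    elif "ModSecurity: Warning" in line:
        verdict = "warning"
    else:
        return None  # not a ModSecurity event (e.g. a plain Apache notice)
    fields = dict(FIELD_RE.findall(line))  # repeated keys such as "tag" collapse
    return {
        "verdict": verdict,
        "id": fields.get("id"),
        "severity": fields.get("severity"),
        "msg": fields.get("msg"),
        "uri": fields.get("uri"),
        "unique_id": fields.get("unique_id"),
    }


def summarize(lines):
    """Group events per transaction (unique_id) and work out the outcome."""
    tx = defaultdict(lambda: {"uri": None, "rules": [], "score": 0, "denied": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = tx[rec["unique_id"]]
        t["uri"] = rec["uri"]
        if rec["verdict"] == "denied":
            # 949110 in anomaly mode, or the matching rule itself in traditional mode
            t["denied"] = True
        else:
            t["rules"].append(rec["id"])
            t["score"] += SEVERITY_SCORE.get(rec["severity"], 0)
    for t in tx.values():
        t["over_threshold"] = t["score"] >= INBOUND_THRESHOLD
    return dict(tx)


def verdict(t):
    """Human-readable outcome for one transaction summary."""
    if t["denied"]:
        return "BLOCKED"
    if t["over_threshold"]:
        # Enough score to block, yet no deny line: SecRuleEngine is probably
        # DetectionOnly or the blocking rule (949110) is not active.
        return "NOT BLOCKED (score %d >= %d, but no 'Access denied' line)" % (
            t["score"], INBOUND_THRESHOLD)
    return "NOT BLOCKED (score %d below threshold %d)" % (t["score"], INBOUND_THRESHOLD)


# Constructed sample, modelled on the lines in the post; IPs, unique_ids and
# hostnames are made up, and the [file]/[tag]/[data] fields are dropped.
SAMPLE_LOG = [
    # Transaction TXA: three CRITICAL hits, but no deny line -> only logged.
    '[Wed Sep 19 08:18:05.298993 2018] [:error] [pid 82247:tid 1] [client 192.0.2.10:57249] ModSecurity: Warning. Matched phrase "$_POST" at ARGS:0. [id "933130"] [msg "PHP Injection Attack: Variables Found"] [severity "CRITICAL"] [hostname "example.com"] [uri "/data/cache/asd.php"] [unique_id "TXA"]',
    '[Wed Sep 19 08:18:05.299199 2018] [:error] [pid 82247:tid 1] [client 192.0.2.10:57249] ModSecurity: Warning. Matched phrase "base64_decode" at ARGS:0. [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [severity "CRITICAL"] [hostname "example.com"] [uri "/data/cache/asd.php"] [unique_id "TXA"]',
    '[Wed Sep 19 08:18:05.299995 2018] [:error] [pid 82247:tid 1] [client 192.0.2.10:57249] ModSecurity: Warning. Pattern match "(?i)eval" at ARGS:0. [id "933160"] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [severity "CRITICAL"] [hostname "example.com"] [uri "/data/cache/asd.php"] [unique_id "TXA"]',
    # Transaction TXB: the same hits followed by the CRS blocking rule -> denied.
    '[Wed Sep 19 08:18:18.074416 2018] [:error] [pid 82351:tid 1] [client 192.0.2.10:61405] ModSecurity: Warning. Matched phrase "$_POST" at ARGS:qazw. [id "933130"] [msg "PHP Injection Attack: Variables Found"] [severity "CRITICAL"] [hostname "example.com"] [uri "/plus/result.php"] [unique_id "TXB"]',
    '[Wed Sep 19 08:18:18.074577 2018] [:error] [pid 82351:tid 1] [client 192.0.2.10:61405] ModSecurity: Warning. Matched phrase "base64_decode" at ARGS:qazw. [id "933150"] [msg "PHP Injection Attack: High-Risk PHP Function Name Found"] [severity "CRITICAL"] [hostname "example.com"] [uri "/plus/result.php"] [unique_id "TXB"]',
    '[Wed Sep 19 08:18:18.074814 2018] [:error] [pid 82351:tid 1] [client 192.0.2.10:61405] ModSecurity: Warning. Pattern match "(?i)eval" at ARGS:qazw. [id "933160"] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [severity "CRITICAL"] [hostname "example.com"] [uri "/plus/result.php"] [unique_id "TXB"]',
    '[Wed Sep 19 08:18:18.075000 2018] [:error] [pid 82351:tid 1] [client 192.0.2.10:61405] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/plus/result.php"] [unique_id "TXB"]',
    # A plain Apache line that the parser must ignore.
    '[Wed Sep 19 08:18:20.000000 2018] [core:notice] [pid 1] AH00094: Command line: /usr/sbin/httpd',
]

if __name__ == "__main__":
    for uid, t in summarize(SAMPLE_LOG).items():
        print(uid, t["uri"], t["rules"], "score", t["score"], "->", verdict(t))
```

    Feed it the real file with summarize(open(path_to_your_apache_error_log).readlines()): a transaction that scores well over the threshold yet never gets a deny line is the signature of an engine running in DetectionOnly mode or of a ruleset whose blocking rule is not active, which is why the lines in the post read "Warning" throughout. Switching the ruleset to traditional mode, as the follow-up post did, makes each rule deny on its own, so the deny line carries the individual rule id instead of 949110.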
  • Brad

    Brad - 2018-09-23

    Thanks, Victor, for the reply. I've now changed the behaviour to "traditional" and am seeing the expected results.

    Cheers

