Hi Stefan,
Welcome to the ModSecurity mailing list. It's nice to see familiar faces from
Apache Dev on this list too.
This rings a bell, but I can't find the issue / pull request in question
on the quick. There was a rule that did not log properly.
Not sure if this made it into 3.0.2 (-> 3.0/master). Could you try the
request in question on 3.1/dev and see if you have the proper alert?
Best,
Christian
On Mon, Jan 29, 2018 at 02:22:58PM +0100, Stefan Priebe - Profihost AG wrote:
> Hello,
>
> I'm running mod_security 2.9.2 with current crs git master
> (v3.0/master). I've some requests where no matching rule is logged to
> the audit log except Operator GE matched 5 at TX:anomaly_score ... and
> Operator GE matched 5 at TX:inbound_anomaly_score. Any ideas how to find
> out why the anomaly score is > 0?
>
> Full log:
> --2add8d70-A--
> [29/Jan/2018:13:53:21 +0100] Wm8ZQY0z4w0DYRA6xm2k3QAAAA8 1.2.3.4 41438
> 1.2.3.5 443
> --2add8d70-B--
> GET
> /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.de%2Fwp-admin%2F&reauth=1
> HTTP/2.0
> Pragma: no-cache
> Cache-Control: no-cache
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
> like Gecko) Ubuntu Chromium/63.0.3239.132 Chrome/63.0.3239.132 Safari/537.36
> Upgrade-Insecure-Requests: 1
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
> Accept-Encoding: gzip, deflate, br
> Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
> Cookie: PHPSESSID=u4o0fs52l0j3bot1m8j4pjgsd3
> Host: www.mydomain.de
>
> --2add8d70-F--
> HTTP/1.1 409 Conflict
> Content-Length: 505
> Content-Type: text/html; charset=iso-8859-1
>
> --2add8d70-E--
>
> --2add8d70-H--
> Message: Access denied with code 409 (phase 2). Operator GE matched 5 at
> TX:anomaly_score. [file
> "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
> [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total
> Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
> [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"]
> [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total
> Inbound Score: 10 -
> SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "] [tag
> "event-correlation"]
> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client
> 1.2.3.4] ModSecurity: Access denied with code 409 (phase 2). Operator GE
> matched 5 at TX:anomaly_score. [file
> "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
> [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total
> Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag
> "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
> [hostname "www.mydomain.de"] [uri "/wp-login.php"] [unique_id
> "Wm8ZQY0z4w0DYRA6xm2k3QAAAA8"]
> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client
> 1.2.3.4] ModSecurity: Warning. Operator GE matched 5 at
> TX:inbound_anomaly_score. [file
> "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line
> "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
> Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "]
> [tag "event-correlation"] [hostname "www.mydomain.de"] [uri
> "/wp-login.php"] [unique_id "Wm8ZQY0z4w0DYRA6xm2k3QAAAA8"]
> Action: Intercepted (phase 2)
> Apache-Handler: php-fastcgi5.6
> Stopwatch: 1517230401011338 4605 (- - -)
> Stopwatch2: 1517230401011338 4605; combined=3476, p1=296, p2=3080, p3=0,
> p4=0, p5=100, sr=57, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/);
> OWASP_CRS/3.0.2.
> Server: Apache
> Engine-Mode: "ENABLED"
>
> --2add8d70-Z--
>
>
> Greets,
> Stefan
>
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
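The symptom Stefan describes (949110 and 980130 fire, all per-category counters are 0, and no other rule logged a Message) can be checked mechanically from the audit log's H section. The following Python is an added example for this thread, not code from the list, from Christian or from the CRS project. It parses the `Message:` lines of a part H, separates the rules that merely evaluate the score from those that raised it, and flags the case where the total score is non-zero but no scoring rule produced a Message, which is what happens when a scoring rule carries `nolog`. The sample part H is constructed from the log quoted above, and `EVALUATION_RULE_IDS` lists only the two ids visible in the thread; extend it for your CRS version.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a ModSecurity 2.x audit-log part H retyped from the
# thread's log (rule ids, files and scores are the ones quoted there).
SAMPLE_PART_H = """--2add8d70-H--
Message: Access denied with code 409 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): "] [tag "event-correlation"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--2add8d70-Z--
"""

# Rule ids that only evaluate or report the anomaly score and never raise it.
# Assumption: only the two ids visible in the thread are listed here.
EVALUATION_RULE_IDS = {"949110", "980130"}

FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
TOTAL_RE = re.compile(r"Total (?:Inbound )?Score: (?P<total>\d+)")
CATEGORY_RE = re.compile(r"\b(?P<cat>[A-Z]+)=(?P<score>\d+)")


def parse_messages(part_h: str) -> List[Dict[str, str]]:
    """Return one dict per 'Message:' line with its bracketed [key "value"] fields.

    Repeated keys such as [tag ...] are joined with ','; the free text before
    the first bracket (the operator/action summary) is kept under 'text'.
    """
    messages = []
    for line in part_h.splitlines():
        if not line.startswith("Message: "):
            continue
        body = line[len("Message: "):]
        fields: Dict[str, str] = {}
        first = None
        for m in FIELD_RE.finditer(body):
            if first is None:
                first = m.start()
            key, val = m.group("key"), m.group("val")
            fields[key] = f"{fields[key]},{val}" if key in fields else val
        fields["text"] = body[:first].strip() if first is not None else body.strip()
        messages.append(fields)
    return messages


def diagnose(part_h: str) -> Dict[str, object]:
    """Explain an anomaly-score block from the rules that actually logged.

    Reports the total score the blocking rule saw, the per-category counters
    from the correlation rule, the ids of rules that contributed, and whether
    the score is 'unexplained' (raised by a rule that produced no Message,
    e.g. one carrying nolog).
    """
    messages = parse_messages(part_h)
    total: Optional[int] = None
    categories: Dict[str, int] = {}
    contributing: List[str] = []
    for msg in messages:
        rule_id = msg.get("id", "")
        text = msg.get("msg", "")
        if rule_id in EVALUATION_RULE_IDS:
            t = TOTAL_RE.search(text)
            if t and total is None:
                total = int(t.group("total"))
            for c in CATEGORY_RE.finditer(text):
                categories[c.group("cat")] = int(c.group("score"))
        elif rule_id:
            contributing.append(rule_id)
    return {
        "total_score": total,
        "category_scores": categories,
        "category_sum": sum(categories.values()),
        "contributing_rules": contributing,
        # Score was raised, yet no scoring rule left a Message for this request.
        "unexplained": bool(total) and not contributing,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_PART_H).items():
        print(f"{key}: {value}")
```

On the quoted log this reports a total of 10, a category sum of 0, an empty contributor list and `unexplained: True`, i.e. some rule incremented `tx.anomaly_score` without writing a Message or a category counter. To find it on a test instance, raise `SecDebugLogLevel` to 9 and follow the `setvar` operations on `anomaly_score` in the debug log for the same `unique_id`.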