Any reason why modsec rules not being blocked anymore?


Post by sahostking »

Hi all,

Weird one I noticed today is that none of my mod security rules are being blocked anymore? I have LF_MODSEC set to 3. Is there something else I'm missing?

For eg.

[Mon Sep 29 16:14:09.069556 2014] [:error] [pid 982245:tid 140548245526272] [client 96.47.226.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\\\\sexec\\\\s+xp_cmdshell)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?!\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\w])|(?:from\\\\W+information_schema\\\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\\\s*?\\\\([^\\\\)]*?)|(?:[\\"'`\\xc2\\xb4\\xe2 ..." at ARGS:cat. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "335"] [id "211650"] [msg "COMODO WAF: Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union all select found within ARGS:cat: 4 union all select null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,chr(114)||chr(51)||chr(100)||chr(109)||chr(48)||chr(118)||chr(51)||chr(95)||chr(115)||chr(113)||chr(108)||chr(95)||chr(105)||chr(110)||chr(106)||chr(101)||chr(99)||chr(116)||chr(105)||chr(111)||chr(110),null--"] [severity "CRITICAL"] [hostname "domainname"] [uri "/"] [unique_id "VClpMcXyRKIADvzltNEAAAAG"]
[Mon Sep 29 16:14:11.747844 2014] [:error] [pid 982245:tid 140548140627712] [client 96.47.226.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\\\\sexec\\\\s+xp_cmdshell)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?!\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\w])|(?:from\\\\W+information_schema\\\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\\\s*?\\\\([^\\\\)]*?)|(?:[\\"'`\\xc2\\xb4\\xe2 ..." at ARGS:cat. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "335"] [id "211650"] [msg "COMODO WAF: Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union all select found within ARGS:cat: 4 union all select null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,chr(114)||chr(51)||chr(100)||chr(109)||chr(48)||chr(118)||chr(51)||chr(95)||chr(115)||chr(113)||chr(108)||chr(95)||chr(105)||chr(110)||chr(106)||chr(101)||chr(99)||chr(116)||chr(105)||chr(111)||chr(110)--"] [severity "CRITICAL"] [hostname "domainname"] [uri "/"] [unique_id "VClpM8XyRKIADvzltNIAAAAQ"]
[Mon Sep 29 16:14:13.762123 2014] [:error] [pid 982173:tid 140548088178432] [client 96.47.226.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\\\\sexec\\\\s+xp_cmdshell)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?!\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\w])|(?:from\\\\W+information_schema\\\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\\\s*?\\\\([^\\\\)]*?)|(?:[\\"'`\\xc2\\xb4\\xe2 ..." at ARGS:cat. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "335"] [id "211650"] [msg "COMODO WAF: Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union all select found within ARGS:cat: 4 union all select chr(114)||chr(51)||chr(100)||chr(109)||chr(48)||chr(118)||chr(51)||chr(95)||chr(115)||chr(113)||chr(108)||chr(95)||chr(105)||chr(110)||chr(106)||chr(101)||chr(99)||chr(116)||chr(105)||chr(111)||chr(110),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null--"] [severity "CRITICAL"] [hostname "domainname"] [uri "/"] [unique_id "VClpNcXyRKIADvyd5U0AAAIV"]
[Mon Sep 29 16:14:16.620415 2014] [:error] [pid 982279:tid 140548193076992] [client 96.47.226.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\\\\sexec\\\\s+xp_cmdshell)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?!\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\w])|(?:from\\\\W+information_schema\\\\W)|(?:(?:(?:current_)?user|database|schema|connection_id)\\\\s*?\\\\([^\\\\)]*?)|(?:[\\"'`\\xc2\\xb4\\xe2 ..." at ARGS:cat. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "335"] [id "211650"] [msg "COMODO WAF: Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union all select found within ARGS:cat: 4 union all select null,chr(114)||chr(51)||chr(100)||chr(109)||chr(48)||chr(118)||chr(51)||chr(95)||chr(115)||chr(113)||chr(108)||chr(95)||chr(105)||chr(110)||chr(106)||chr(101)||chr(99)||chr(116)||chr(105)||chr(111)||chr(110),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null--"] [severity "CRITICAL"] [hostname "domainname"] [uri "/"] [unique_id "VClpOMXyRKIADv0HeX8AAAFL"]

Re: Any reason why modsec rules not being blocked anymore?

Post by ForumAdmin »

I just tried those log lines on our test server and it worked just fine:

Sep 29 15:24:45 homer lfd[817301]: debug: mod_security (id:211650) triggered by 96.47.226.20 - 1 failure(s) in the last 3600 secs
Sep 29 15:24:45 homer lfd[817301]: debug: mod_security (id:211650) triggered by 96.47.226.20 - 2 failure(s) in the last 3600 secs
Sep 29 15:24:45 homer lfd[817301]: debug: mod_security (id:211650) triggered by 96.47.226.20 - 3 failure(s) in the last 3600 secs
Sep 29 15:24:45 homer lfd[982514]: (mod_security) mod_security (id:211650) triggered by 96.47.226.20 (A1/Anonymous Proxy/-/-/bolobolo1.torservers.net): 3 in the last 3600 secs - *Blocked in csf* for 666 secs [LF_MODSEC]

Make sure you have MODSEC_LOG pointing to your Apache error_log file and check /var/log/lfd.log for errors.

Re: Any reason why modsec rules not being blocked anymore?

Post by sahostking »

Thanks, you are absolutely right.

Had to change modsec_log = /etc/httpd/logs/error_log

Now it's blocking them nicely.

Yippee :)
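
Added example, not part of the thread and not lfd's own code: a simplified Python model of the per-client counting seen in the lfd debug output above (3 failures in the last 3600 secs). It also reproduces the symptom from this thread, where a log file that contains no ModSecurity denial lines yields zero hits. The regex, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache 2.4 error_log line written when ModSecurity denies a request.
# Assumption: IPv4 client, optionally followed by ":port".
DENY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] .*?\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] '
    r'ModSecurity: Access denied.*?\[id "(?P<id>\d+)"\]')

def parse_denial(line):
    """Return (timestamp, client_ip, rule_id), or None for any other line."""
    m = DENY_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return ts, m["ip"], m["id"]

def scan(lines, threshold=3, window=3600):
    """Return (denials_seen, {ip: time the threshold was first reached})."""
    recent, reached, seen = defaultdict(deque), {}, 0
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        seen += 1
        ts, ip, _rule = rec
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:  # expire old hits
            hits.popleft()
        if len(hits) >= threshold:
            reached.setdefault(ip, ts)
    return seen, reached

def deny_line(ts, client):
    """Build a constructed, abbreviated denial line (pattern/data omitted)."""
    return (f'[Mon Sep 29 {ts} 2014] [:error] [pid 982245:tid 1] [client {client}] '
            'ModSecurity: Access denied with code 403 (phase 2). [id "211650"]')

# Constructed sample: timestamps and first client follow the thread's log lines.
SAMPLE = [deny_line("16:14:09.069556", "96.47.226.20"),
          deny_line("16:14:11.747844", "96.47.226.20"),
          deny_line("16:14:12.000000", "203.0.113.7:51234"),
          deny_line("16:14:13.762123", "96.47.226.20"),
          deny_line("16:14:16.620415", "96.47.226.20")]
# Constructed stand-in for a log file that ModSecurity does not write to.
OTHER_LOG = ['[Mon Sep 29 16:14:09.000000 2014] [core:notice] [pid 1000] no WAF entry']

if __name__ == "__main__":
    print(scan(SAMPLE))     # five denials, one client reaches the threshold
    print(scan(OTHER_LOG))  # zero denials: nothing to count, so nothing is blocked
```

A `denials_seen` of 0 on the file the watcher reads, while Apache is visibly returning 403s, points at the log path rather than at the rules.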