atomic rules

These forums are not for questions about ModSecurity, just the cmc script itself
Post Reply
dev2
Junior Member
Posts: 9
Joined: 21 Nov 2018, 16:51

atomic rules

Post by dev2 »

Hello,

I have been running these delayed atomic rule sets for some time. I have found out that atomic rule sets are working if I review Mod_security tools. I see Critical messages. I am aware that CSF does not block warnings. In my case Critical notices are not blocking IPs in the CSF firewall. I have checked the rule (331032) severity is set to 5.

I'm at a loss here and wondering if anyone else is having problems blocking IP addresses in CSF triggered by atomic rules? Or anyone can guide me. I pretty much want to block all IPs that are seen in mod_sec tools (cPanel).

Thanks for any help. Also, how can I get help from configserver to login and see what is going on, since I cannot figure it out?
Jerry
Sergio
Junior Member
Posts: 1603
Joined: 12 Dec 2006, 14:56

Re: atomic rules

Post by Sergio »

Take a look at this post:
viewtopic.php?t=12529

In there I shared one of my CSF rules that blocks IPs accordingly to the Mod_Security rule that was triggered.

Take a look and tell if that works for you.

Sergio
dev2
Junior Member
Posts: 9
Joined: 21 Nov 2018, 16:51

Re: atomic rules

Post by dev2 »

Hi Sergio,

I have a few weird things going on, that appear un-predictable.

I think the first thing I need to figure out is how to write a regex rule that blocks mod_sec "Warnings" as noted in cPanel mod_sec tools. I read that you have a regex for this and I need to pay for it (I am useless at regex code). I am happy to do so and perhaps we could hire you to check our setup. It looks as if private messaging is disabled here, so can you reach out to me?

The other rule you posted a link to is failing during upload.

CXS uploads are being blocked by mod_sec. They keep trying due to IP not being blocked, even though I have it set correctly. Should mod_sec not block the offending IP first time of a malware upload?

Please ping me so we can setup your services if possible?

Jerry
dev2
Junior Member
Posts: 9
Joined: 21 Nov 2018, 16:51

Re: atomic rules

Post by dev2 »

I am not sure if I have done the right thing. I figured the rule you mentioned above is a CSF Regex and not a mod_security rule. I have added it to the CSF Custom Regex area like this:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(930130|949110)"\]/i)) {
return ("mod_security attack id $2",$1,"Secmas_ModSec","1","1");
}

The intent is to have mod_sec block IPs that attack using these rules: 930130|949110

I see the attacker getting stopped, but their IPs are still not getting blocked.

LF_MODSEC = "3"
LF_MODSEC_PERM = "1"


This is not working for us either:
LF_CXS = "1"
LF_CXS_PERM = "1"

Centos7/ cPanel/ Modsec2/ CSF/ CXS
Sergio
Junior Member
Posts: 1603
Joined: 12 Dec 2006, 14:56

Re: atomic rules

Post by Sergio »

Have you set CUSTOM1_LOG inside CSF?

Sergio
dev2
Junior Member
Posts: 9
Joined: 21 Nov 2018, 16:51

Re: atomic rules

Post by dev2 »

Yes- have I done it wrong?
CUSTOM1_LOG = "/usr/local/apache/domlogs/*/*"
dev2
Junior Member
Posts: 9
Joined: 21 Nov 2018, 16:51

Re: atomic rules

Post by dev2 »

HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/etc/apache2/logs/modsec_audit.log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
SUDO_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/exim_mainlog"
SMTPRELAY_LOG = "/var/log/exim_mainlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
CPANEL_LOG = "/usr/local/cpanel/logs/login_log"
CPANEL_ACCESSLOG = "/usr/local/cpanel/logs/access_log"
SCRIPT_LOG = "/var/log/exim_mainlog"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
WEBMIN_LOG = "/var/log/secure"

CUSTOM1_LOG = "/usr/local/apache/domlogs/*/*"
CUSTOM2_LOG = "/var/log/exim_rejectlog"
CUSTOM3_LOG = "/usr/local/cpanel/logs/access_log"
CUSTOM4_LOG = "/etc/apache2/logs/error_log"
CUSTOM5_LOG = "/usr/local/apache/logs/modsec_audit.log"
CUSTOM6_LOG = "/var/log/customlog"
CUSTOM7_LOG = "/var/log/customlog"
CUSTOM8_LOG = "/var/log/customlog"
CUSTOM9_LOG = "/var/log/customlog"
Sergio
Junior Member
Posts: 1603
Joined: 12 Dec 2006, 14:56

Re: atomic rules

Post by Sergio »

I will need at least one log line from that file to test the REGEX rule.
dev2
Junior Member
Posts: 9
Joined: 21 Nov 2018, 16:51

Re: atomic rules

Post by dev2 »

Hi Sergio, a very big thank you for helping me out. Now it makes sense!
AND for introducing me to https://regex101.com/ Off I go to start learning more about regex.
Sergio
Junior Member
Posts: 1603
Joined: 12 Dec 2006, 14:56

Re: atomic rules

Post by Sergio »

You are welcome.

I really like CSF FireWall.
Post Reply