Any regex experts here? False positives CPanel mod_security

Post by Sapphyre » Fri Apr 04, 2014 10:47 pm

It's the visitor's innocent User-Agent string causing an issue, seemingly because it contains the word "mail"?:
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; (mail.com/1.0.0.8))"


[Fri Apr 04 12:24:30 2014] [error] [client 142.177.xx.xx] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "146"] [id "1234123446"] [msg "System Command Injection"] [data "; (mail"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "nsh............com"] [uri "/"] [unique_id "Uz7cvkBc0bAAAAdJXmEAAAAL"]

I can't figure out where "mail" is matching in this regex though. Either need to change that bit somehow or exempt the user-agent string.
It's a crested auklet

Re: Any regex experts here? False positives CPanel mod_secur

Post by Arf » Sat Apr 05, 2014 11:22 am

Don't do it. Instead, add the ID and URI to your whitelist rather than modifying mod_security. It appears that you possibly took out information I'd need to help in the [uri "/"]. In place of that I'm just going to use /wp-admin/ in the example:

Modify /usr/local/apache/conf/whitelist.conf by simply adding this (with the correct URI)

<LocationMatch "/wp-admin/">
SecRuleRemoveById 1234123446
</LocationMatch>

* If you didn't modify the URI in your example, then this may be a legit flag because it means that your client or their program is trying to access the root directory of the server.

I've done this dozens of times with favorable results. The worst that has happened is I had a typo and didn't fix the problem until I corrected it.

Re: Any regex experts here? False positives CPanel mod_secur

Post by Sapphyre » Sat Apr 05, 2014 7:24 pm

No, I didn't alter that URI - it results from a normal GET of the homepage of a website.

[04/Apr/2014:12:24:30 -0400] "GET / HTTP/1.0" 501 63398

Anyone having mail.com in their user-agent can trigger this innocently by visiting any page on any site :(
mail.com is a webmail service offered by 1&1. They have integrations for the users with IE, FF, Chrome, Android, iPhone/iPad ...

I might have seen it if I had looked at the full rule in the config file! I finally realized it was truncated there in the log.
This 'kill or mail', which appears twice in the rule,
(?:kil|mai)l
could perhaps be changed to read 'kill' or 'mail-not-followed-by-dot-com'? Ensure it's a DOT, not a wildcard! ;)
It's a crested auklet

Re: Any regex experts here? False positives CPanel mod_secur

Post by Sapphyre » Sun Nov 02, 2014 6:15 pm

I changed it so it no longer catches visitors with mail.com in their user-agent:

"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1,id:1234123396"
SecAction pass,nolog,skipAfter:1234123446,id:1234123395
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
"(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kill|mail\.ru|mail )|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kill|mail\.ru|mail )|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
It's a crested auklet
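An added check, not from the thread itself, that rebuilds only the "[;|`] ... command name" branch of the rule quoted above and runs it against the User-Agent from the first post, once with the shipped (?:kil|mai)l fragment and once with the (?:kill|mail\.ru|mail ) replacement from the last post. It assumes the rule's t:lowercase transform by lowercasing the input before matching; the short header values other than the thread's own User-Agent are constructed for the test.

```python
import re

# User-Agent from the first post; ModSecurity reported [data "; (mail"] for it.
UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; (mail.com/1.0.0.8))"


def shell_branch(kill_or_mail):
    """Compile the ';/|/` followed by a command name' branch of the rule.

    The command list is the one visible in the quoted rule; only the
    kill/mail alternative is parameterised so the two variants can be compared.
    """
    commands = (
        r"c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|"
        + kill_or_mail
        + r"|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id"
    )
    return re.compile(r"[\;\|\`]\W*?\b(?:" + commands + r")\b")


ORIGINAL = shell_branch(r"(?:kil|mai)l")             # fragment as shipped in the rule
MODIFIED = shell_branch(r"(?:kill|mail\.ru|mail )")  # fragment after the edit in the last post


def matches(pattern, header_value):
    """Return the matched text (what ModSecurity would log as [data]) or None.

    The rule applies t:lowercase before matching, so the input is lowercased here.
    """
    m = pattern.search(header_value.lower())
    return m.group(0) if m else None


if __name__ == "__main__":
    # Shows why the original rule fired: ";" then " (" (non-word chars) then "mail" at a word boundary.
    print("original:", matches(ORIGINAL, UA))   # ; (mail
    print("modified:", matches(MODIFIED, UA))   # None
    # Constructed values: the edited fragment still flags "; kill" and "; mail.ru".
    print("modified:", matches(MODIFIED, "curl/7.0; mail.ru"))
```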