CSF does not ban the IP for all rules: some rules are just blocked by ModSec, other rules ban the IP

leonep

Well-Known Member
Nov 18, 2014
Pescara
cPanel Access Level
Root Administrator
Hi,
I have ModSecurity 2.9 and OWASP Rule v3.3.0 running on my box: CloudLinux / nginx proxy / Apache 2.4 (+mod_remoteip).
Some rules ban IPs in CSF, other rules are just blocked by ModSec with no CSF ban...
I have all triggers correctly in the Apache logs and the correct setup in csf:
MODSEC_LOG=/usr/local/apache/logs/error_log
LF_MODSEC = 5
LF_MODSEC_PERM = 1

Is this normal behavior? Do I need to edit some default value?

Example of a rule banning the IP:
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:949110,\
phase:2,\
deny,\
t:none,\
log,\
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"

Other rule not banning in CSF:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
"id:941310,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-tomcat',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


Thanks

leonep

Hello,
Yes, I have opened a support ticket, but CSF is a free product and there is no support.
I can try posting on the forum but it is not very visited by people...
Do you know if there is a difference between the actions deny and block?
And do you know what the mechanism in csf is to ban? Does csf parse the log file using some regex?
Thanks
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
That is how I'm assuming it happens: CSF reads the log file, pulls the IP and then adds it to their block list. I can't really speak about the inner workings because I just don't know for sure. Even though the product is free, their forums and support have been fairly responsive over the years.
 

quietFinn

Well-Known Member
Feb 4, 2006
Finland
cPanel Access Level
Root Administrator
I think it's not the rules but the error messages you should be looking at.
What is the difference between the error messages those rules trigger?

In the file /usr/local/csf/lib/ConfigServer/RegexMain.pm you can see how csf/lfd is reading MODSEC_LOG.
I am lousy at regex so I don't really understand that code.
 
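To make the point about error messages concrete, here is an added Python sketch (not lfd's code and not anything posted in this thread) of a scanner that counts ModSecurity log lines per client IP the way a CSF-style log parser would. It assumes, as an approximation of RegexMain.pm and not a quote of it, that only lines starting "ModSecurity: Access denied" are counted, which is what a rule with the deny action writes, while a rule with the block action under anomaly scoring only writes a "ModSecurity: Warning." line; the log lines are constructed, not real.

```python
import re
from collections import defaultdict

# Constructed Apache 2.4 error_log lines (not from the thread), trimmed to the
# fields that matter. 192.0.2.10 trips the deny rule 949110 five times;
# 198.51.100.7 only ever produces "Warning" lines from the block rule 941310.
SAMPLE_LOG = "\n".join(
    ['[Tue Mar 01 10:00:0%d 2022] [:error] [pid 10%d] [client 192.0.2.10:5100%d] '
     'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 '
     'at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded '
     '(Total Score: 5)"] [severity "CRITICAL"]' % (i, i, i) for i in range(5)]
    + ['[Tue Mar 01 10:01:0%d 2022] [:error] [pid 20%d] [client 198.51.100.7:5200%d] '
       'ModSecurity: Warning. Pattern match "..." at ARGS:q. [id "941310"] '
       '[msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] '
       '[severity "CRITICAL"]' % (i, i, i) for i in range(7)]
)

# Assumption (an approximation, not lfd's own regex): a counted line carries an
# Apache "[client IP:port]" field followed by "ModSecurity: Access denied".
# "Warning." lines from rules that only raise the anomaly score never match.
DENIED_RE = re.compile(
    r'\[client\s+(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?\]\s+ModSecurity: Access denied'
)
RULE_ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')

LF_MODSEC = 5  # same threshold as the csf.conf values quoted in the thread

def count_denials(log_text):
    """Return {ip: {rule_id: hits}} for the lines the scanner counts."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue  # Warning lines (block-only rules) are skipped here
        rid = RULE_ID_RE.search(line)
        hits[m.group("ip")][rid.group("id") if rid else "?"] += 1
    return hits

def ips_to_ban(log_text, threshold=LF_MODSEC):
    """IPs whose counted denials reached the LF_MODSEC threshold."""
    return sorted(ip for ip, per_rule in count_denials(log_text).items()
                  if sum(per_rule.values()) >= threshold)

if __name__ == "__main__":
    for ip, per_rule in count_denials(SAMPLE_LOG).items():
        print(ip, dict(per_rule))
    print("would ban:", ips_to_ban(SAMPLE_LOG))
```

Running it shows 192.0.2.10 reaching the threshold on rule 949110 alone, while 198.51.100.7 never appears in the counts despite seven CRITICAL hits on 941310, because those lines are warnings rather than denials.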

leonep

Thanks,
the only solution I found is to disable anomaly scoring and activate traditional mode.
I edited crs-setup.conf:
SecDefaultAction "phase:2,deny,status:403,log"

About traditional mode, the documentation says:

Pros:
  • The functionality of this mode is much easier for a new user to understand.
  • Better performance (lower latency/resources) as the first disruptive match will stop further processing.
Cons:
  • Not all rules that could have triggered will be logged, only the first.
  • Not every site has the same risk tolerance.
  • Lower severity alerts may not trigger traditional mode.
  • Single low severity alerts may not be deemed critical enough to block, but multiple lower severity alerts in aggregate could be.

So in the end I don't mind the traditional mode...
However, it bothers me that I was able to make it work with anomaly scoring, which is the suggested method.

Thanks