csf does not BAN ip for all rules. some rules just blocked on modsec, other rules ban IP

[leonep]

Hi,
I have ModSecurity 2.9 and OWASP Rule v3.3.0 running on my box Cloudlinux/nginx proxy/Apache 2.4 (+mod_remoteip)
Some rules ban IPs on CSF , other rules just block on moddesc and no CSF ban...
i have all triggers correctly in apache logs and correct setup in csf
MODSEC_LOG=/usr/local/apache/logs/error_log
LF_MODSEC = 5
LF_MODSEC_PERM = 1


is this a normal behavior? i need to edit some default value?

example of RULE BANNING IP:
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:949110,\
phase:2,\
deny,\
t:none,\
log,\
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"

other rule not banning in CSF
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
"id:941310,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-tomcat',\
tag:'attack-xss',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


thanks

 

[cPRex]

Hey there! If ModSecurity is processing the rules properly it sounds more like an issue with CSF. Have you reached out to their team at Technical Support to see if they are aware of these specific rule issues?

 

[leonep]

Hello,
Yes i have open support ticket , but CSF it's free product and there is no support .
i can try post on forum but it is not very visited by people ...
do you know if there is difference between actions deny and block ?
and do you know what is the mechanism in csf to ban ? csf parse the log file using some regex ?
thanks

 

[cPRex]

That is how I'm assuming it happens - CSF reads the log file and pulls the IP and then adds it to their block list. I can't really speak about the inner workings because I just don't for sure. Even though the product is free, their forums and support have been fairly responsive over the years.

 

[leonep]

et voilà

https://forum.configserver.com/viewtopic.php?t=12415

thanks

 

[cPRex]

Hopefully they are able to get you the details on the inner workings there!

 

[quietFinn]

I think it's not the rules but the error messages you should be looking at.
What is the difference between the error messages those rules trigger?

In file /usr/local/csf/lib/ConfigServer/RegexMain.pm you see how csf/lfd is reading MODSEC_LOG.
I am lousy in Regex so I don't really understand that code.

 

[leonep]

thanks,
the only solution i find is to disable anomaly score and activate traditional mode
i edit crs-setup.conf:
SecDefaultAction "phase:2,deny,status:403,log"

about traditional mode documantation says:

Pros

• The functionality of this mode is much easier for a new user to understand.
• Better performance (lower latency/resources) as the first disruptive match will stop further processing.

Cons

• Not all rules that could have triggered will be logged, only th first
• Not every site has the same risk tolerance
• Lower severity alerts may not trigger traditional mode
• Single low severity alerts may not be deemed critical enough to block, but multiple lower severity alerts in aggregate could be

so in the end I don't mind the traditional mode.....
however it bothers me that I was able to make it work with anomaly score which is the suggested method

thanks