ModSecurity Auto Updater

Secmas

Well-Known Member
Feb 18, 2005
378
20
168
Sorry, didn't work. I did rem that line out and restarted apache, and cleared out the /var/asl/data/audit directory again. A few seconds later, I saw this:

drwxrwx--- 3 nobody nobody 4096 Dec 29 11:49 ./
drwxr-xr-x 5 root root 4096 Mar 1 2011 ../
drwxr-x--- 3 nobody nobody 4096 Dec 29 11:49 20111229/
[email protected] [/var/asl/data/audit]#

inside the 20111229/ folder is another folder: 20111229-1149/
Inside that folder is: 20111229-114933-TvyoLdC0HLYAAAgyxeUAAAAa

This file is a log file that looks like this:

--6e10773e-B--
HEAD /v1site_images/splash3.jpg?var=0.21215300%201294395324 HTTP/1.1
Host: domainname.tld
Connection: close
User-Agent: Baiduspider-image+(+???????????Baiduspider)
Accept: */*

--6e10773e-F--
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html; charset=iso-8859-1

--6e10773e-H--
Message: Access denied with code 403 (phase 2). Match of "rx (/tags/|/shop/images/exclusive/)" against "REQUEST_URI" required. [file "/usr/local/apache/conf/modsec_rules/modsec/50_asl_rootkits.conf"] [line "89"] [id "390147"] [rev "10"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Malware attack: Known malware or remote shell"] [data "sh3.jpg?"] [severity "CRITICAL"]
Apache-Error: [file "core.c"] [line 3706] [level 3] File does not exist: /home/xxxxxxx/public_html/403.shtml
Action: Intercepted (phase 2)
Stopwatch: 1325180973376755 19915 (- - -)
Stopwatch2: 1325180973376755 19915; combined=1186, p1=123, p2=1045, p3=0, p4=0, p5=17, sr=43, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.0 (ModSecurity: Open Source Web Application Firewall).
Server: Apache

--6e10773e-Z--


So basically every block by mod security is getting logged in here and that will very quickly fill up the directories..
Please check on your MODSEC2.CONF file, if you have the following command line:
SecAuditLog logs/modsec_audit.log

The info that you are showing has to be saved on /usr/local/apache/logs/modsec_audit.log in order for CSF to work, then CSF will flush that log file every hour. If your server is saving that info in the /var/asl directory then you have to check what command line is doing this.

Sergio
 

gkgcpanel

Well-Known Member
Jun 6, 2007
214
1
166
cPanel Access Level
DataCenter Provider
Please check on your MODSEC2.CONF file, if you have the following command line:
SecAuditLog logs/modsec_audit.log

The info that you are showing has to be saved on /usr/local/apache/logs/modsec_audit.log in order for CSF to work, then CSF will flush that log file every hour. If your server is saving that info in the /var/asl directory then you have to check what command line is doing this.

Sergio
Already taken care of. The problem was this line:

SecAuditLogType Concurrent

Removing it stopped those messages in /var/asl/data/audit.

They are still logging in /usr/local/apache/logs/modsec_audit.log

Thanks for the help.
 

Secmas

Well-Known Member
Feb 18, 2005
378
20
168
Already taken care of. The problem was this line:

SecAuditLogType Concurrent

Removing it stopped those messages in /var/asl/data/audit.

They are still logging in /usr/local/apache/logs/modsec_audit.log

Thanks for the help.
That is the other command line that I was ready to tell you, nice you fix it.

Happy New Year !!!

Sergio
 

mikegotroot

Well-Known Member
Verifed Vendor
Apr 29, 2008
85
1
58
Thank you for fixing the file, next time I will do what you say.
I wish I could say we fixed something, but we didn't. I fear you may have cached something on your end if the file looks differently to you now. Otherwise, nothings changed on our end. Regardless, if you have an issue, please contact support, they would be happy to help you.
 

Secmas

Well-Known Member
Feb 18, 2005
378
20
168
As some of you have been asking,
there has no been any changes on the Auto Updater, it has been working very stable.

I have redesigned the page a little bit just not to look the same.

Regards,

Sergio
 

Secmas

Well-Known Member
Feb 18, 2005
378
20
168
UPDATE
Today a new set of rules has been issued on the payed rules that doesn't work with CPanel if ASL is not installed.

If after you do the update you see 404 errors on php pages it is because of the following rule:
70_asl_csrf_experimental.conf
my autoupdater has been modified and now it is ver. 1.08

Sergio
 
Last edited:

Secmas

Well-Known Member
Feb 18, 2005
378
20
168
UPDATE
Rule 340152, from the new set of rules 15_asl_paranoid_rules.conf seems to block any access to php admin pages. Users of CMC can disable 340152 globally, I will be monitoring the new paranoid rule to see if this is only for users of ASL and disable it from my autoupdater in case it gives more errors.

Sergio
 

Secmas

Well-Known Member
Feb 18, 2005
378
20
168
Thanks for the heads up, it doesnt look like asl-lite installs this file.
Thanks d'argo, that is good to know.
Then the warning will be for users of the free set of rules and for the ones that are not using ASL-Lite.

It will be great to know if the new ASL-Lite doesn't includes the new rule "15-paranoid".

Sergio
 

Secmas

Well-Known Member
Feb 18, 2005
378
20
168
UPDATE
Confirmed, rule 15_asl_paranoid_rules.conf is causing a lot of issues, a new version of the AutoUpdater (1.09) has been released.

Sergio
 
Last edited:

Secmas

Well-Known Member
Feb 18, 2005
378
20
168
Good News:
CPanel has released Mod_Security Ver. 2.6.7

Install it using EasyApache.
 

Secmas

Well-Known Member
Feb 18, 2005
378
20
168
Thanks for the update. Any significant changes when updating to this version that we should be aware of?
May be this can answer your question:

From Ryan Barnett on ModSec list:

Question for the lists – if you are not running the latest version of ModSecurity (v.2.6.7), what are the reasons why you have not upgraded?

I ask this question because we are constantly adding new features to ModSecurity that can then be leveraged with the OWASP ModSecurity CRS. For example, we have added some new actions:

ver – which will hold the rule package data. Example - "id:'959901',ver:'OWASP_CRS/2.2.5',…"
maturity – which will give the user a better idea of how well tested the rule is. Example - "id:'959901',ver:'OWASP_CRS/2.2.5',maturity:'9'…"
accuracy – which will give the user a better idea of the potential false positive/false negative rates. Example - "id:'959901',ver:'OWASP_CRS/2.2.5',maturity:'9',accuracy:'9'…"

These new features are valuable and I am looking to add them to the OWASP CRS however there is no good way to make this backward compatible. If you are using an older version of ModSecurity then it will fail on an Apache restart as it won't recognize these new actions.

So, I am looking to better understand why users are not always upgrading the latest versions. One issue might be that many users simply use the OS repos to install ModSecurity rather than compiling from source. If this is the case, then perhaps we can work better with these repo owners to get the latest/greatest versions out in the repos sooner.

Thanks.
 

d'argo

Active Member
Jul 4, 2012
36
0
6
cPanel Access Level
Root Administrator
It will be great to know if the new ASL-Lite doesn't includes the new rule "15-paranoid".
im running latest and its not included. i asked scott about it, and he said its a special file for DIY types. heres a link from the atomic webpage and a quote.

"These are a special version of the 10_asl_rules.conf file. These rules do not contain any known safe mode application tuning exceptions or bypasses. These rules will generate false positives. These rules are made available for users that wish to tune their own rules, and do not wish to use a ruleset that has been tuned for false positives."

so unless you want to tune your own rules, looks like you dont need these.
 

dmacleo

Active Member
Jan 28, 2012
44
0
56
cPanel Access Level
Root Administrator
been studying on how to best implement and keep stuff updated and ran across this.
looking like it will help me a lot.
thank you very much.
 

activa

Well-Known Member
May 23, 2006
213
1
168
Morocco
cPanel Access Level
Root Administrator
why not to make it more automated with downloading the latest rules directly

Code:
http://updates.atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz
and ignore the date based url .