The Community Forums


ModSecurity OWASP 960009 catching PayPal IPN

Discussion in 'Security' started by angelleye, Jun 9, 2015.

  1. angelleye

    angelleye Active Member

    Joined:
    Nov 25, 2011
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Kansas City, MO
    cPanel Access Level:
    Root Administrator
    I just enabled the OWASP rules on my server and ran a test PayPal IPN from their simulator. The data was able to hit my script and run just fine, but it seemed kind of slow, and when I look at the ModSecurity Tools log I do see that it triggered a notice.

    NOTICE 200 960009: Request Missing a User Agent Header
    Request: POST /?AngellEYE_Paypal_Ipn_For_Wordpress&action=ipn_handler
    Action Description: Warning.
    Justification: Operator EQ matched 0 at REQUEST_HEADERS.

    How can I customize this rule to allow this without triggering a notice?

    I guess I would have the same question for any general customization I want to make. I can't seem to find a good tutorial or anything on reading the log to figure out exactly what was triggered, and then how to adjust the rule or the OWASP config files to allow what I want?

    Any information on this would be greatly appreciated. Thanks!
     
  2. angelleye

    Here's another example I could use some help with. Running WordPress, any time I try to use the Empty Spam button from within comment spam it gets caught by OWASP thinking it's a SQL Injection attempt and redirects me to the home page. I've been deleting my spam through my database directly instead, but it would sure be nice to figure out how to adjust this rule so that stops happening.

    This is the request that it grabbed.
    Code:
    GET /wp-admin/edit-comments.php?s=&comment_status=spam&pagegen_timestamp=2015-06-09+16%3A20%3A27&_total=100&_per_page=20&_page=1&_ajax_fetch_list_nonce=a5debd75aa&_wp_http_referer=%2Fwp-admin%2Fedit-comments.php%3Fcomment_status%3Dspam&_wpnonce=c4352c54a3&_wp_http_referer=%2Fwp-admin%2Fedit-comments.php%3Fcomment_status%3Dspam&action=-1&comment_type=&_destroy_nonce=35e83c0444&_wp_http_referer=%2Fwp-admin%2Fedit-comments.php%3Fcomment_status%3Dspam&delete_all=Empty+Spam&paged=1&action2=-1&_destroy_nonce=35e83c0444&_wp_http_referer=%2Fwp-admin%2Fedit-comments.php%3Fcomment_status%3Dspam
    
    And the justification shows a regular expression pattern match...
    Code:
    Pattern match "(?i:([\\s'\"`\\(\\)]*?)([\\d\\w]++)([\\s'\"`\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\\(\\)]*?)\\2|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\\(\\)]*?)(?!\\2)([\\d\\w]+)))" at ARGS:_wp_http_referer.
    
    I guess it's because the first parameter on the querystring is just an s?
     
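Editor's note with an added example (not from the original posts, cPanel, or the OWASP CRS): the two hits above are both cases where a whole rule would otherwise get switched off for the entire server, when what is actually wanted is a narrow exception. ModSecurity 2.7+ can express that as a rule of your own that runs first (phase 1) and, for a matching request only, removes one rule ID or one argument from the later CRS rules via the ctl action. The rule IDs 10001 and 10002 below are placeholders in the local-use range and must not collide with IDs already on the server; the tag name WEB_ATTACK/SQL_INJECTION assumes the CRS 2.2.x tagging of its SQL-injection rules; and the file these go in is assumed to be cPanel's custom rules file (modsec2.user.conf), which is also what WHM's "ModSecurity Tools" Rules List writes to.

```apache
# Added example (not the original poster's or cPanel's configuration).
# Rule IDs 10001/10002 are placeholders; pick free IDs in the local range 1-99,999.

# The blunt approach, for comparison: disables CRS 960009 ("Request Missing a
# User Agent Header") for every request on the server.
#   SecRuleRemoveById 960009

# 1. PayPal IPN exception for post #1.
#    The IPN simulator POSTs with no User-Agent, so 960009 fires. Drop that one
#    rule only for POSTs to the IPN handler URL. The ctl action sits on the
#    last rule of the chain so it only runs when the whole chain matched.
SecRule REQUEST_METHOD "@streq POST" \
    "id:10001,phase:1,t:none,nolog,pass,chain"
    SecRule REQUEST_URI "@beginsWith /?AngellEYE_Paypal_Ipn_For_Wordpress" \
        "t:none,ctl:ruleRemoveById=960009"

# 2. WordPress "Empty Spam" exception for post #2.
#    The SQLi rule matched ARGS:_wp_http_referer on edit-comments.php. Rather
#    than disabling the rule, stop the SQL-injection rules (assumed tag
#    WEB_ATTACK/SQL_INJECTION; ruleRemoveTargetByTag takes a regex, so it also
#    matches the OWASP_CRS/WEB_ATTACK/SQL_INJECTION form) from inspecting that
#    single argument, and only on that admin page. Every other argument on the
#    request, and every other page, is still inspected.
SecRule REQUEST_FILENAME "@streq /wp-admin/edit-comments.php" \
    "id:10002,phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=WEB_ATTACK/SQL_INJECTION;ARGS:_wp_http_referer"
```

If the ModSecurity Tools log shows the ID of the SQLi rule that fired, ctl:ruleRemoveTargetById with that ID and the same ARGS target is the tighter choice. After adding the rules, check the Apache configuration and restart the web server (on cPanel, /scripts/restartsrv_httpd), then re-run the IPN simulator and the Empty Spam button and confirm no new hits appear in ModSecurity Tools. Note what the first exception does not do: it does not authenticate PayPal, so the IPN handler must still verify each message by posting it back to PayPal as the IPN protocol requires.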
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Click the Rule ID on right side of page. The next page that opens has an option to disable.

    Please be sure to take the extra moment to report this as well. On the Tools page right of the Rule ID is an arrow to expand that block to find the "Report this Hit" button.
     
  4. angelleye

    When I click on the Rule ID it opens up a details page where it shows me the rule, and I do see a check box in there that's checked for "Enable Rule". Is this what you're talking about? If I uncheck that box here, does it disable the entire rule the same as if I turned it off from the ModSecurity Vendors list, or would this only disable blocking traffic that matches the one particular log entry I clicked on?
     
  5. Infopro

  6. angelleye

    That helped, thanks. I hadn't come across that specific guide.

    So do I understand correctly that each of the 21 "Sets Included" under ModSecurity Vendors consists of a number of individual rules (Rule IDs)? So then disabling an individual rule through the Rule ID details would only disable that one rule, but leave everything else associated with that set enabled?
     
  7. Infopro

    Correct. You should also know that you might be doing quite a bit of this, tweaking the rules to fit your server.

    GL!
     
  8. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I've had to disable about 6 rules for what I believe to be false positives.
    Documentation on what each rule does is non-existent.
    And I found that any documentation which does exist makes little or no sense.

    I'm now of the mindset that the remaining rules should hopefully be giving me some protection, and some is better than none.
     
  9. angelleye

    I've had my rules all cranked up here so far and I'm seeing lots of hits in the ModSecurity Tools log, but they all look like stuff I'd want blocked.

    What sort of requests were you getting that were triggering rules you had to disable?
     
  10. keat63

    I really don't know, to be honest; it was about 3 months ago.
    I did pick up that GoogleBot was causing at least 2, and even found that Google WebMasterTools was reporting my web sites down.

    I've just looked and I have disabled 960008, 960009, 960015, & 981138, but these might not work for your setup.
     
  11. Infopro

    If you run WHMCS, open the settings page, and then click save.
    If you run WordPress, a XenForo forum or anything similar, open up your settings page and click save.
    Those are only a few examples of where your legit action might get blocked by ModSec.

    If something on your site no longer works, check ModSec Tools to see if this is why.
     