OWASP - mod security and wordpress

Status
Not open for further replies.

wrender

Well-Known Member
Sep 29, 2007
69
3
58
I feel your pain of the ModSecurity OWASP false positives. It seems to be that especially with WordPress there are a lot of false positives with different plugins (Probably same reason it always gets hacked). I don't think it is really either a problem with cPanel, or with ModSecurity though.

The OWASP rules for ModSecurity are designed to provide "Generic Attack Detection" so naturally they are going to block out some good web traffic to valid applications too as they are overly secure. In this case they seem to be so secure they create a lot of false positives which is a nightmare for a small business to whitelist.

For us a couple of setups that are working well:

Option 1 - (Commercial rules, with some basic OWASP rules enabled).

1. Buy a subscription to the Trustwave Commercial ModSecurity rules (Or other commercial mod security rule vendor), and run their application specific rules in conjunction with some of the base OWASP rules in anomaly detection mode. For example with these rules loaded in your ModSecurity Vendor Configuration:

modsecurity_crs_10_setup.conf (Set to run in Anomaly Detection Mode by uncommenting that line, and increasing the 255 character limit line to something higher like 512).
rules/REQUEST-01-COMMON-EXCEPTIONS.conf
rules/REQUEST-10-IP-REPUTATION.conf
rules/REQUEST-12-DOS-PROTECTION.conf
rules/REQUEST-13-SCANNER-DETECTION.conf
rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
rules/REQUEST-21-PROTOCOL-ATTACK.conf
rules/REQUEST-49-BLOCKING-EVALUATION.conf
rules/RESPONSE-59-BLOCKING-EVALUATION.conf
rules/RESPONSE-80-CORRELATION.conf

2. And enable these commercial rules in the bottom of your /usr/local/apache/conf/modsec2.user.conf file:

Code:
# Include Trustwave Commercial Modsecurity Rules
Include conf/slr_vuln_rules/modsecurity_slr_10_ip_reputation.conf
Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
Include conf/slr_vuln_rules/modsecurity_slr_50_malware_detection.conf
Include conf/slr_vuln_rules/owasp_crs_integration/application_specific/*.conf
Include conf/slr_vuln_rules/botnet_attacks/*.conf
Include conf/slr_vuln_rules/dos_attacks/*.conf
Include conf/slr_vuln_rules/webshell_backdoors/*.conf
* I think this method will always be a better way, because you are basically paying for a commercial rule set that will always have better protection with almost no false positives. (you get what you pay for!)

Option 2 - (Only OWASP Rules Loaded)

1. Enable all of the OWASP rule sets in your ModSecurity Vendors.
2. Create a whitelist repository, and start whitelisting any false positives for each application. (I would strongly recommend setting up an AuditConsole server, as it will really help with this).

I’ve started an OWASP whitelist repository here: /https://github.com/wrender/modsecurity-whitelist-apps If anyone is able to help contribute I think it would be very helpful to anyone running ModSecurity with all of the OWASP rules enabled.

** This is the very labor intensive way, because there are a lot of different false positives depending on which web applications you are running.
 
Last edited:

Infopro

Well-Known Member
May 20, 2003
17,076
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
What good does yet another github project for modsec accomplish? OWASP needs reports of false positives to make the rules any better, and you're hoping to get folks to contribute to your repository and theirs (I guess) or just yours?

What good does running a paid version ($495 bucks a year?) and a free version accomplish, really?
* I think this method will always be a better way, because you are basically paying for a commercial rule set that will always have better protection with almost no false positives. (you get what you pay for!)
We're getting what we paid for right now. And, it sucks. These OWASP rules just plain suck. Untested it seems on just about everything. But with our help! Things will improve over time.

This, from Brian Oates from cPanel on the EDGE mailing list, just today:

One of our original goals with the OWASP ModSecurity Rule Set distribution was to provide OWASP’s maintainers with constant feedback from server owners utilizing the rule set so that it could be consistently improved upon. Lack of rule set feedback was one of OWASP’s maintainers' chief frustrations that they communicated to us. Therefore, both ourselves and OWASP would like to encourage everyone to utilize this reporting feature.
OWASP's github is all but dead as far as feedback, so are their mailing lists from what I can tell. But hey, lets fragment the discussion into yet another github repository anyway, why not?

Personally, I've got more important things to be doing than assisting OWASP and cPanel to come up with a basic set of rules that work. I may try them again at some point after you guys get the bugs worked out of them, but for now, hell no. The way things are going, that might be years from now, one rule ID at a time.

cPanel's implementation of this new ModSec setup is coming along great, I'm really enjoying seeing the efforts here to make all this easier for us. But, the OWASP rulesets are the weakest, untested, part of the equation right now. And, it seems for some time to come, going by the public feedback I've been reading.

Sign up for and follow the OWASP repository on GitHub and their mailing list. No worries, both are very low traffic.
 

wrender

Well-Known Member
Sep 29, 2007
69
3
58
Infopro,

I think you are a bit confused of the security model for the OWASP ruleset for ModSecurity. It is designed as a "generic attack detection" so it will always have false positives. See here: https://www3.trustwave.com/modsecurity-rules-support.php (Unless this has changed recently and then I am mistaken).

My hopes would be that this whitelist is available to anyone using the OWASP rules, to eliminate false positives per web application type. Yes. That is why we put it on github, and anyone has access to it.

The commercial version of security rules intercept specific attack vector locations, the OWASP rule set does not, and intercepts generic attacks. So that is the advantage of using paid versions of rules: that they don't have as many false positives, and protect against known attacks/attack vector locations.

What good does yet another github project for modsec accomplish? OWASP needs reports of false positives to make the rules any better, and you're hoping to get folks to contribute to your repository and theirs (I guess) or just yours?

What good does running a paid version ($495 bucks a year?) and a free version accomplish, really?


We're getting what we paid for right now. And, it sucks. These OWASP rules just plain suck. Untested it seems on just about everything. But with our help! Things will improve over time.

This, from Brian Oates from cPanel on the EDGE mailing list, just today:



OWASP's github is all but dead as far as feedback, so are their mailing lists from what I can tell. But hey, lets fragment the discussion into yet another github repository anyway, why not?

Personally, I've got more important things to be doing than assisting OWASP and cPanel to come up with a basic set of rules that work. I may try them again at some point after you guys get the bugs worked out of them, but for now, hell no. The way things are going, that might be years from now, one rule ID at a time.

cPanel's implementation of this new ModSec setup is coming along great, I'm really enjoying seeing the efforts here to make all this easier for us. But, the OWASP rulesets are the weakest, untested, part of the equation right now. And, it seems for some time to come, going by the public feedback I've been reading.

Sign up for and follow the OWASP repository on GitHub and their mailing list. No worries, both are very low traffic.
 
  • Like
Reactions: October

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
cPanel's implementation of this new ModSec setup is coming along great, I'm really enjoying seeing the efforts here to make all this easier for us. But, the OWASP rulesets are the weakest, untested, part of the equation right now. And, it seems for some time to come, going by the public feedback I've been reading.
Quoted for truth.
 

Vliegtuig

Well-Known Member
Jan 21, 2010
74
2
58

Infopro

Well-Known Member
May 20, 2003
17,076
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
Not sure if I am the only one with this problem, but when reporting a rule, I get the following error:

Code:
The system was unable to submit the request: curl: (22) The requested URL returned error: 500 Internal Server Error
An additional side-effect of this error: we cannot disable it through the web interface.

In particular, we are receiving a *lot* of false positives caused by rule 950901, which looks for SQL tautologies. This rule seems to be very outdated because it lacks word boundaries. This problem ahs been discussed here in 2013: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2013-June/001418.html.

It seems that the ruleset has not been updated to reflect this obvious bug yet.
To clarify, when you see the rule in the Hits list, and then you click, More, to the right side of listing, when that area expands you see the Report this hit button, bottom left corner. When you click that, and fll in all forms and click Review Report, what happens next, exactly?

Thanks.
 

Infopro

Well-Known Member
May 20, 2003
17,076
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter

Vliegtuig

Well-Known Member
Jan 21, 2010
74
2
58
To clarify, when you see the rule in the Hits list, and then you click, More, to the right side of listing, when that area expands you see the Report this hit button, bottom left corner. When you click that, and fll in all forms and click Review Report, what happens next, exactly?

Thanks.
"Review report" works fine, but when clicking on "Submit" on the next page, I get the following error:View attachment 27211
 

Attachments

Last edited:

JaredR.

Well-Known Member
Feb 25, 2010
1,834
27
143
Houston, TX
cPanel Access Level
Root Administrator
The problem of a 500 error when trying to report ModSecurity rule hits has already been reported to our developers. The internal case for this is 174401. There is no estimate for when this will be addressed in a public build, but when it is, it will be mentioned in our changelog by that case number. You can view our changelog at any time at this URL:

http://changelog.cpanel.net

Or, in the WebHost Manager, you can click Home » cPanel » Change Log.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,544
13
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
Not sure if I am the only one with this problem, but when reporting a rule, I get the following error:
Code:
The system was unable to submit the request: curl: (22) The requested URL returned error: 500 Internal Server Error
The problem of a 500 error when trying to report ModSecurity rule hits has already been reported to our developers. The internal case for this is 174401. There is no estimate for when this will be addressed in a public build, but when it is, it will be mentioned in our changelog by that case number.
Case 174401 and the Internal Server Error, seen when reporting OWASP rule hits, is now resolved after corrective changes on the modsecurity.org systems that receive and process report submissions.

The only other known issue with reporting at this time is from servers with an OS older than CentOS 6, such as CentOS 5, where an SSL warning is presented because the OS doesn't include a recent-enough CA bundle that is necessary to verify the SSL certificate used on modsecurity.org. This remaining issue is being tracked via internal Case 174373. Upon resolution this case number will be mentioned in an upcoming change-log entry at https://go.cpanel.net/changelog.
 

sonicthoughts

Well-Known Member
Apr 4, 2011
61
3
58
I feel your pain of the ModSecurity OWASP false positives. It seems to be that especially with WordPress there are a lot of false positives with different plugins (Probably same reason it always gets hacked). I don't think it is really either a problem with cPanel, or with ModSecurity though.

The OWASP rules for ModSecurity are designed to provide "Generic Attack Detection" so naturally they are going to block out some good web traffic to valid applications too as they are overly secure. In this case they seem to be so secure they create a lot of false positives which is a nightmare for a small business to whitelist.

For us a couple of setups that are working well:

Option 1 - (Commercial rules, with some basic OWASP rules enabled).

1. Buy a subscription to the Trustwave Commercial ModSecurity rules (Or other commercial mod security rule vendor), and run their application specific rules in conjunction with some of the base OWASP rules in anomaly detection mode. For example with these rules loaded in your ModSecurity Vendor Configuration:

modsecurity_crs_10_setup.conf (Set to run in Anomaly Detection Mode by uncommenting that line, and increasing the 255 character limit line to something higher like 512).
rules/REQUEST-01-COMMON-EXCEPTIONS.conf
rules/REQUEST-10-IP-REPUTATION.conf
rules/REQUEST-12-DOS-PROTECTION.conf
rules/REQUEST-13-SCANNER-DETECTION.conf
rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
rules/REQUEST-21-PROTOCOL-ATTACK.conf
rules/REQUEST-49-BLOCKING-EVALUATION.conf
rules/RESPONSE-59-BLOCKING-EVALUATION.conf
rules/RESPONSE-80-CORRELATION.conf

2. And enable these commercial rules in the bottom of your /usr/local/apache/conf/modsec2.user.conf file:

Code:
# Include Trustwave Commercial Modsecurity Rules
Include conf/slr_vuln_rules/modsecurity_slr_10_ip_reputation.conf
Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
Include conf/slr_vuln_rules/modsecurity_slr_50_malware_detection.conf
Include conf/slr_vuln_rules/owasp_crs_integration/application_specific/*.conf
Include conf/slr_vuln_rules/botnet_attacks/*.conf
Include conf/slr_vuln_rules/dos_attacks/*.conf
Include conf/slr_vuln_rules/webshell_backdoors/*.conf
* I think this method will always be a better way, because you are basically paying for a commercial rule set that will always have better protection with almost no false positives. (you get what you pay for!)

Option 2 - (Only OWASP Rules Loaded)

1. Enable all of the OWASP rule sets in your ModSecurity Vendors.
2. Create a whitelist repository, and start whitelisting any false positives for each application. (I would strongly recommend setting up an AuditConsole server, as it will really help with this).

I’ve started an OWASP whitelist repository here: /https://github.com/wrender/modsecurity-whitelist-apps If anyone is able to help contribute I think it would be very helpful to anyone running ModSecurity with all of the OWASP rules enabled.

** This is the very labor intensive way, because there are a lot of different false positives depending on which web applications you are running.
In the absence of cpanel taking a stake in providing solid vendor rules, this is a great step forward. thanks!
 

iso99

Well-Known Member
Jan 5, 2011
112
7
68
cPanel Access Level
Root Administrator
I feel your pain of the ModSecurity OWASP false positives. It seems to be that especially with WordPress there are a lot of false positives with different plugins (Probably same reason it always gets hacked). I don't think it is really either a problem with cPanel, or with ModSecurity though.

The OWASP rules for ModSecurity are designed to provide "Generic Attack Detection" so naturally they are going to block out some good web traffic to valid applications too as they are overly secure. In this case they seem to be so secure they create a lot of false positives which is a nightmare for a small business to whitelist.

For us a couple of setups that are working well:

Option 1 - (Commercial rules, with some basic OWASP rules enabled).

1. Buy a subscription to the Trustwave Commercial ModSecurity rules (Or other commercial mod security rule vendor), and run their application specific rules in conjunction with some of the base OWASP rules in anomaly detection mode. For example with these rules loaded in your ModSecurity Vendor Configuration:

modsecurity_crs_10_setup.conf (Set to run in Anomaly Detection Mode by uncommenting that line, and increasing the 255 character limit line to something higher like 512).
rules/REQUEST-01-COMMON-EXCEPTIONS.conf
rules/REQUEST-10-IP-REPUTATION.conf
rules/REQUEST-12-DOS-PROTECTION.conf
rules/REQUEST-13-SCANNER-DETECTION.conf
rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
rules/REQUEST-21-PROTOCOL-ATTACK.conf
rules/REQUEST-49-BLOCKING-EVALUATION.conf
rules/RESPONSE-59-BLOCKING-EVALUATION.conf
rules/RESPONSE-80-CORRELATION.conf

2. And enable these commercial rules in the bottom of your /usr/local/apache/conf/modsec2.user.conf file:

Code:
# Include Trustwave Commercial Modsecurity Rules
Include conf/slr_vuln_rules/modsecurity_slr_10_ip_reputation.conf
Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
Include conf/slr_vuln_rules/modsecurity_slr_50_malware_detection.conf
Include conf/slr_vuln_rules/owasp_crs_integration/application_specific/*.conf
Include conf/slr_vuln_rules/botnet_attacks/*.conf
Include conf/slr_vuln_rules/dos_attacks/*.conf
Include conf/slr_vuln_rules/webshell_backdoors/*.conf
* I think this method will always be a better way, because you are basically paying for a commercial rule set that will always have better protection with almost no false positives. (you get what you pay for!)

Option 2 - (Only OWASP Rules Loaded)

1. Enable all of the OWASP rule sets in your ModSecurity Vendors.
2. Create a whitelist repository, and start whitelisting any false positives for each application. (I would strongly recommend setting up an AuditConsole server, as it will really help with this).

I’ve started an OWASP whitelist repository here: /GitHub - wrender/modsecurity-whitelist-apps: This repository is for people to contribute common ModSecurity web application false positive whitelists. If anyone is able to help contribute I think it would be very helpful to anyone running ModSecurity with all of the OWASP rules enabled.

** This is the very labor intensive way, because there are a lot of different false positives depending on which web applications you are running.

I'm re-thinking of using OWASP again on my new server. It's good that I've found your project. Thanks for this! I'll try to contribute as much as possible. :)
 

epaslv

Member
May 18, 2010
22
0
51
Melbourne, Australia
cPanel Access Level
Root Administrator
My personal experience has been terrible.

I enabled the OWASP ModSecurity Rules thinking they were ready for production, being available in RELEASE tier. It pretty much screwed up more that 50% of CMS sites.

Various redirections not working, infinate loops, unable to login etc, and our support department spent the whole day screening issues.

I quickly uninstalled it from all our servers to restore services. I am surprised they are even made available, were they even tested?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Hello,

For others who are considering the OWASP ruleset for the first time, it's important to review the following document:

OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation

In particular, pay close attention to this section:

What are the risks?
As with any mechanism that blocks web traffic, there is the risk that the rules could block legitimate traffic (false positives). While both OWASP and cPanel, Inc. aim to curate the OWASP rule set to reduce the potential for false positives, there is a risk that the rule set may block legitimate traffic. Review theModSecurity Tools (Home >> Security Center >> ModSecurity™ Tools) interface routinely to evaluate the traffic that the rule set blocks and whether these blocks affect legitimate users.
This is a core rule set that requires monitoring and fine tuning.

Thank you.
 

hrace009

Well-Known Member
Dec 24, 2013
75
10
8
Root
cPanel Access Level
Root Administrator
Twitter
2. And enable these commercial rules in the bottom of your /usr/local/apache/conf/modsec2.user.conf file:

Code:
# Include Trustwave Commercial Modsecurity Rules
Include conf/slr_vuln_rules/modsecurity_slr_10_ip_reputation.conf
Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
Include conf/slr_vuln_rules/modsecurity_slr_50_malware_detection.conf
Include conf/slr_vuln_rules/owasp_crs_integration/application_specific/*.conf
Include conf/slr_vuln_rules/botnet_attacks/*.conf
Include conf/slr_vuln_rules/dos_attacks/*.conf
Include conf/slr_vuln_rules/webshell_backdoors/*.conf
* I think this method will always be a better way, because you are basically paying for a commercial rule set that will always have better protection with almost no false positives. (you get what you pay for!)

Option 2 - (Only OWASP Rules Loaded)

1. Enable all of the OWASP rule sets in your ModSecurity Vendors.
2. Create a whitelist repository, and start whitelisting any false positives for each application. (I would strongly recommend setting up an AuditConsole server, as it will really help with this).

I’ve started an OWASP whitelist repository here: github.com/wrender/modsecurity-whitelist-apps If anyone is able to help contribute I think it would be very helpful to anyone running ModSecurity with all of the OWASP rules enabled.

** This is the very labor intensive way, because there are a lot of different false positives depending on which web applications you are running.
After find this, i would like to use OWASP again, instead commodo WAF
 
Last edited by a moderator:
Status
Not open for further replies.