Rule processing failed mod_cgi.c - ModSecurity

007basaran

Active Member
Hello all,

I have a little problem.

Log Details 1;

/usr/local/apache/logs/error_log

Code:
ModSecurity: Rule processing failed (id=981138) [hostname "xxx"]
Log Details 2;

/usr/local/apache/logs/modsec_audit.log

Code:
--dd51573f-H--
Message: Rule processing failed (id=981138)
Apache-Handler: cgi-script
Stopwatch: 1488926106634085 1247972 (- - -)
Stopwatch2: 1488926106634085 1247972; combined=3354, p1=309, p2=2703, p3=0, p4=0, p5=270, sr=38, sw=72, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0; CWAF_Apache.
Server: Apache
Engine-Mode: "DETECTION_ONLY"
Thank you all for your help.
Regards.

cPanelMichael

Administrator
Staff member
Log Details 1;

/usr/local/apache/logs/error_log

Code:
ModSecurity: Rule processing failed (id=981138) [hostname "xxx"]
Hello,

Do you notice any additional output just before and after that entry in the Apache error log? If so, please post that output as well.

Thank you.

007basaran

Active Member
Hello,

Just there:

tail -f /usr/local/apache/logs/error_log


Code:
[Wed Mar 08 15:52:34.758724 2017] [:error] [pid 18615] [client 77.88.47.45] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/"] [unique_id "WMBvEuI4u6bzIjCRXzqKcwAAAAc"]
[Wed Mar 08 15:52:36.415060 2017] [:error] [pid 18616] [client 100.43.85.2] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/sro-server"] [unique_id "WMBvFIH4a6ODfBvHrCJOAwAAAAg"]
[Wed Mar 08 15:52:54.456476 2017] [:error] [pid 17567] [client 193.34.173.130] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/instagrama-geostickers-ozelligi-geldi/"] [unique_id "WMBvJpy9Dyf0VmV6FuEVcQAAAAE"]
[Wed Mar 08 15:53:21.874124 2017] [:error] [pid 18339] [client 66.155.5.4] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/"] [unique_id "[email protected]"]
[Wed Mar 08 15:53:28.622818 2017] [:error] [pid 17567] [client 35.164.65.53] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/"] [unique_id "WMBvSJy9Dyf0VmV6FuEVgwAAAAE"]
[Wed Mar 08 15:53:40.028509 2017] [:error] [pid 18615] [client 13.112.204.11] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/instagrama-geostickers-ozelligi-geldi/"] [unique_id "WMBvVOI4u6bzIjCRXzqKhAAAAAc"]
[Wed Mar 08 15:53:45.386652 2017] [:error] [pid 18650] [client 89.145.95.69] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/oyuntarzim-com-minecraft-premium-cekilisi-minecraft-herseyi-degisen-hesab/"] [unique_id "WMBvWTx7uZe9WEFvKUN4xwAAAAw"]
[Wed Mar 08 15:53:51.128098 2017] [:error] [pid 17568] [client 35.154.100.103] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/"] [unique_id "WMBvX43cz6TLFsVvPUHVBwAAAAM"]
[Wed Mar 08 15:53:51.670023 2017] [:error] [pid 18339] [client 52.43.248.29] ModSecurity: Rule processing failed (id=981138) [hostname "xxx"] [uri "/instagrama-geostickers-ozelligi-geldi/"] [unique_id "[email protected]"]
[Wed Mar 08 15:54:01.624274 2017] [:error] [pid 17568] [client 151.135.197.36] ModSecurity: Rule processing failed (id=981138) [hostname "xxxx] [uri "/MultivizyonDestek/mb4040.html"] [unique_id "WMBvaY3cz6TLFsVvPUHVCwAAAAM"]
Thanks.

cPanelMichael

Administrator
Staff member
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
Thanks for the image. Looks like you disabled major security features: Protocol, XSS, SQLI. Any thoughts on that, did you have to look or do anything else to compensate?

I can see the one rule in WHM and it can be disabled. Why didn't you just disable the one rule?
Code:
#
# Check Client IP against ProjectHoneypot's HTTP Blacklist
# Ref: Http:BL Application Programming Interface (API) | Project Honey Pot
#
# Must register for an HttpBL API Key and configure SecHttpBlKey directive
# in the modsecurity_crs_10_setup.conf file.
# Ref: Reference Manual · SpiderLabs/ModSecurity Wiki · GitHub
#
SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" "id:'981138', phase:request, capture, nolog,pass,t:none, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation', tag:'reputation-Malicious IP', tag:'IP_REPUTATON/MALICIOUS_CLIENT', chain, setvar:tx.httpbl_msg=%{tx.0}"
SecRule TX:httpbl_msg "RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" "t:none, capture, setvar:tx.httpbl_msg=%{tx.1}"

fuzzylogic

Well-Known Member
This is a complex situation to troubleshoot. From the first post the modsec_audit.log shows...
Code:
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0; CWAF_Apache.
This indicates that both OWASP CRS and Comodo rules are enabled.
While these two rule sets have totally different id numbering, the Comodo set is essentially the OWASP rules with more production-ready configuration and specific rules added for known vulnerable files and exploits.
So, since they share so much code in common, when you run them simultaneously they do wasteful things like setting the same variables twice and running many near-identical rules.
I would not run these two rule sets together.

To add to this complexity the image url posted by 007basaran of the OWASP Vendor .conf files shows that the OWASP CRS is cPanel's older version, not the newer OWASP3 now available in the Vendors section. The older version was in Traditional Blocking mode which caused a large amount of false positive blocks.

The same image (as John pointed out) has Protocol, XSS and SQLI .confs disabled. Rule 981138 is not in any of these 3 files; it is in REQUEST-10-IP-REPUTATION.conf. So disabling those 3 files could not possibly have fixed this problem.

My recommendation would be for 007basaran to disable the OWASP ruleset and use just the Comodo rule set with all the .conf files enabled. That would have the added benefit of removing rule 981138.

All that said, I don't think any of those things are the cause of this problem.
I suspect it has to do with the connection to dnsbl.httpbl.org
Firstly check that you have obtained a key from dnsbl.httpbl.org and have entered it into...
Security Center » ModSecurity Configuration » Project Honey Pot Http:BL API Key text field.
In rule 981138 modsecurity's rbl operator is used to build a url by concatenating the...
honeypotkey + the TX:REAL_IP + dnsbl.httpbl.org
and ends up with something like honeypotkey.2.1.9.127.dnsbl.httpbl.org which it uses to do a nslookup.
You can test it from the command line of your server with...
nslookup honeypotkey.2.1.9.127.dnsbl.httpbl.org
If the ip is in the blacklist what looks like an ip address is returned
127.3.5.1
The last digit indicates what kind of threat the ip poses.
0 = Search Engine
1 = Suspicious
2 = Harvester
4 = Comment Spammer

So if you have a honeypot key and have tested from the command line and are still not getting either
NXDOMAIN or an ip address
as the response then you may have to look at your server's resolvers.
dnsbl.httpbl.org rate limits requests from each ip.
The ip appearing to dnsbl.httpbl.org as making the lookup is one of your resolvers.
Often a google ip is used as the resolver because of their speed and reliability, but when all these requests hit dnsbl.httpbl.org then that resolvers ip gets rate limited.
There are a few things you can do to avoid this problem.
Use dns servers other than Google's as your Primary, Secondary and Tertiary resolvers.
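The lookup fuzzylogic describes, as an added example (not code from this thread, from cPanel or from ModSecurity): it builds the name that rule 981138's @rbl operator queries for a client address and decodes the 127.x.y.z answer. The API key and client IP are constructed placeholders, and the resolver is injectable so the functions can be exercised without network access; the meaning of the second and third octets (days since last activity, threat score) is taken from the Http:BL API documentation rather than from the post.

```python
import socket
from typing import Callable, Optional

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Type flags carried in the last octet, as listed in the post (0 means search engine).
TYPE_FLAGS = {1: "Suspicious", 2: "Harvester", 4: "Comment Spammer"}


def build_httpbl_query(api_key: str, client_ip: str) -> str:
    """Return the DNS name the @rbl operator looks up for client_ip (TX:REAL_IP)."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {client_ip!r}")
    # DNSBL convention: the client address is reversed, e.g. 127.9.1.2 -> 2.1.9.127
    return f"{api_key}.{'.'.join(reversed(octets))}.{HTTPBL_ZONE}"


def decode_httpbl_answer(answer: str) -> dict:
    """Decode a 127.<days>.<threat>.<type> answer into its components."""
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"unexpected Http:BL answer: {answer!r}")
    _, days, threat, kind = octets
    # The type octet is a bitmask; 0 with no flags set is the search-engine case.
    types = [name for bit, name in TYPE_FLAGS.items() if kind & bit] or ["Search Engine"]
    return {"days_since_last_activity": days, "threat_score": threat, "types": types}


def check_client_ip(api_key: str, client_ip: str,
                    resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[dict]:
    """Query Http:BL for client_ip. None means NXDOMAIN (not listed).

    Any other resolver failure (e.g. EAI_AGAIN from a rate-limited resolver, the
    case the post describes) is re-raised so it is never mistaken for 'not listed'.
    """
    name = build_httpbl_query(api_key, client_ip)
    try:
        answer = resolve(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None
        raise
    return decode_httpbl_answer(answer)


if __name__ == "__main__":
    # Constructed placeholder key; a real key comes from the Project Honey Pot account.
    print(build_httpbl_query("honeypotkey", "127.9.1.2"))
    print(decode_httpbl_answer("127.3.5.1"))
```

With a real key and a working resolver, check_client_ip returns either a decoded dict or None; an exception surfacing from it points at the resolver rather than at the rule.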