
I am quite new to ModSecurity and need some help to secure my development server.

I have Apache 2.4 installed with ModSecurity 2.8.0.

I have also installed the OWASP ModSecurity Core Rule Set ver. 3.2.0.

Now, I am trying to block all requests that do not follow a specific REQUEST_URI pattern.

For example, I have this rule:

SecRule REQUEST_URI "!@rx (^(\/loc\/.*)$)" \
    "id:1234,phase:1,log,deny,status:404,msg:'Block URI'"

When I access a URL different from mysite.com/loc/ from my browser the rule works and blocks the request. The problem is: I see a lot of requests from attackers in the Apache log that pass through despite this rule, so I must be missing something.

My request via browser (identical to the attacker's) gets blocked (from the Apache log):

MY IP - - [18/Oct/2019:09:44:26 +0300] "GET /FxCodeShell.jsp?xxx HTTP/1.1" 404 89 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

The request of the attacker gets passed (from the Apache log):

Attacker IP - - [18/Oct/2019:03:37:03 +0300] "GET /FxCodeShell.jsp?xxx HTTP/1.1" 302 310 "http://XX.XX.XX.XX:80/FxCodeShell.jsp?xxx" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

Any suggestions as to why the rule does not kick in? What am I missing?

Any help will be appreciated!

user3132858
  • Why do you have `loc` in your rule and `FxCodeShell.jsp?xxx` in your example? Have you attempted to anonymise one but not the other? If so can you edit the question to bring these into line and make this clearer. – Barry Pollard Oct 22 '19 at 23:18
  • With the rule I have, I am only allowing access to `loc` folder and its contents. – user3132858 Oct 30 '19 at 09:14
  • With the rule I have, I am only allowing access to the `loc` folder and its contents. The example with `/FxCodeShell.jsp?xxx` is that the rule works for me when I try to access that particular file via browser - I get a 404. The rule, however, did not work when an attacker tried to send a `GET` request for the same `/FxCodeShell.jsp?xxx` file. The file does not exist but the server did not return 404 to the attacker as the rule specifies but returned a 302. – user3132858 Oct 30 '19 at 09:20
  • Can't explain this based on the information you have given. It's weird that you do a redirect - what is doing that? Suggest you turn on debugging by adding `SecDebugLogLevel 9` and a `SecDebugLog` directive to see if another rule is kicking in first. Note that this may produce a lot of logs. – Barry Pollard Oct 30 '19 at 10:14
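An added example (not part of the question or of the comments above): before chasing a 302 through `SecDebugLog`, it is worth separating two questions: does the `@rx` pattern itself behave as expected for the URIs in the log, and for which logged requests does the recorded status contradict what the rule must have done? The script below re-applies the rule's regex `^(/loc/.*)$` (negated, as `!@rx` does) to each request in a few constructed Apache combined-format log lines modelled on the two in the question, and flags every line where the rule should have produced a 404 but the log shows something else. The log lines and the helper names (`rule_fires`, `audit`, `unexplained`) are mine; the IPs are documentation addresses, not the poster's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The pattern from the SecRule in the question. ModSecurity's @rx uses PCRE;
# for this expression Python's re module gives the same result.
ALLOWED_URI = re.compile(r"^(/loc/.*)$")

# Apache "combined" LogFormat, the layout of the two lines in the question.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines modelled on the question's access log (IPs are
# RFC 5737 documentation addresses, not real ones).
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Oct/2019:09:44:26 +0300] "GET /FxCodeShell.jsp?xxx HTTP/1.1" '
    '404 89 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '198.51.100.7 - - [18/Oct/2019:03:37:03 +0300] "GET /FxCodeShell.jsp?xxx HTTP/1.1" '
    '302 310 "http://198.51.100.200:80/FxCodeShell.jsp?xxx" '
    '"Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
    '203.0.113.10 - - [18/Oct/2019:09:45:01 +0300] "GET /loc/index.html HTTP/1.1" '
    '200 512 "-" "curl/7.64.0"',
]


def rule_fires(request_uri: str) -> bool:
    """Emulate 'SecRule REQUEST_URI "!@rx ^(/loc/.*)$"': the rule, and with it
    deny,status:404, fires when the raw request URI is NOT under /loc/.
    REQUEST_URI is the URI as sent on the request line, so it is matched
    unnormalised: '/loc' without a trailing slash and '/LOC/x' are blocked,
    while '/loc/../x' is allowed through by this rule alone."""
    return ALLOWED_URI.match(request_uri) is None


@dataclass
class Verdict:
    ip: str
    uri: str
    status: int
    referer: str
    rule_fires: bool   # the rule should have answered this request with 404
    consistent: bool   # the logged status agrees with what the rule must do


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it is not one."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def audit(lines: List[str]) -> List[Verdict]:
    verdicts = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # not a combined-format line; skip rather than guess
        fires = rule_fires(fields["uri"])
        status = int(fields["status"])
        # If the rule ran and matched, the only status it can produce is 404.
        # Any other status on a request it should have blocked means the rule
        # was never evaluated for that request (another vhost, an earlier
        # redirect, ...): that is the request to look up in SecDebugLog.
        consistent = (not fires) or status == 404
        verdicts.append(Verdict(fields["ip"], fields["uri"], status,
                                fields["referer"], fires, consistent))
    return verdicts


def unexplained(lines: List[str]) -> List[Verdict]:
    """Requests the rule should have blocked whose logged status is not 404."""
    return [v for v in audit(lines) if not v.consistent]


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        flag = "OK" if v.consistent else "??"
        print(f"{flag} {v.ip:15} {v.status} rule_fires={v.rule_fires!s:5} "
              f"{v.uri}  referer={v.referer}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines: the `??` rows are the ones whose ModSecurity debug-log entries (or lack of them) explain the 302. The unnormalised-URI behaviour noted in `rule_fires` is also why an allow-list rule like this one is normally kept alongside the CRS rules rather than used instead of them.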

0 Answers