4.2.2 update changed mod_security rule matching behaviour
Hi,
Last week we decided to update LS to 4.2.2, it has been out for a while so we assumed it would be a safe move. However things didn't run smoothly at all! We started getting a lot of false positives with the got_root rules leading to lots of 403 pages with some IP address blocks and a lot of support tickets to handle.
After a thorough check we saw that immediately after the upgrade a lot more web requests were being matched. At the time 3 rules were playing up and over the weekend 3 other rules have been whitelisted too. Oddly, those rules were previously regularly catching legitimate SQL injection attack requests and after the update we stopped seeing those being logged.
We haven't yet looked at the mod_security rule syntax, they seem like regexes, but this is a nice example of an odd match:
--340a1df9-H--
Message: [client 120.40.156.230] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI' '!(?:/install/index\.php|/index\.php\?mode=install&sub=create_table$|^/admin/test/examples/txtsqladmin/index\.php|^/store/images/|^/wp-admin/admin\.php\?page=wpsc-settings)'] [ID "340157"] [Msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection"] [severity "CRITICAL"] [MatchedString "lrefrkgcltzqgzetgbhyijchfcrgckvvuartrkkikbgfccayy ixpcjkngtioaeupnbocomungnuisnozbdmpfxsmbaeewmmlyvh rpwqcbqcknggohsfnexlgfoyswsreelitnvmbggbbpjqalstdd ocetizxdmwdkrtghfamzllabpfcpprahsvleapokymmvtqkpqr otfpdjpzdyvvlpphmaifihcnsxqehyiayrubrpbiqiwrrpxswr qfbcnbgkqxoscyirguwhibefqwylupzkxbtcazjnjqivhonagz txojkvjsnynwkkfayxgrzlazzjmnchttebagjymyeaixsgvdre zsfmvjecaxogrnkjdvrrwpjvjbxqiwumttmuugchztshigooqs zdyvvenpsgdodnmmlipdrgesdsjqrvqrxkdptqaxbpczsqtnew dloyialbnovmubvkhrhafzdbniufsmfactdjsvmlzbfafempqm elpfypwnaohmdqunjeiapwpzqirrwdqzrvfjysrkmmiijlhylk vbobcisdcevqjvlgllamjgwivknsvtctmxrqndiecrqrchukqn rgoowfgmeuspryqgmaftlvpyjbmrbknrrcmgfhrkrsctexwmsv jmsusaxoljrdafwnxerniouofivccyilckqtgnvafjimsmenxt modfnaaliikacfjtszbkzavpnembswhvxsmioworlzedkmyrfv wzebkxtwpwfrocojcdiczkbrnsxilkdgjoapiqhmyxhiemlfxq dmumirwbjxikgtkkhiswqzprjcvisyrpmllpxtdgzwhjlckgth hypzaqsiswfxhgikrvrltxuhuxuimavsmyfbqlyunhjyuwznyd mpyudvagfkfzcgandgtkyavclvmbypghtfeyijkbylgvenygrz wdvtwhsegorggtychjbtmffslccokakbiypibueotntealoejg egejjslvqvfjhorrqjopfdyenetlunjddnilcqdgzukggpsiik cpdyrijsycqqshkhkhuowppijipjpphpjpvzcvxmqxlocwphan tatzcrsyiddnzxfqqqdupsjuzznptesscuqrbxgyxxipbpywxt wxwgjrpskvznzfbxaudwjzqg"]
--
Our servers run either CloudLinux 5 32bit or version 6 64bit.
The above example is from a CL 5 box.
We're running the got_root 2.5 rules.
Let us know if you'd like full logs so you can take a better look at them. Currently we're moving back to 4.2.1.
Best Regards,
Jack
|
Linear Mode
